vinh.nguyen
Beginner

reject sip/h323 calls by IP?

I have a few sip/h323 providers. I have also enabled sip/h323 on my as5400xm (this is for my asterisk server). Since I'm using these providers, I have to put their IP in my access-list. My concern is, since my gateway is accepting sip/h323 calls, what if these providers send the calls to my gateway? So I was thinking of a way to restrict this. It could be as simple as tweaking the access-list, but I don't know. Please help.

Here's how I have my access-list set up:

access-list 101 permit tcp host 10.10.10.10 any
access-list 101 permit udp host 10.10.10.10 any
access-list 101 permit udp any any range 16384 32767
access-list 101 deny   tcp any any
access-list 101 deny   udp any any

Thanks in advance

4 REPLIES 4
mrdogantr
Beginner

Hi,

Can you make a test call and post the "debug ccsip messages" output?

hth

Muammer

Steven Holl
Cisco Employee

You want to reject specific calls?  You won't use an ACL for that, since it needs to be done at the voice level.

Take a look at this:

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a00803f818a.shtml#con13

The link you provided is for dialpeer to reject certain #. I wanted to reject based on the IP of the other calling party.

Ah, so you just want to restrict VoIP calls from L3 addresses other than your provider?

That's just a simple ACL to open up traffic to your SIP ITSP's IP external addresses, and block anything else.

You can get what IPs and ports are used by your provider, but here is what you need open on the Cisco side inbound for an inbound ACL on a WAN interface:

UDP - ITSP address:ITSP SIP Port to External interface:5060 - For SIP signaling

ITSP address:ITSP RTP Port Range - External interface:16384-32767 - RTP traffic

ITSP's port range could be anything between 1024-65535.  SIP usually comes from UDP/5060 from the ITSP, but doesn't have to.  Verify with them, or look at a SIP debug or packet capture to verify.

The implicit deny will take care of everything else.
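
Added example, not part of any post in this thread: a small Python model of first-match ACL evaluation that compares the ACL posted in the question with one tightened the way the last reply describes. It assumes 10.10.10.10 is the provider's address; 198.51.100.1 (gateway external interface), 203.0.113.50 (an unrelated source) and ACL number 102 are constructed placeholders.

```python
# Added example: first-match evaluation of the extended-ACL subset used in this thread.
# Only 'any' / 'host A.B.C.D' addresses and destination 'eq' / 'range' ports are modelled.

ORIGINAL = """\
access-list 101 permit tcp host 10.10.10.10 any
access-list 101 permit udp host 10.10.10.10 any
access-list 101 permit udp any any range 16384 32767
access-list 101 deny   tcp any any
access-list 101 deny   udp any any
"""

# Tightened per the last reply; ACL 102 and 198.51.100.1 are constructed placeholders.
TIGHTENED = """\
access-list 102 permit udp host 10.10.10.10 host 198.51.100.1 eq 5060
access-list 102 permit udp host 10.10.10.10 host 198.51.100.1 range 16384 32767
"""

def _addr(tok):
    """Consume 'any' or 'host A.B.C.D' from the token list; None means any."""
    return None if tok.pop(0) == "any" else tok.pop(0)

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]          # drop 'access-list <n>'
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        ports = (0, 65535)              # no port keyword: all destination ports
        if tok and tok[0] == "eq":
            ports = (int(tok[1]), int(tok[1]))
        elif tok and tok[0] == "range":
            ports = (int(tok[1]), int(tok[2]))
        rules.append((action, proto, src, dst, ports))
    return rules

def verdict(rules, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, r_proto, r_src, r_dst, (lo, hi) in rules:
        if (r_proto == proto and r_src in (None, src)
                and r_dst in (None, dst) and lo <= dport <= hi):
            return action
    return "deny"

GW, ITSP, STRANGER = "198.51.100.1", "10.10.10.10", "203.0.113.50"
for name, acl in (("original", ORIGINAL), ("tightened", TIGHTENED)):
    rules = parse(acl)
    for src, dport in ((ITSP, 5060), (STRANGER, 5060), (STRANGER, 20000)):
        print(name, src, dport, verdict(rules, "udp", src, GW, dport))
```

The original ACL already drops SIP from unknown sources but still admits UDP 16384-32767 from any address, and it passes all TCP and UDP from the provider; the tightened one leaves only provider SIP and RTP to the gateway and relies on the implicit deny for the rest.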