Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
907
Views
0
Helpful
4
Replies

reject sip/h323 calls by IP?

vinh.nguyen
Level 1
Level 1

‎04-26-2011 10:33 PM

i have a few sip/h323 providers. I have also enabled sip/h323 on my as5400xm(this is for my asterisk server). Since i'm using these providers, i have to put their IP in my access-list. my concern is, since my gateway is accepting sip/h323 calls. what if these provider send the calls to my gateway? so i was thinking of a way to restrict this. It could be as simple as tweaking the access-list. but I don't know. Please help.

here's how i have my access-list setup:

access-list 101 permit tcp host 10.10.10.10 any
access-list 101 permit udp host 10.10.10.10 any
access-list 101 permit udp any any range 16384 32767
access-list 101 deny   tcp any any
access-list 101 deny   udp any any

Thanks in advance

Labels:
0 Helpful
4 Replies 4

mrdogantr
Level 1
Level 1

‎04-27-2011 05:23 AM

Hi,

    can you  make test call and post "debug ccsip messages" output.

hth

Muammer

0 Helpful

Steven Holl
Cisco Employee
Cisco Employee

‎05-11-2011 11:57 AM

You want to reject specific calls?  You won't use an ACL for that, since it needs to be done at the voice level.

Take a look at this:

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a00803f818a.shtml#con13

0 Helpful

vinh.nguyen
Level 1
Level 1
In response to Steven Holl

‎05-11-2011 04:54 PM

the link you provided is for dialpeer to reject certain #. I wanted to reject based on the IP of the other calling party.

0 Helpful

Steven Holl
Cisco Employee
Cisco Employee
In response to vinh.nguyen

‎05-12-2011 06:11 AM

Ah, so you just want to restrict VoIP calls from L3 addresses other than your provider?

That's just a simple ACL to open up traffic to your SIP ITSP's IP external addresses, and block anything else.

You can get what IPs and ports are used by your provider, but here is what you need open on the Cisco side inbound for an inbound ACL on a WAN interface:

UDP - ITSP address:ITSP SIP Port to External interface:5060 - For SIP signaling

ITSP address:ITSP RTP Port Range - External interface:16384-32767 - RTP traffic

ITSP's port range could be anything between 1024-65535.  SIP usually comes from UDP/5060 from the ITSP, but doesn't have to.  Verify with them, or look at a SIP debug or packet capture to verify.

The implicit deny will take care of everything else.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents