11-22-2008 02:36 PM
I have several 2800 Voice Gateways in several regions. How can I protect my H.323 GW? These gateways have public IP addresses. Can I control or authenticate my VoIP gateways in order to prevent a rogue gateway from connecting to my gateway and making calls?
11-23-2008 04:10 PM
You need, at a minimum, to create an ACL to prevent H.323 traffic that originates from the Internet from going into your gateway, and only allow traffic from your sites.
11-23-2008 06:21 PM
As far as I know, a GK is the only solution. An access-list cannot prevent dial-peer hacking.
11-24-2008 03:02 AM
Hi,
I don't know whether this is a possibility, but you could add a gatekeeper to authenticate requests via AAA. That way all the gateways would have to securely register with the gatekeeper.
This can also be integrated with a RADIUS server (i.e. ACS) if you have one.
11-24-2008 07:23 AM
I appreciate your response. Would you have a link with an example of how to integrate the GK with CSACS, and in what version of CSACS?
11-24-2008 07:54 AM
Do you know the IP addresses of all gateways authorized to send calls (signaling) to the other one? If so, you may consider an access-list.
If the answer is yes, you may consider something limiting access per port per IP address, for example. Here is some port information to assist you:
H.323/H.225 = TCP 1720
H.323/H.245 = TCP 11xxx (Standard Connect)
H.323/H.245 = TCP 1720 (Fast Connect)
H.323/H.225 RAS = TCP 1719
SCCP = TCP 2000-2002 (CM Encore)
ICCP = TCP 8001-8002 (CM Encore)
MGCP = UDP 2427, TCP 2428 (CM Encore)
SIP= UDP 5060, TCP 5060 (configurable)
I got it from http://www.cisco.com/en/US/tech/tk652/tk698/technologies_configuration_example09186a0080094af9.shtml
regards,
daniel
11-24-2008 08:07 AM
Daniel,
An access-list is not a good idea to prevent dial-peer hacking. Here is one scenario: both A and B need to send H.323 calls to C. How can you use an access-list to prevent A from hacking B's account in C?
11-24-2008 08:44 AM
Jack,
I was considering an outside attacker, not someone from the company, not someone from this cloud of Cisco gateways.
If the problem is inside the network, what do you think about AAA (RADIUS)?
11-24-2008 08:54 AM
Daniel,
The scenario I mentioned is indeed for hacking from outside. I thought AAA was not powerful enough to prevent such an attack. Could you advise how to use AAA in such a scenario?
11-25-2008 01:28 AM
Hi,
You can use source-IP-based dial peers using voice source-group, access-list and translation rules.
Example:
voice source-group customer1
 access-list 50
 translation-profile incoming 50
voice source-group customer2
 access-list 40
 translation-profile incoming 40
rgds,
Ismo
11-25-2008 08:15 AM
I was looking for a complete example of this command voice source-group, but I don't find it. So this command is for using an ACL where you specify the IP of the remote gateway, in order to ensure only this gateway can make calls for the translation profile?
Could you send me more details on how to use this command? By the way, I have a CS ACS for AAA.
The challenge is to be able to identify or permit the use of the prefix for a client, but only from a known IP address of the GW.
11-26-2008 12:48 AM
Below is a simple example, where prefix 7 or 8 is added using that feature.
! Standard ACLs identifying the trusted source gateways (one /24 each)
access-list 1 permit 1.2.3.4 0.0.0.255
access-list 2 permit 3.4.5.6 0.0.0.255
!
! Source groups: a call is admitted only if its source IP matches the ACL;
! anything else is rejected with cause "invalid-number"
voice source-group 1234
 access-list 1
 disconnect-cause invalid-number
 translation-profile incoming 1
voice source-group 3456
 access-list 2
 disconnect-cause invalid-number
 translation-profile incoming 2
!
! Profiles bind the incoming called-number translation to each group
voice translation-profile 1
 translate called 1
voice translation-profile 2
 translate called 2
!
! Rule 1 prefixes 8, rule 2 prefixes 7, to called numbers beginning with 1
voice translation-rule 1
 rule 1 /^1\(.*\)/ /81\1/ type any subscriber plan any isdn
voice translation-rule 2
 rule 1 /^1\(.*\)/ /71\1/ type any subscriber plan any isdn
!
! Outbound dial-peers are selected by the prefix the source group added
dial-peer voice 1 voip
 destination-pattern 8T
dial-peer voice 2 voip
 destination-pattern 7T
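Added example (not from the thread or from Cisco IOS): a small Python model of how the configuration above admits, translates and routes an incoming call. It assumes the behaviour the post describes: the source IP is checked against the source-group ACL, the matching profile's translation rule is applied, the result is matched against the dial-peers, and an unknown source is dropped with disconnect-cause invalid-number. Names and sample addresses are constructed.

```python
import ipaddress
import re


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'permit A.B.C.D W.X.Y.Z' pair into an ip_network.
    Only contiguous wildcards (e.g. 0.0.0.255) are supported here."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)


# Constructed model of the thread's config: ACL number -> permitted network
ACLS = {
    1: wildcard_to_network("1.2.3.4", "0.0.0.255"),
    2: wildcard_to_network("3.4.5.6", "0.0.0.255"),
}
# voice source-group -> (ACL, translation rule); the IOS BRE /^1\(.*\)/ /81\1/
# is written as the equivalent Python regex and replacement
SOURCE_GROUPS = [
    {"name": "1234", "acl": 1, "rule": (r"^1(.*)", r"81\1")},
    {"name": "3456", "acl": 2, "rule": (r"^1(.*)", r"71\1")},
]
# dial-peer tag -> destination-pattern; trailing "T" means "any further digits"
DIAL_PEERS = {1: "8T", 2: "7T"}


def match_dial_peer(called):
    """Return the first dial-peer whose destination-pattern matches, else None."""
    for peer_id, pattern in DIAL_PEERS.items():
        if pattern.endswith("T"):
            regex = "^" + re.escape(pattern[:-1]) + ".*$"
        else:
            regex = "^" + re.escape(pattern) + "$"
        if re.match(regex, called):
            return peer_id
    return None


def route_call(source_ip, called):
    """Model the admission decision for one incoming VoIP call.
    Returns (dial_peer, translated_called) for an admitted source, or
    ('disconnect', 'invalid-number') when no source-group ACL matches."""
    src = ipaddress.ip_address(source_ip)
    for group in SOURCE_GROUPS:
        if src in ACLS[group["acl"]]:
            pattern, repl = group["rule"]
            translated = re.sub(pattern, repl, called, count=1)
            return match_dial_peer(translated), translated
    return "disconnect", "invalid-number"
```

A call from 203.0.113.5 (not in either ACL) is rejected before any dial-peer is consulted, which is the property the thread is after; a permitted source whose called number does not start with 1 is translated unchanged and matches no dial-peer.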
11-26-2008 04:05 AM
Ismo,
Very good example.
Daniel
11-26-2008 06:00 AM
I think this solution is good for IP2IP scenario, what about IP->TDM?
Suppose ISDN T1-A must take calls from IP 1.2.3.4/24 and ISDN T1-B must take calls from IP 3.4.5.6/24.
11-26-2008 06:14 AM
Sir,
You can send calls from these gateways with different tech prefixes and strip them on the correct E1 to deliver the calls.
Regards,
Daniel