Cisco 9971 SIP security Issue

cameronalan (Level 1)

Hi,

I am looking for a little help with this; all input is welcome.

I have a UC540W and a number of endpoints; all are 79xx series using SCCP. Only one is a 9971 SIP handset.

I have configured the unit using the Cisco Configuration Assistant version 3.2; this created the base, and then I have manually altered parts of the config.

ITSP - VoIP Unlimited

With the config in for the 9971 to connect, the phone works perfectly, but we keep getting toll fraud. I have tested with the X-Lite client installed on a PC at my home, and I can connect and call numbers internal and external to the business without using any auth information.

I then added the line below to the voice service voip (bind control source-interface BVI10), and the external client can no longer complete a call, but it can still try and dial, as it rings but drops the call before it can complete.

I have also entered the trusted IP address, which in this case is one of the servers at VoIP Unlimited, but this hasn't helped.

I am not sure how else to lock this down and stop people gaining access to this. For now I have removed the endpoint from the system and will set it back up once we get a solution to this. (May be something I have overlooked.)

voice service voip
 ip address trusted list
  ipv4 91.151.2.130
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
 sip
  bind control source-interface BVI100
  registrar server expires max 3600 min 3600
  localhost dns:sip.voip-unlimited.net
  outbound-proxy dns:sip.voip-unlimited.net
  no update-callerid
!
voice register dn  1
 translation-profile incoming SIP_Passthrough
 number 201
 call-forward b2bua busy 399
 call-forward b2bua noan 399 timeout 20
 call-forward b2bua unregistered 399
 name Ross Toner
 no-reg
 label Ross 201
!
voice register pool  1
 id mac XXXX.XXXX.XXXX
 session-transport tcp
 type 9971
 number 1 dn 1
 dtmf-relay rtp-nte
 username ross password W***************
 codec g711ulaw
 camera
 video

Any help would be greatly appreciated.

Cheers

Alan.

Accepted Solution

johschaf (Level 4)

Hello,

You will probably need to fix this with an ACL on your WAN port. This isn't so much an issue with the SIP endpoint configuration, but an issue with the network configuration on the UC itself. In addition, the registration of your SIP endpoint should still be controlled by the UC before allowing calls to be made.

The voice service voip trusted list only prevents call setups from the IPs not listed. Since the SIP phone isn't sending a call setup the call is still permitted.

Toll-Fraud Prevention Feature in IOS Release 15.1(2)T

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a0080b3e123.shtml

Hope this helps.

Thanks,

-john

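The WAN-side ACL john recommends, as an added example that is not from the original thread: it lets only the ITSP (91.151.2.130, the address from the posted trusted list) reach SIP on the UC540 from the Internet and logs everything else. WAN_INTERFACE is a placeholder for the UC's Internet-facing interface, and the closing permit stands in for whatever WAN policy CCA already generated.

```cisco
! Added example, not from the thread. WAN_INTERFACE is a placeholder for the
! UC540's Internet-facing interface; 91.151.2.130 is the ITSP address from the
! posted trusted list. Only the ITSP may reach SIP on the UC from the WAN.
ip access-list extended SIP-WAN-IN
 remark --- SIP signalling (UDP and TCP 5060, TLS 5061): ITSP only ---
 permit udp host 91.151.2.130 any eq 5060
 permit tcp host 91.151.2.130 any eq 5060
 remark --- any other host trying SIP from the Internet is dropped and logged ---
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 deny   tcp any any eq 5061 log
 remark --- stand-in for the existing WAN policy; keep what CCA generated ---
 permit ip any any
!
interface WAN_INTERFACE
 ip access-group SIP-WAN-IN in
!
```

`show ip access-lists SIP-WAN-IN` shows the hit counters; matches on the deny lines are outside clients trying to register or place calls. Apply the ACL before re-enabling the 9971 so the phone's registration is tested with the filter in place.
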
2 Replies

Hi John,

Thanks for that. I think it'll be an ACL issue. I don't fully understand the ACL, so I have basic routing but have never set up the ACL, so I'll have to learn a little bit.

cheers

Alan