06-03-2009 09:41 AM - edited 03-21-2019 01:10 AM
We recently upgraded one of our clients UC520 to 20T2 and now they were recently notifed by their ISP (Cbeyond) that there has been some International calling from their end. Here is the dial-peer for all incoming calls
dial-peer voice 1000 voip
description ** Incoming call from SIP trunk **
translation-profile incoming CUE_Incoming
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
session protocol sipv2
session target sip-server
incoming called-number .%
dtmf-relay rtp-nte
ip qos dscp cs5 media
ip qos dscp cs4 signaling
no vad
There is no "permission term" to prevent hairpinning, and I believe that "permission term" causes other issues. Has these issues been resolved? Or are their other solutions to prevent International calling fraud?
Solved! Go to Solution.
06-03-2009 09:54 AM
Reconfiguring your SIP trunk on CCA 1.9 or CCA 2.0 will push the necessary CLI. Please use 2.0.
Thanks,
Marcos
06-03-2009 09:49 AM
In CCA 1.9 we introduced a mechanism using a voice source group, to only allow calls from the IP of the ITSP. Additionally, we translate inbound calls into the site that start with the access code, to an undialable number. Almost never should you see inbound calls from the SIP side that start with your outbound access code.
Thanks,
Marcos
06-03-2009 09:52 AM
Does this only work when you build a system from scratch via CCA 1.9? What needs to be done to the configuration if you upgraded an existing configuration using 1.9?
06-03-2009 09:54 AM
Reconfiguring your SIP trunk on CCA 1.9 or CCA 2.0 will push the necessary CLI. Please use 2.0.
Thanks,
Marcos
06-03-2009 10:01 AM
So, every customer that we recently upgraded to 20T2, also needs to have their dial-peers reconfigured using CCA 2.0?? Is there anything else that was added to 1.9 and 2.0 that we need to be aware up that did not get reconfigured in the upgrade.
06-03-2009 10:08 AM
I am not aware of anything else.
Marcos
06-03-2009 11:25 AM
What are the commands that need to be added via CLI? Or is this something that is better doing through CCA? If so, then are their instructions on how to modify the dial-peers so that no other configurations are altered via CCA?
06-03-2009 11:38 AM
The CLI looks something like this (20.20.20.20 is the SIP Proxy IP):
!
voice source-group CCA_SIP_SOURCE_GROUP
access-list 2
translation-profile incoming SIP_Incoming
!
voice translation-rule 411
rule 1 /^9\(.*\)/ /ABCD9\1/
!
voice translation-rule 412
rule 1 /^ABCD\(.*\)/ /\1/
!
access-list 2 permit 20.20.20.20
access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.10.0 0.0.0.3
access-list 2 deny any
!
voice translation-profile SIP_Incoming
translate called 411
!
voice translation-profile SIP_Passthrough
translate called 412
!
dial-peer voice 1003 voip
description ** Passthrough Inbound Calls from CUE **
translation-profile incoming SIP_Passthrough
b2bua
session protocol sipv2
session target ipv4:10.1.10.1
incoming called-number ABCDT
dtmf-relay sip-notify
codec g711ulaw
no vad
!
06-03-2009 04:24 PM
There are additional checks that CCA adds such as it locks down the firewall on WAN interface as well to only allow SIP traffic from specific IP addresses. Would recommend you use CCA to delete and re add the SIP Trunk provider (you would need to re add the inbound DID mapping and outbound dialplan settings) - this will give you the best results even if its a bit more work.
06-04-2009 08:36 AM
Brandon,
The ACL is typically ACL 104 applied in teh inbound direction on the FE0/0 interface. Make sure you have an entry to allow SIP traffic from the ITSP.
Thanks,
Marcos
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide