Showing results for 
Search instead for 
Did you mean: 

SIP - Firewall/ACLs


We had some weird issues with one of our UC320's over the weekend... I won't get into the details of that, but I noticed something while working on it -- there was a bunch of attempted toll-fraud showing in the SIP logs. None of it was completing, but I am curious why it is even there; it was my understanding that the UC320 automatically blocked all SIP except for your providers IP via its firewall. Is that not the case? Has anyone else seen this?


6 Replies 6

Christopher Edgeworth
Frequent Contributor
Frequent Contributor

Hi Daniel,

What PMFs are installed on the system?  (Status -> Device -> Alter PMFs)  We did release a PMF that disables the restrict SIP source IP address capability as it was required by some customers.


The only PMF we have is "Offer Release Candidates".

Is attempted fraud traffic in the SIP logs unexpected behavior?

It is not clear if fraud is restricted at the firewall level or at the SIP level.

(Meaning -- is the traffic outright blocked, or does the SIP server just reject calls from incorrect IPs)

Hi Daniel,

The SIP messaging is restricted to only being accepted from the proxy(s) IP/FQDN in the SIP trunk pages.  SIP messaging traffic from other source IPs is logged and discarded.

It is logged because in some SIP providers they may actually originate SIP traffic to the UC320 from different IPs.  You will also see probing from the Internet on SIP ports to see if there is an exposure to exploit.  I see this on my home system all the time.


Thanks Chris, that makes sense.

It was the first time we have seen such traffic, so I wanted to check.

Its odd, I don't know about anyone else, but we have seen a HUGE increase in attempted fraud traffic in the last few weeks.

Jack Germanos

So is there a PMF that deals with toll fraud that I should add or is the UC320 safe?

Sent from Cisco Technical Support iPhone App

Hi Jack,

No, you don't need to install a PMF.  There are no services in the UC320W that allow the capabilitiy of hairpinning calls to dialed (non-programmed) addresses.  The built in capability described above means that we only accept SIP traffic from your configured SIP Provider's proxy IP address(es).  All other rogue inbound SIP traffic is quietly discarded.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers