Enthusiast

SIP - Firewall/ACLs

We had some weird issues with one of our UC320s over the weekend... I won't get into the details of that, but I noticed something while working on it -- there was a bunch of attempted toll-fraud showing in the SIP logs. None of it was completing, but I am curious why it is even there; it was my understanding that the UC320 automatically blocked all SIP except for your provider's IP via its firewall. Is that not the case? Has anyone else seen this?

Thanks.

6 REPLIES 6
Frequent Contributor

SIP - Firewall/ACLs

Hi Daniel,

What PMFs are installed on the system?  (Status -> Device -> Alter PMFs)  We did release a PMF that disables the restrict SIP source IP address capability as it was required by some customers.

Chris

Enthusiast

SIP - Firewall/ACLs

The only PMF we have is "Offer Release Candidates".

Is attempted fraud traffic in the SIP logs unexpected behavior?

It is not clear if fraud is restricted at the firewall level or at the SIP level.

(Meaning -- is the traffic outright blocked, or does the SIP server just reject calls from incorrect IPs)

Frequent Contributor

SIP - Firewall/ACLs

Hi Daniel,

The SIP messaging is restricted to only being accepted from the proxy(s) IP/FQDN in the SIP trunk pages.  SIP messaging traffic from other source IPs is logged and discarded.

It is logged because in some SIP providers they may actually originate SIP traffic to the UC320 from different IPs.  You will also see probing from the Internet on SIP ports to see if there is an exposure to exploit.  I see this on my home system all the time.

Chris

Enthusiast

SIP - Firewall/ACLs

Thanks Chris, that makes sense.

It was the first time we have seen such traffic, so I wanted to check.

It's odd, I don't know about anyone else, but we have seen a HUGE increase in attempted fraud traffic in the last few weeks.

Beginner

Re: SIP - Firewall/ACLs

So is there a PMF that deals with toll fraud that I should add or is the UC320 safe?

Sent from Cisco Technical Support iPhone App

Frequent Contributor

Re: SIP - Firewall/ACLs

Hi Jack,

No, you don't need to install a PMF.  There are no services in the UC320W that allow the capability of hairpinning calls to dialed (non-programmed) addresses.  The built-in capability described above means that we only accept SIP traffic from your configured SIP Provider's proxy IP address(es).  All other rogue inbound SIP traffic is quietly discarded.

Chris
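
Added example, not part of the original thread and not Cisco code: a log triage sketch for the behaviour described in the replies above, separating discarded SIP traffic that comes from other addresses of your provider (which the replies say can happen) from unrelated Internet probing. The thread does not show the UC320 log format, so the line layout, the addresses (documentation ranges) and the names `TRUNK_PROXIES` and `PROVIDER_RANGES` are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions: the proxy configured on the SIP trunk page, and the signalling
# ranges published by the provider. Constructed placeholder values.
TRUNK_PROXIES = {ipaddress.ip_address("198.51.100.10")}
PROVIDER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed layout: "<timestamp> SIP <METHOD> from <ipv4>:<port> <result>"
LINE_RE = re.compile(
    r"^\S+ SIP (?P<method>[A-Z]+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\b")

# Constructed sample log lines, not taken from a real device.
SAMPLE_LOG = """\
2000-01-01T02:14:07 SIP INVITE from 198.51.100.10:5060 accepted
2000-01-01T02:14:09 SIP INVITE from 203.0.113.77:5071 discarded
2000-01-01T02:14:10 SIP REGISTER from 203.0.113.77:5071 discarded
2000-01-01T02:14:11 SIP INVITE from 203.0.113.77:5072 discarded
2000-01-01T02:15:30 SIP OPTIONS from 198.51.100.23:5060 discarded
2000-01-01T02:16:00 SIP INVITE from 999.1.1.1:5060 discarded
garbled line""".splitlines()

def classify(ip):
    """Label a source: configured proxy, same provider, or unrelated."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if addr in TRUNK_PROXIES:
        return "trunk"
    if any(addr in net for net in PROVIDER_RANGES):
        return "provider-other"  # candidate to add to the trunk configuration
    return "unknown"             # probing or attempted toll fraud

def triage(lines):
    """Count (source IP, SIP method) pairs per label; also count unparsable lines."""
    report = {"trunk": Counter(), "provider-other": Counter(), "unknown": Counter()}
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            label = classify(m["ip"]) if m else None
        except ValueError:
            label = None
        if label is None:
            unparsed += 1
            continue
        report[label][(m["ip"], m["method"])] += 1
    return report, unparsed

if __name__ == "__main__":
    report, unparsed = triage(SAMPLE_LOG)
    for label, counts in report.items():
        for (ip, method), n in counts.most_common():
            print(f"{label:15} {ip:16} {method:9} {n}")
    print("unparsed lines:", unparsed)
```

Sources labelled `provider-other` are worth checking against the provider's documentation before changing the trunk configuration; `unknown` sources with many INVITE or REGISTER attempts match the probing described in the thread.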