Security concern in CME 4.0

Unanswered Question
Apr 9th, 2007

Why are TCP ports 1720 and 2000 listening on interface ATM0/1/0.2 in this configuration?

What are the risks?

Should I use an access-list to protect them?

!
controller E1 0/0/0
 framing NO-CRC4
 pri-group timeslots 1-10,16
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
 ip address 192.168.144.158 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
 ! LAN side is the H.323 gateway interface (TCP 1720 signaling)
 h323-gateway voip interface
!
interface Serial0/0/0:15
 no ip address
 encapsulation hdlc
 isdn switch-type primary-net5
 isdn incoming-voice voice
 no cdp enable
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! Internet-facing DSL subinterface; the ports in question were seen here
interface ATM0/1/0.2 point-to-point
 ip address 80.x.x.103 255.255.255.0
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/32
  encapsulation aal5snap
!
ip route 0.0.0.0 0.0.0.0 80.80.80.2
!
dial-peer voice 2 voip
 destination-pattern .T
 session target ipv4:192.168.144.158
 dtmf-relay h245-alphanumeric
 codec g711alaw
!
dial-peer voice 1001 pots
 destination-pattern T
 direct-inward-dial
 port 0/0/0:15
 no register e164
!
gateway
 timer receive-rtp 1200
!
telephony-service
 load 7960-7940 P0030702T023
 load 7912 CP7912080001SCCP051117A
 max-ephones 24
 max-dn 48
 ! SCCP phones register to this address on TCP 2000
 ip source-address 192.168.144.158 port 2000
 service dnis overlay
 url directories http://192.168.144.158/localdirectory
 user-locale ES
 network-locale ES
 time-zone 28
 time-format 24
 date-format dd-mm-yy
 max-conferences 8 gain -6
 moh music-on-hold.au
 web admin system name name password pass
 transfer-system full-consult
 night-service code *1900
 directory last-name-first
 create cnf-files version-stamp 7960 Apr 12 2006 17:23:22
!

Paolo Bevilacqua Tue, 04/10/2007 - 00:23

Hi,

1720 is H.323 and 2000 is SCCP. You may want to restrict the first to avoid casual calls if you are facing the internet. Port 2000 is much less of an issue because, to place calls, the phone needs to be registered, that is, fully configured in the system, or auto-reg and auto-assign must be enabled.

Hope this helps, Please rate all useful posts!
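One way to act on the advice above, as an added example that is not part of the original thread and not taken from Cisco documentation: an inbound extended ACL on the internet-facing subinterface ATM0/1/0.2 that drops connections from outside to the router's own H.323 (TCP 1720) and SCCP (TCP 2000) listeners while leaving NAT return traffic untouched. The `h323-gateway voip interface` and `ip source-address` commands in the posted config select the address that signaling is sourced from and that phones register to; they do not confine the listening sockets to the LAN, which is why the ports show up on the WAN side as well. The ACL name PROTECT-VOICE and the `log` keyword on the deny entries are assumptions; 80.x.x.103 is the masked WAN address from the posted config, so substitute the real one. Inbound ACLs on a NAT outside interface are evaluated before outside-to-inside translation, so the entries match on the public address.

```cisco
! Added example, not from the original post. Blocks outside hosts from
! reaching the router's own H.323 (1720) and SCCP (2000) listeners on the
! WAN subinterface. ACL name and 'log' keyword are assumptions;
! 80.x.x.103 is the masked WAN address from the posted config.
ip access-list extended PROTECT-VOICE
 remark Drop inbound H.323 call setup aimed at the router itself
 deny   tcp any host 80.x.x.103 eq 1720 log
 remark Drop inbound SCCP registration attempts aimed at the router itself
 deny   tcp any host 80.x.x.103 eq 2000 log
 remark Everything else (including NAT return traffic) continues to pass;
 remark without this line the implicit deny would break the WAN link
 permit ip any any
!
interface ATM0/1/0.2 point-to-point
 ip access-group PROTECT-VOICE in
!
```

After applying it, `show ip access-lists PROTECT-VOICE` shows hit counts on the two deny entries, which doubles as a cheap indicator of scanning or call attempts from the internet; drop the `log` keyword if the syslog volume or the process-switched logging becomes a burden. `show control-plane host open-ports`, on IOS releases that support it, lists the router's own listening sockets and is the quickest way to confirm what else is exposed on the WAN address. On CME releases that offer it, `ip source-address 192.168.144.158 port 2000 strict-match` under `telephony-service` additionally rejects SCCP registrations that are not addressed to the configured source address, which narrows port 2000 further even if the ACL is ever removed.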
