12-30-2008 09:17 AM - edited 03-15-2019 03:16 PM
Hello,
Right now I have this access list applied to my Cisco GW:
access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 1719
access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 1720
access-list 100 permit udp host Y.Y.Y.Y host X.X.X.X eq 5060
access-list 100 permit udp host Y.Y.Y.Y host X.X.X.X eq 5061
access-list 100 deny tcp any any eq 1719
access-list 100 deny tcp any any eq 1720
access-list 100 deny udp any any eq 5060
access-list 100 deny udp any any eq 5061
access-list 100 permit ip any any
As far as I know, Cisco GWs can negotiate H.323 through any UDP port. So, am I having problems (fraud) with the last IP ANY ANY?
Thank you very much in advance.
12-30-2008 09:49 AM
H323 Voice GWs use TCP port 1720 for communication, no other ports. You may be confused with the UDP RTP port range 16384-32767. Port 1719 is only used for Gatekeeper RAS. So, your config looks fine, assuming you only want to block H323 and SIP traffic on the GW.
HTH,
Chris
12-30-2008 09:54 AM
Hello,
There is an extensive application note on toll fraud prevention for Callmanager Express which also applies partially to standalone VoIP gateways. Regarding H323 and SIP security (your current issue) the issues are the same for CME and VoIP gateways.
http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml#h323
Basically, block outside access to any untrusted/unknown device.
You may also take a look at the recommended security practices on the CME Solution Reference Network Design Guide.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html#wp1077429
Regards.
12-30-2008 05:20 PM
Your access list is missing SIP TCP port 5060. The gateway will listen on TCP 1720, and UDP and TCP 5060 by default. If you have a bound interface for SIP, only that IP address will listen.
It looks like your access list is still allowing TCP port 5060.
There are a number of incidents where we see attacks on SIP ports on public IP addresses that will try to hairpin calls through gateways. If you have a public IP, make sure you block all TCP/UDP 5060 and TCP 1720.
hth,
nick
01-08-2009 10:44 AM
Thank you all for the answers.
People I know have experienced security issues using Cisco GWs (with the previous access list applied) when:
- Someone tries to setup a call in H.323 (without RAS) using a different port from the well known port. For example, using TCP port 1750.
- Someone tries to setup a call in SIP using a different port from the well known port. For example, using UDP port 5070.
Is this possible? Do Cisco GWs allow this behavior?
Thanks!
01-08-2009 12:39 PM
Those ports are not open by default. The router will return port unreachable.
Check your open ports with:
show tcp brief
show udp
If the packets come to a different port it will not be allowed.
hth,
nick
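As an added illustration (not code from any poster in this thread), the following Python first-match evaluator runs the ACL from the original post against probes from an untrusted host, with constructed addresses standing in for Y.Y.Y.Y and X.X.X.X. It shows that TCP/1720 and UDP/5060 are denied while TCP/5060 (the gap Nick pointed out) and the non-standard ports asked about (TCP/1750, UDP/5070) pass the ACL and are left to the gateway's own listening behaviour; FIXED_ACL adds the missing TCP 5060 deny.

```python
TRUSTED_PEER = "203.0.113.10"   # constructed stand-in for Y.Y.Y.Y
GATEWAY = "198.51.100.5"        # constructed stand-in for X.X.X.X
UNTRUSTED = "192.0.2.77"        # constructed arbitrary Internet host
# The ACL exactly as posted, with the placeholder addresses substituted.
POSTED_ACL = [
    f"access-list 100 permit tcp host {TRUSTED_PEER} host {GATEWAY} eq 1719",
    f"access-list 100 permit tcp host {TRUSTED_PEER} host {GATEWAY} eq 1720",
    f"access-list 100 permit udp host {TRUSTED_PEER} host {GATEWAY} eq 5060",
    f"access-list 100 permit udp host {TRUSTED_PEER} host {GATEWAY} eq 5061",
    "access-list 100 deny tcp any any eq 1719",
    "access-list 100 deny tcp any any eq 1720",
    "access-list 100 deny udp any any eq 5060",
    "access-list 100 deny udp any any eq 5061",
    "access-list 100 permit ip any any",
]
# Nick's correction: the gateway also listens on TCP 5060, so deny it before the final permit.
FIXED_ACL = POSTED_ACL[:-1] + ["access-list 100 deny tcp any any eq 5060"] + POSTED_ACL[-1:]

def _addr(t: list, i: int) -> tuple:
    """Parse 'any' (None) or 'host A.B.C.D'; return (address, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")

def parse_ace(line: str) -> dict:
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <dport>]"""
    t = line.split()
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] not in (None, src) or ace["dst"] not in (None, dst):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

def untrusted_reach(acl: list) -> dict:
    """What an arbitrary host gets for each signalling port on the gateway."""
    probes = [("tcp", 1720), ("udp", 5060), ("tcp", 5060), ("tcp", 1750), ("udp", 5070)]
    return {f"{p}/{d}": evaluate(acl, p, UNTRUSTED, GATEWAY, d) for p, d in probes}
```

Only the ACL is modelled here; whether the gateway actually answers on TCP/1750 or UDP/5070 is decided by what `show tcp brief` and `show udp` list as listening, as Nick describes.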
01-08-2009 01:50 PM
What's the procedure to open these ports?