VoIP Access List

Hello,

Right now I have this access list applied to my Cisco GW:

access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 1719
access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 1720
access-list 100 permit udp host Y.Y.Y.Y host X.X.X.X eq 5060
access-list 100 permit udp host Y.Y.Y.Y host X.X.X.X eq 5061
access-list 100 deny tcp any any eq 1719
access-list 100 deny tcp any any eq 1720
access-list 100 deny udp any any eq 5060
access-list 100 deny udp any any eq 5061
access-list 100 permit ip any any

As far as I know, Cisco GWs can negotiate H.323 through any UDP port. So, am I having problems (fraud) with the last IP ANY ANY?

Thank you very much in advance.

6 Replies

Chris Deren
Hall of Fame

H323 voice GWs use TCP port 1720 for communication, no other ports. You may be confusing this with the UDP RTP port range 16384-32767. Port 1719 is only used for Gatekeeper RAS. So, your config looks fine, assuming you only want to block H323 and SIP traffic on the GW.

HTH,

Chris

jaregalado
Level 1

Hello,

There is an extensive application note on toll fraud prevention for CallManager Express which also applies partially to standalone VoIP gateways. Regarding H323 and SIP security (your current issue), the issues are the same for CME and VoIP gateways.

http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml#h323

Basically, block outside access to any untrusted/unknown device.

You may also take a look at the recommended security practices on the CME Solution Reference Network Design Guide.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html#wp1077429

Regards. Saludos.

Your access list is missing SIP TCP port 5060. The gateway will listen on TCP 1720, and on UDP and TCP 5060 by default. If you have a bound interface for SIP, only that IP address will listen.

It looks like your access list is still allowing TCP port 5060.

There are a number of incidents where we see attacks on SIP ports on public IP addresses that will try to hairpin calls through gateways. If you have a public IP, make sure you block all TCP/UDP 5060 and TCP 1720.

hth,

nick
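To make the point in Nick's reply checkable rather than read off by eye, here is an added example (not configuration from the original poster, from Nick, or from Cisco) that models the router's first-match walk through the posted access list and reports which signaling ports an untrusted source can still reach. It parses only the subset of IOS syntax the thread uses (`permit|deny ip|tcp|udp any|host A any|host B [eq PORT]`). X.X.X.X and Y.Y.Y.Y are the thread's own placeholders; Z.Z.Z.Z is a constructed untrusted source, and the "fixed" list adds exactly the two TCP 5060 lines the reply calls for.

```python
"""First-match evaluation of a numbered IOS extended ACL (added example)."""
from dataclasses import dataclass
from typing import Optional

GATEWAY = "X.X.X.X"     # gateway address from the thread
TRUSTED = "Y.Y.Y.Y"     # the one permitted peer from the thread
UNTRUSTED = "Z.Z.Z.Z"   # constructed: any other Internet host

# The list exactly as posted in the question.
POSTED_ACL = """
access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 1719
access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 1720
access-list 100 permit udp host Y.Y.Y.Y host X.X.X.X eq 5060
access-list 100 permit udp host Y.Y.Y.Y host X.X.X.X eq 5061
access-list 100 deny tcp any any eq 1719
access-list 100 deny tcp any any eq 1720
access-list 100 deny udp any any eq 5060
access-list 100 deny udp any any eq 5061
access-list 100 permit ip any any
"""

# Same list plus the two lines the reply calls for: TCP 5060 is permitted
# only from the trusted peer and denied from everyone else.
FIXED_ACL = POSTED_ACL.replace(
    "access-list 100 deny tcp any any eq 1719",
    "access-list 100 permit tcp host Y.Y.Y.Y host X.X.X.X eq 5060\n"
    "access-list 100 deny tcp any any eq 5060\n"
    "access-list 100 deny tcp any any eq 1719",
)

# The signaling ports the reply says must be closed to untrusted hosts.
SIGNALING = (("tcp", 1720), ("tcp", 5060), ("udp", 5060))


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, endpoints, optional port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    dport: Optional[int]   # None means any destination port


def _address(tokens: list[str], i: int) -> tuple[str, int]:
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def parse_acl(text: str) -> list[Ace]:
    """Parse access-list lines in order; blank and non-ACL lines are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _address(t, 4)
        dst, i = _address(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in ("any", src) or ace.dst not in ("any", dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # every IOS ACL ends with an implicit deny


def exposed_ports(acl_text: str, src: str, dst: str = GATEWAY,
                  probes=SIGNALING) -> list[tuple[str, int]]:
    """(proto, port) pairs from `probes` that `src` is permitted to reach on `dst`."""
    acl = parse_acl(acl_text)
    return [(p, port) for p, port in probes
            if evaluate(acl, p, src, dst, port) == "permit"]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(f"{name}: untrusted reaches {exposed_ports(text, UNTRUSTED)}, "
              f"trusted reaches {exposed_ports(text, TRUSTED)}")
```

Run as-is, the posted list leaves TCP 5060 open to the untrusted host (it falls through every deny and hits `permit ip any any`), while the fixed list closes it and still lets the trusted peer reach all three ports. The `probes` argument is there so you can extend the check: Gatekeeper RAS runs over UDP 1719 and SIP over TLS over TCP 5061, neither of which the posted list denies for untrusted sources.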

Thank you all for the answers.

People I know have experienced security issues using Cisco GWs (with the previous access list applied) when:

- Someone tries to set up a call in H.323 (without RAS) using a port other than the well-known port, for example TCP port 1750.

- Someone tries to set up a call in SIP using a port other than the well-known port, for example UDP port 5070.

Is this possible? Do Cisco GWs allow this behavior?

Thanks!

Those ports are not open by default. The router will return port unreachable.

Check your open ports with:

show tcp brief

show udp

If the packets arrive on a different port, they will not be allowed.

hth,

nick

What's the procedure to open these ports?
