International Fraud

Answered Question
Jun 3rd, 2009

We recently upgraded one of our clients UC520 to 20T2 and now they were recently notifed by their ISP (Cbeyond) that there has been some International calling from their end.    Here is the dial-peer for all incoming calls

dial-peer voice 1000 voip

description ** Incoming call from SIP trunk **

translation-profile incoming CUE_Incoming

voice-class codec 1

voice-class sip dtmf-relay force rtp-nte

session protocol sipv2

session target sip-server

incoming called-number .%

dtmf-relay rtp-nte

ip qos dscp cs5 media

ip qos dscp cs4 signaling

no vad

There is no "permission term" to prevent hairpinning, and I believe that "permission term" causes other issues.  Has these issues been resolved?  Or are their other solutions to prevent International calling fraud?

I have this problem too.
0 votes
Correct Answer by Marcos Hernandez about 7 years 4 months ago

Reconfiguring your SIP trunk on CCA 1.9 or CCA 2.0 will push the necessary CLI. Please use 2.0.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Marcos Hernandez Wed, 06/03/2009 - 09:49

In CCA 1.9 we introduced a mechanism using a voice source group, to only allow calls from the IP of the ITSP. Additionally, we translate inbound calls into the site that start with the access code, to an undialable number. Almost never should you see inbound calls from the SIP side that start with your outbound access code.



brandon.kallas Wed, 06/03/2009 - 09:52

Does this only work when you build a system from scratch via CCA 1.9?   What needs to be done to the configuration if you upgraded an existing configuration using 1.9?

Correct Answer
Marcos Hernandez Wed, 06/03/2009 - 09:54

Reconfiguring your SIP trunk on CCA 1.9 or CCA 2.0 will push the necessary CLI. Please use 2.0.



brandon.kallas Wed, 06/03/2009 - 10:01

So, every customer that we recently upgraded to 20T2, also needs to have their dial-peers reconfigured using CCA 2.0??   Is there anything else that was added to 1.9 and 2.0 that we need to be aware up that did not get reconfigured in the upgrade.

brandon.kallas Wed, 06/03/2009 - 11:25

What are the commands that need to be added via CLI?   Or is this something that is better doing through CCA?  If so, then are their instructions on how to modify the dial-peers so that no other configurations are altered via CCA?

Marcos Hernandez Wed, 06/03/2009 - 11:38

The CLI looks something like this ( is the SIP Proxy IP):


voice source-group CCA_SIP_SOURCE_GROUP
  access-list 2
  translation-profile incoming SIP_Incoming

voice translation-rule 411
rule 1 /^9\(.*\)/ /ABCD9\1/
voice translation-rule 412
rule 1 /^ABCD\(.*\)/ /\1/

access-list 2 permit
access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit
access-list 2 permit
access-list 2 deny   any

voice translation-profile SIP_Incoming
translate called 411
voice translation-profile SIP_Passthrough
translate called 412

dial-peer voice 1003 voip
description ** Passthrough Inbound Calls from CUE **
translation-profile incoming SIP_Passthrough
session protocol sipv2
session target ipv4:
incoming called-number ABCDT
dtmf-relay sip-notify
codec g711ulaw
no vad

Maulik Shah Wed, 06/03/2009 - 16:24

There are additional checks that CCA adds such as it locks down the firewall on WAN interface as well to only allow SIP traffic from specific IP addresses. Would recommend you use CCA to delete and re add the SIP Trunk provider (you would need to re add the inbound DID mapping and outbound dialplan settings) - this will give you the best results even if its a bit more work.

Marcos Hernandez Thu, 06/04/2009 - 08:36


The ACL is typically ACL 104 applied in teh inbound direction on the FE0/0 interface. Make sure you have an entry to allow SIP traffic from the ITSP.




This Discussion