Solved: International Fraud

brandon.kallas · ‎06-03-2009

We recently upgraded one of our clients UC520 to 20T2 and now they were recently notifed by their ISP (Cbeyond) that there has been some International calling from their end. Here is the dial-peer for all incoming calls

dial-peer voice 1000 voip

description ** Incoming call from SIP trunk **

translation-profile incoming CUE_Incoming

voice-class codec 1

voice-class sip dtmf-relay force rtp-nte

session protocol sipv2

session target sip-server

incoming called-number .%

dtmf-relay rtp-nte

ip qos dscp cs5 media

ip qos dscp cs4 signaling

no vad

There is no "permission term" to prevent hairpinning, and I believe that "permission term" causes other issues. Has these issues been resolved? Or are their other solutions to prevent International calling fraud?

Marcos Hernandez · ‎06-03-2009

Reconfiguring your SIP trunk on CCA 1.9 or CCA 2.0 will push the necessary CLI. Please use 2.0.

Thanks,

Marcos

View solution in original post

Marcos Hernandez · ‎06-03-2009

In CCA 1.9 we introduced a mechanism using a voice source group, to only allow calls from the IP of the ITSP. Additionally, we translate inbound calls into the site that start with the access code, to an undialable number. Almost never should you see inbound calls from the SIP side that start with your outbound access code.

Thanks,

Marcos

brandon.kallas · ‎06-03-2009

Does this only work when you build a system from scratch via CCA 1.9? What needs to be done to the configuration if you upgraded an existing configuration using 1.9?

Marcos Hernandez · ‎06-03-2009

Reconfiguring your SIP trunk on CCA 1.9 or CCA 2.0 will push the necessary CLI. Please use 2.0.

Thanks,

Marcos

brandon.kallas · ‎06-03-2009

So, every customer that we recently upgraded to 20T2, also needs to have their dial-peers reconfigured using CCA 2.0?? Is there anything else that was added to 1.9 and 2.0 that we need to be aware up that did not get reconfigured in the upgrade.

Marcos Hernandez · ‎06-03-2009

I am not aware of anything else.

Marcos

brandon.kallas · ‎06-03-2009

What are the commands that need to be added via CLI? Or is this something that is better doing through CCA? If so, then are their instructions on how to modify the dial-peers so that no other configurations are altered via CCA?

Marcos Hernandez · ‎06-03-2009

The CLI looks something like this (20.20.20.20 is the SIP Proxy IP):

!

voice source-group CCA_SIP_SOURCE_GROUP
access-list 2
translation-profile incoming SIP_Incoming

!
voice translation-rule 411
rule 1 /^9\(.*\)/ /ABCD9\1/
!
voice translation-rule 412
rule 1 /^ABCD\(.*\)/ /\1/
!

access-list 2 permit 20.20.20.20
access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.10.0 0.0.0.3
access-list 2 deny any

!
voice translation-profile SIP_Incoming
translate called 411
!
voice translation-profile SIP_Passthrough
translate called 412
!

dial-peer voice 1003 voip
description ** Passthrough Inbound Calls from CUE **
translation-profile incoming SIP_Passthrough
b2bua
session protocol sipv2
session target ipv4:10.1.10.1
incoming called-number ABCDT
dtmf-relay sip-notify
codec g711ulaw
no vad
!

Maulik Shah · ‎06-03-2009

There are additional checks that CCA adds such as it locks down the firewall on WAN interface as well to only allow SIP traffic from specific IP addresses. Would recommend you use CCA to delete and re add the SIP Trunk provider (you would need to re add the inbound DID mapping and outbound dialplan settings) - this will give you the best results even if its a bit more work.

Marcos Hernandez · ‎06-04-2009

Brandon,

The ACL is typically ACL 104 applied in teh inbound direction on the FE0/0 interface. Make sure you have an entry to allow SIP traffic from the ITSP.

Thanks,

Marcos