SIP on Outside Interface

Unanswered Question
Oct 5th, 2009

By default, is SIP disabled on outside interface?

I.e., could someone connect via SIP and make calls?

I remember some technote came out that says it was enabled by default on routers.

Steven DiStefano Mon, 10/05/2009 - 08:26

This is a SIP Source Route ACL that we implemented a few CCA releases ago, that requires you to add the addresses of only the SIP Trunk SP's Session Border Controllers, Proxies/Registrars (usually just 2 addresses) so only they can communicate SIP with the UC500.

Marcos Hernandez Mon, 10/05/2009 - 08:29

By default, any IOS voice capable device listens for SIP traffic on any IP interface. We have added a number of security measures to prevent unauthorized calls, or illegitimate calls, not coming from a valid SIP ITSP. This is all automatically configured by CCA. If you are using CLI, you have to implement these policies manually. More information on:


Maulik Shah Mon, 10/05/2009 - 09:18

To be clear on a few points:

- By default the firewall on the UC500 is enabled on the outside interface and this prevents all SIP traffic from coming in

- Strongly recommend using CCA to configure the system - some additional tips on this are below:

The recommendation is to ensure that the firewall is enabled on the UC500 and access passwords are changed from the default to something more secure using the CCA tool. In addition, CCA provides voice security & toll fraud prevention, at multiple levels as below:

1. Inbound SIP messages are only allowed from IP addresses or host names of the SIP proxy or registrar servers configured on the SIP Trunk page on CCA. With CCA 2.1, there is an option to add additional IP addresses based on the customer need by going to Configure > Voice > Trunks > SIP Trunk > Advanced.

2. Inbound calls only work to the predefined DIDs or external numbers configured using inbound dialplan on CCA; SIP calls to any numbers not defined in the dialplan from the internet will fail.

3. Predefined Class of Restriction (COR) to enable access control for different classes of users. International number dialing, for example, may be restricted to specific phones.

Curious - what are you seeing in your setup?
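
A minimal model of the first two layers listed in the post above (source allowlist, then inbound dialplan), added here as an illustration and not taken from the thread, CCA or IOS. The peer addresses, DIDs and SIP request lines are constructed, and `classify` and `audit` are hypothetical names.

```python
import ipaddress
import re

# Assumed, constructed values: the ITSP's SBC/proxy addresses and the inbound DIDs.
TRUSTED_SIP_PEERS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]
INBOUND_DIDS = {"4085550100", "4085550101"}

# SIP request line: METHOD sip:[user@]host[:port][;params] SIP/2.0
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+sips?:(?:([^@\s]+)@)?(\S+)\s+SIP/2\.0$")

def classify(src_ip, message):
    """Return the verdict for one inbound SIP request seen from src_ip."""
    # Layer 1: only configured trunk peers may speak SIP to the gateway at all.
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_SIP_PEERS):
        return "drop-source"
    lines = message.strip().splitlines()
    match = REQUEST_LINE.match(lines[0].strip()) if lines else None
    if match is None:
        return "reject-malformed"
    method, user = match.group(1), match.group(2)
    if method != "INVITE":
        return "allow"  # e.g. OPTIONS keepalives from the trunk
    # Layer 2: a call must target a number defined in the inbound dialplan.
    called = re.sub(r"\D", "", (user or "").split(";")[0])
    return "allow" if called in INBOUND_DIDS else "reject-did"

def audit(events):
    """Classify (source IP, raw SIP request) pairs, e.g. from a capture."""
    return [(src, classify(src, msg)) for src, msg in events]

# Constructed sample traffic, not real captures.
SAMPLE_EVENTS = [
    ("192.0.2.10", "INVITE sip:4085550100@203.0.113.5:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n"),
    ("198.51.100.77", "INVITE sip:901155500199@203.0.113.5 SIP/2.0\r\n"),
    ("192.0.2.11", "INVITE sip:4085559999@203.0.113.5 SIP/2.0\r\n"),
    ("192.0.2.10", "OPTIONS sip:203.0.113.5 SIP/2.0\r\n"),
    ("192.0.2.10", "garbage"),
]

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE_EVENTS):
        print(f"{src:15} {verdict}")
```

Running the same classification over real capture or syslog data shows which layer is stopping unsolicited INVITEs, and whether anything reaches the dialplan check from an address that is not a trunk peer.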

Joseph Chambers Mon, 10/05/2009 - 09:23

I'm not seeing anything funny on mine.

I heard from another partner about a customer using CME that got hit, so that got me thinking about it.

