SIP on Outside Interface

Joseph Chambers
Level 1

By default, is SIP disabled on the outside interface?

I.e., could someone connect via SIP and make calls?

I remember some technote came out that says it was enabled by default on routers.

https://supportforums.cisco.com/docs/DOC-3031

4 Replies

Steven DiStefano
VIP Alumni

This is a SIP Source Route ACL that we implemented a few CCA releases ago, that requires you to add the addresses of only the SIP Trunk SP's Session Border Controllers, Proxies/Registrars (usually just 2 addresses) so only they can communicate SIP with the UC500.

By default, any IOS voice capable device listens for SIP traffic on any IP interface. We have added a number of security measures to prevent unauthorized calls, or illegitimate calls, not coming from a valid SIP ITSP. This is all automatically configured by CCA. If you are using CLI, you have to implement these policies manually. More information on:

http://www.cisco.com/en/US/products/sw/voicesw/ps4625/products_tech_note09186a00809dc487.shtml

Marcos

Maulik Shah
Level 5

To be clear on a few points:

- By default the firewall on the UC500 is enabled on the outside interface and this prevents all SIP traffic from coming in

- Strongly recommend using CCA to configure the system - some additional tips on this are below:

The recommendation is to ensure that the firewall is enabled on the UC500 and access passwords are changed from the default to something more secure using the CCA tool. In addition, CCA provides voice security & toll fraud prevention, at multiple levels as below:

1. Inbound SIP messages are only allowed from IP addresses or host names of the SIP proxy or registrar servers configured on the SIP Trunk page on CCA. With CCA 2.1, there is an option to add additional IP addresses based on the customer need by going to Configure > Voice > Trunks > SIP Trunk > Advanced.

2. Inbound calls only work to the predefined DIDs or external numbers configured using the inbound dialplan on CCA; SIP calls from the internet to any numbers not defined in the dialplan will fail.

3. Predefined Class of Restriction (COR) to enable access control for different classes of users. International number dialing, for example, may be restricted to specific phones.


Curious - what are you seeing in your setup?

I'm not seeing anything funny on mine.

I heard from another partner about customer using CME that got hit, so that got me thinking about it.
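
The source restriction described in the replies above (inbound SIP accepted only from the provider's proxies and session border controllers) can be checked offline against an access list. The following is an added example, not part of any post in this thread and not configuration generated by CCA: it evaluates a simplified IOS-style extended ACL with first-match semantics and reports whether SIP signalling is admitted per source. The ACL name, the addresses (documentation ranges) and the use of the default SIP port 5060 are assumptions.

```python
import ipaddress

# Constructed sample ACLs (hypothetical name OUTSIDE-IN, documentation addresses).
WEAK = """ip access-list extended OUTSIDE-IN
 permit ip any any"""
HARDENED = """ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.10 any eq 5060
 permit udp host 192.0.2.11 any eq 5060
 deny udp any any eq 5060 log
 deny tcp any any eq 5060 log
 permit ip any any"""
TRUSTED = ["192.0.2.10", "192.0.2.11"]   # assumed provider SBC / proxy addresses
OUTSIDER = "203.0.113.50"                # assumed arbitrary internet host

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _take_addr(tok):
    """Consume one address spec; return (base, wildcard) as integers."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tok.pop(0)), 0
    return _ip(head), _ip(tok.pop(0))

def parse_acl(text):
    """Parse 'permit|deny proto src dst [eq port]' lines, a subset of IOS syntax."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            action, proto = tok.pop(0), tok.pop(0)
            src, _dst = _take_addr(tok), _take_addr(tok)  # destination is not matched
            port = int(tok[1]) if len(tok) >= 2 and tok[0] == "eq" else None
            aces.append((action, proto, src, port))
    return aces

def evaluate(aces, proto, src_ip, dport):
    """First matching entry wins; the list ends with an implicit deny."""
    s = _ip(src_ip)
    for action, ace_proto, (base, wild), port in aces:
        src_ok = ((s ^ base) & ~wild & 0xFFFFFFFF) == 0
        if ace_proto in ("ip", proto) and src_ok and port in (None, dport):
            return action
    return "deny"

def sip_exposure(acl_text, sources, dport=5060):
    aces = parse_acl(acl_text)
    return {s: {p: evaluate(aces, p, s, dport) for p in ("udp", "tcp")} for s in sources}
```

Calling `sip_exposure(WEAK, TRUSTED + [OUTSIDER])` and the same with `HARDENED` shows the difference: the weak list admits SIP from the outsider address, the hardened one only from the two trusted hosts over UDP.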