Unanswered Question
Aug 22nd, 2010

Customer has a PRI with 12 channels. When originally setup, ISP said they would be sending four digits. Could not get it to work. Called Cisco Small business support and noticed that they were actually sending 8 digits. Ex phone number is 888-8888. ISP is sending 10108888.

We modified config to get it to work. However, after one month customer received a bill for $2000 for calls to Cuba.Obviously toll fraud.

ISP accused UC540 of not being secure.

My question is this:

Can there Cisco device that is handing off PRI be the weak link in toll fraud since they are sending 1010xxxx?

I will post config if needed, but wanted to see if they could be to blame?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Steven Holl Mon, 08/23/2010 - 07:17

Securing a gateway from untrusted call sources is no different from securing a router from  untrusted traffic.  Your router is likely allowing SIP or H323 traffic  in an interface with a public interface, and it shouldn't be.  Keep in  mind that if you have CUE, you are running a SIP listener on the box,  and SIP will listen on all interfaces unless you configure a bind.  H323  will always listen on all interfaces, regardless of bind.  You should  always only allow TCP/1720 and TCP/UDP/5060 from known trusted sources  on any WAN interface with a public IP.

Also, this behavior is improved starting with 15.1(2)T to prevent toll fraud scenarios out-of-the-box:


Paolo Bevilacqua Mon, 08/23/2010 - 13:34

Keep in  mind that if you have CUE, you are running a SIP listener on the box.

Nitpick: even if you don't have CUE.

Steven Holl Mon, 08/23/2010 - 13:42

Right.  Anytime you have a SIP dial-peer, SIP listener is enabled.  Anytime you have an h323 dial-peer H323 listener is enabled.  Exceptions to this are that the listeners are both on by default for all code with a voice feature set, when running a release before this fix:

unnecessary tcp ports opened in default router config