05-21-2014 06:31 AM - edited 03-16-2019 10:51 PM
Hi
Is it possible for someone to make calls via CME running on IOS v12.4 using an E1 PRI connection?
May 13 2014 15:39:36 00:15:07 00881842011129 1
May 13 2014 15:50:36 00:05:35 00881842011146
As the log above shows, a call was made but I can't tell who made the call internally?
May 13 2014 16:28:43 00:00:26 00881842011146 2
May 13 2014 16:29:13 00:00:27 00881842011129 2
The other log shows the originating call as an external number but no destination.
2014-05-13 15:54:01 Local7.Notice 172.23.100.1 97068: 097064: *May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:65343,fcid:BCC8122FD9DC11E39449EEC1BC9630B,legID:82FC,bguid:BCC8122FD9DC11E39449EEC10BC9630B
2014-05-13 15:55:07 Local7.Info 172.23.100.1 97069: 097065: *May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29 disconnected from 00881842011129 , call lasted 900 seconds
2014-05-13 15:50:24 Local7.Notice 172.23.100.1 97062: 097058: *May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338,fcid:48834FCED9DC11E38BE100229032E5E0,legID:82F7,bguid:48834FCED9DC11E38BE100229032E5E0
2014-05-13 15:50:48 Local7.Info 172.23.100.1 97063: 097059: *May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A
2014-05-13 15:51:08 Local7.Info 172.23.100.1 97064: 097060: *May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A
The above logs are from syslog.
On the firewall side, all SIP and H323 ports are blocked.
Thanks
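A way to triage syslog output like the lines in the question above, as an added example that is not part of the original thread or any Cisco tool. It flags VOIP_FEAT_HISTORY records with an empty calling number (cgn) and long ISDN calls to international numbers; the sample lines are constructed in the same format, and the "00" prefix and 600-second threshold are assumptions to adjust for your site.

```python
import re

# Constructed sample lines in the format of the syslog excerpts in the post.
SAMPLE = """\
*May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:1,legID:A1
*May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:2,legID:A2
*May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00880000000001 N/A
*May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29 disconnected from 00880000000002 , call lasted 900 seconds
*May 13 16:10:00.000 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:12 disconnected from 0123456789 , call lasted 45 seconds
"""

FEAT = re.compile(r"%VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=(\S.*)$")
DISC = re.compile(
    r"%ISDN-6-DISCONNECT: Interface (\S+) disconnected from (\S+) ?, call lasted (\d+) seconds")

def parse_feat_vsa(body):
    """Split 'k:v,k:v' into a dict; values such as ft contain ':' so split once."""
    return dict(field.split(":", 1) for field in body.split(",") if ":" in field)

def triage(log_text, intl_prefix="00", long_call_s=600):
    """Return findings for empty calling numbers and long international calls.

    intl_prefix and long_call_s are assumed defaults, not values from the thread.
    """
    findings = []
    for line in log_text.splitlines():
        m = FEAT.search(line)
        if m:
            vsa = parse_feat_vsa(m.group(1))
            if vsa.get("cgn", "") == "":  # no calling number recorded for this leg
                findings.append(("empty-calling-number", vsa.get("cdn"), vsa.get("legID")))
            continue
        m = DISC.search(line)
        if m:
            iface, number, secs = m.group(1), m.group(2), int(m.group(3))
            if number.startswith(intl_prefix) and secs >= long_call_s:
                findings.append(("long-international-call", number, iface, secs))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```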
05-21-2014 07:06 PM
I have seen only one occurrence where numbers were spoofed via E1. This was in a different country to where I normally work, as my country's carriers block any spoofing attempts.
Sending some of your Q931, dial-peer and ccapi inout debugs to your syslog server might give you more information.
http://www.cisco.com/c/en/us/td/docs/ios/voice/monitor/configuration/guide/12_4/vt_12_4_book/vt_debug_cmd_gw.pdf
Where the spoofing was occurring, I was able to stop this by doing the following:
- Make sure all my POTS dial peers were set to direct-in-dial (if applicable to the number range)
- Voice Translation profiles on the inbound dial peers (or port) to match destinations for your organisation's number range only; for any other destination or null you can reject the call.
05-21-2014 07:27 AM
What FW are you using? How did you block SIP?
Also, if you don't use SIP at all - is the SIP service "shut down"? What does the output of "show sip-ua service" say?
I think that you are not hacked through E1 - I think that someone made a call through your system (probably with a SIP connection) and got out through E1...again IMHO...
BR,
Dragan
05-22-2014 12:09 AM
Thanks Dragan. The service is showing that it is shut down.
05-22-2014 12:08 AM
Thanks Heathrw. I will try your suggestions and see. As for the q931 debug, should I let this run for the whole night and send to syslog?
05-22-2014 12:12 AM
Depends on how often the calls are coming in. Since I don't know what other load is on your router, just be certain you won't impact your users.
If you know the calls/attempts are coming in during certain periods, I would try and run it then.
05-22-2014 03:50 AM
Looks set after making those changes you suggested. Thanks for your help.
05-22-2014 04:27 AM
You are welcome. If there are no other questions, you may mark this discussion as correct.