05-21-2014 06:31 AM - edited 03-16-2019 10:51 PM
Hi
Is it possible for someone to make calls via CME running on IOS v12.4 using an E1 PRI connection?
May 13 2014 15:39:36 00:15:07 00881842011129 1
May 13 2014 15:50:36 00:05:35 00881842011146
As the log above shows, a call was made, but I can't tell who made the call internally.
May 13 2014 16:28:43 00:00:26 00881842011146 2
May 13 2014 16:29:13 00:00:27 00881842011129 2
The other log shows originating call as external number but no destination.
2014-05-13 15:54:01 Local7.Notice 172.23.100.1 97068: 097064: *May 13 15:53:36.831 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:53:03.978,cgn:213,cdn:230,frs:0,fid:65343,fcid:BCC8122FD9DC11E39449EEC1BC9630B,legID:82FC,bguid:BCC8122FD9DC11E39449EEC10BC9630B
2014-05-13 15:55:07 Local7.Info 172.23.100.1 97069: 097065: *May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29 disconnected from 00881842011129 , call lasted 900 seconds
2014-05-13 15:50:24 Local7.Notice 172.23.100.1 97062: 097058: *May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338,fcid:48834FCED9DC11E38BE100229032E5E0,legID:82F7,bguid:48834FCED9DC11E38BE100229032E5E0
2014-05-13 15:50:48 Local7.Info 172.23.100.1 97063: 097059: *May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A
2014-05-13 15:51:08 Local7.Info 172.23.100.1 97064: 097060: *May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A
The above logs are from syslog.
From the firewall side, all SIP and H323 ports are blocked.
Thanks
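One way to triage syslog output like the lines in the post above, as an added example that is not part of the original thread: it pulls out ISDN connect/disconnect events to numbers with an international prefix and lists the calling/called fields (cgn, cdn) of any FEAT_VSA record logged shortly before each one. The "00" prefix and the 120-second window are assumptions, and pairing by time is only a heuristic for narrowing down which internal leg to look at, not proof of who placed the call.

```python
import re
from datetime import datetime, timedelta

# Four of the syslog lines from the post, copied unchanged.
SAMPLE = """\
2014-05-13 15:55:07 Local7.Info 172.23.100.1 97069: 097065: *May 13 15:54:43.295 GMT: %ISDN-6-DISCONNECT: Interface Serial0/3/0:29 disconnected from 00881842011129 , call lasted 900 seconds
2014-05-13 15:50:24 Local7.Notice 172.23.100.1 97062: 097058: *May 13 15:49:59.860 GMT: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:05/13/2014 15:49:48.388,cgn:,cdn:6800,frs:0,fid:65338,fcid:48834FCED9DC11E38BE100229032E5E0,legID:82F7,bguid:48834FCED9DC11E38BE100229032E5E0
2014-05-13 15:50:48 Local7.Info 172.23.100.1 97063: 097059: *May 13 15:50:23.360 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:19 is now connected to N/A N/A
2014-05-13 15:51:08 Local7.Info 172.23.100.1 97064: 097060: *May 13 15:50:43.041 GMT: %ISDN-6-CONNECT: Interface Serial0/3/0:30 is now connected to 00881842011146 N/A
"""
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")  # syslog server time
ISDN = re.compile(r"%ISDN-6-(CONNECT|DISCONNECT): Interface (\S+) "
                  r"(?:is now connected to|disconnected from) (\S+)"
                  r"(?:.*call lasted (\d+) seconds)?")

def parse(text):
    """Split syslog text into ISDN call events and FEAT_VSA feature records."""
    isdn, feats = [], []
    for line in text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue
        ts = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        m = ISDN.search(line)
        if m:
            kind, intf, number, secs = m.groups()
            isdn.append({"ts": ts, "kind": kind, "intf": intf, "number": number,
                         "secs": int(secs) if secs else None})
        elif "FEAT_VSA=" in line:
            # Fields are comma-separated key:value pairs; split on the first colon only.
            vsa = line.split("FEAT_VSA=", 1)[1]
            rec = dict(f.split(":", 1) for f in vsa.split(",") if ":" in f)
            feats.append({"ts": ts, "cgn": rec.get("cgn", ""), "cdn": rec.get("cdn", "")})
    return isdn, feats

def flag_international(text, prefix="00", window=timedelta(seconds=120)):
    """ISDN events to `prefix` numbers, each with (cgn, cdn) of feature records
    logged up to `window` before the event (assumed prefix and window)."""
    isdn, feats = parse(text)
    hits = []
    for ev in isdn:
        if not ev["number"].startswith(prefix):
            continue
        near = [(f["cgn"], f["cdn"]) for f in feats
                if timedelta(0) <= ev["ts"] - f["ts"] <= window]
        hits.append((ev["kind"], ev["intf"], ev["number"], ev["secs"], near))
    return hits

if __name__ == "__main__":
    for hit in flag_international(SAMPLE):
        print(hit)
```
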
05-21-2014 07:06 PM
I have seen only one occurrence where numbers are spoofed via E1; this was in a different country to where I normally work, as my country's carriers block any spoofing attempts.
Sending some of your Q931, dial-peer and ccapi inout debugs to your syslog server might give you more information.
http://www.cisco.com/c/en/us/td/docs/ios/voice/monitor/configuration/guide/12_4/vt_12_4_book/vt_debug_cmd_gw.pdf
Where the spoofing was occurring, I was able to stop it by doing the following:
- Make sure all my POTS dial peers were set to direct-in-dial (if applicable to the number range)
- Voice Translation profiles on the inbound dial peers (or port) to match destination for your organisation's number range only; for any other destination or null you can reject the call.
05-21-2014 07:27 AM
What FW are you using? How did you block SIP?
Also, if you don't use SIP at all - is the SIP service "shut down"? What does the output of "show sip-ua service" say?
I think that you are not hacked through E1 - I think that someone made a call through your system (probably with a SIP connection) and got out through E1... again, IMHO...
BR,
Dragan
05-22-2014 12:09 AM
Thanks Dragan. The service is showing that it is shut down.
05-22-2014 12:08 AM
Thanks Heathrw. I will try your suggestions and see. As for the Q931 debug, should I let this run for the whole night and send it to syslog?
05-22-2014 12:12 AM
Depends on how often the calls are coming in. Since I don't know what other load is on your router, just be certain you won't impact your users.
If you know when the calls/attempts are coming in during certain periods I would try and run it then.
05-22-2014 03:50 AM
Looks set after making those changes you suggested. Thanks for your help.
05-22-2014 04:27 AM
You are welcome. If there are no other questions you may mark this discussion as correct.