Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

default sip with 12.4(13r)T

Hello all,

i use router 2811 with cm express for isdn dialing to pstn. my isp inform me that i have high voice traffic to some countries in asia and africa. i debuged it - all calls were over sip, which was enable on public interface in the default sip cfg (i didnt see anything about enable sip in the startup-config). now i disable tcp/udp sip transport, everything is ok but can you explain me what is possible or where is problem ?

thank you.


my hw:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T7, RELEASE SOFTWARE (fc3) - c2800nm-advipservicesk9-mz.124-9.T7.bin"

sh sip-ua calls


Number of SIP User Agent Client(UAC) calls: 0


Call 1

SIP Call ID :

State of the call : STATE_RECD_INVITE (11)

Substate of the call : SUBSTATE_NONE (0)

Calling Number : 1111

Called Number : 9009595036838

Bit Flags : 0x40401E 0x100 0x404

CC Call ID : 39669

Source IP Address (Sig ): my ip

Destn SIP Req Addr:Port : unknown ip:5060

Destn SIP Resp Addr:Port: unknown ip:5060

Destination Name : unknown ip

Number of Media Streams : 1

Number of Active Streams: 1

RTP Fork Object : 0x0

Media Mode : flow-through

Media Stream 1

State of the stream : STREAM_ACTIVE

Stream Call ID : 39669

Stream Type : voice+dtmf (1)

Negotiated Codec : g723r63 (24 bytes)

Codec Payload Type : 4

Negotiated Dtmf-relay : rtp-nte

Dtmf-relay Payload Type : 101

Media Source IP Addr:Port: my ip:17172

Media Dest IP Addr:Port : unknown ip:19056

Orig Media Dest IP Addr:Port :


Re: default sip with 12.4(13r)T


Check this info

Basicly SIP, H.323 and MGCP ports stay open no matter if you have configured/enabled any of these services and any one can connect to the router on port 5060 (for example) and if he guesses the righ pattern to go out through your pots dial-peers you'll get a quite nice bill from your telco ;)

So deny any ports that these protocols use if you have ISDN and internet on the same router. Permit them only from trusted hosts if that is possible and always put the sip no transport tcp/udp if you dont use SIP.

Use show tcp all brief and show ip sockets (if available in your IOS) to see on what ports your router is listening.

One of our clients said goodbuy to a couple of thousand dollars the day before this advisory was posted.



New Member

Re: default sip with 12.4(13r)T

Hi Stoyan,

thank you for info. i read your advisory link but if i understand (there are many info about device crash) main reason of my problem could be this " can potentially lead to remote code execution" ? if yes, do you have any sample code please ?


Re: default sip with 12.4(13r)T

As I told you, your router listens on these ports and it is possible that some one can remotely "execute code" on them, i.e. send call-setup signalization and eventually make a call. This does not meen that the have accessed the router.