Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Restricting calls to different dial-peers

By setting up sip, it seems that it lets anything that connects to it (registered or not, valid

user or not) make calls to any dial-peer. How do I go about making it so the sip endpoint

can only make a call is if it that sip endpoint registered with cucme? I'm running 4.1.

14 REPLIES
VIP Super Bronze

Restricting calls to different dial-peers

Your best bet is to upgrade your IOS to 15.1 (2)T and then implement toll fraud prevention with ip address trust list.

Details here..

http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a0080b3e123.shtml

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Restricting calls to different dial-peers

This seems decent, but what if I have sip endpoints coming from different networks with dynamic ip addresses?

VIP Super Bronze

Restricting calls to different dial-peers

The whole idea of Toll prevention is that you identify the devices that will be making calls of your infrastructure. If your deployment is such that you are unable to identify them, then I cant see any way you can enforce this. Even if you have devices with dynamic IPs, those ips must belong to a certain subnet/vlan etc. It is assumed that these devices are in your control hence you should be able to define a set of network addresses that are authorised to use your infrastructure.

So just configure all the subnet within your infrastructure and you should be good, I dont see any issue with that at all

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Restricting calls to different dial-peers

Let's say I have 5 endpoints. They're coming in through 5 different locations. Those ips change say, once every 24 hours, same subnet. Do I add those 5 different whole subnets, allowing anyone who happens to be using that same isp to make free phone calls through me if they happen to find my install?

I'm coming over from asterisk. In this setup, you had to be authenticated with the SIP proxy to be able to make outbound calls through this. Testing the security on my setup, I was able to load up X-Lite, put in a random extension number (doesn't exist in voice register dn), the CUCME ip and make a call with no effort.

For authenticated devices, I know how to use cor. For unauthenticated devices, I want a way to keep the call from going through. Perhaps there's a tcl script that could handle this? Something that would maintain an ACL/ip list of registered SIP endpoints.

VIP Super Bronze

Restricting calls to different dial-peers

If a phone registers to your CCME without them been configured, that suggests you have auto registration enabled. Why dont you disable auto-registration. Thats a good start, this way only devices that are manually configured will register. If an endpoint in not registered on your CCME, they cant make calls through it.

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Restricting calls to different dial-peers

I'm talking SIP here not SCCP. auto-registration only applies to SCCP phones afaik. It's also already turned off.

Like I said, I load up X-Lite, put in the CUCME ip, random extension number, turn off register, no password. Dial a number, it goes through. If I want to be able to allow SIP endpoints to connect remotely, without the need for VPN, I need to open up the SIP port to the WAN. If someone runs across my ip while looking for open SIP servers, they'll get free phone calls.

What I want is to allow the legitimate (authorised) people in, whilse keeping everyone else out.

VIP Super Bronze

Re: Restricting calls to different dial-peers

With SIP endpoints you can configure then to authenticate with authenticate register command e.g.

voice register global                    

mode cme 

source-address x.x.x.x port 5060

authenticate register

authneticate realm all

You will then need to configure each phone with a username and password as follows:

voice register pool 1
id mac x.x.x.x..xx.x..x

type 9951


number 1 dn 1

username cisco password cisco

! --- configure username and password for SIP registration

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Restricting calls to different dial-peers

That's already been set... here is an excert of my config:

!

! Last configuration change at 11:19:37 PDT Thu Jul 5 2012

! NVRAM config last updated at 11:19:38 PDT Thu Jul 5 2012

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec localtime

service password-encryption

!

boot-start-marker

boot system flash:c2600-adventerprisek9-mz.124-15.T14.bin

boot-end-marker

!

enable secret 5 #

enable password 7 #

!

aaa new-model

!

!

aaa authentication login default line

!

!

aaa session-id common

clock timezone PST -8

clock summer-time PDT recurring

clock save interval 8

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

no ip domain lookup

ip name-server 10.0.0.10

!

multilink bundle-name authenticated

!

voice service voip

allow-connections sip to sip

no supplementary-service sip refer

fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco

sip

  bind control source-interface FastEthernet0/0

  bind media source-interface FastEthernet0/0

  registrar server expires max 300 min 60

!

!

voice class codec 1

codec preference 1 g711alaw

codec preference 2 g711ulaw

codec preference 3 g729r8

video codec h264

!

voice register global

mode cme

source-address 10.0.0.5 port 5060

max-dn 10

max-pool 10

authenticate register

authenticate realm yourmom

date-format D/M/Y

mwi stutter

voicemail 1571

tftp-path flash:

create profile sync 002218297029116A

network-locale GB

ntp-server 10.0.0.10 mode directedbroadcast

!

voice register dn  1

number 2008

call-forward b2bua busy 1572 

call-forward b2bua mailbox 2006 

call-forward b2bua noan 1571 timeout 20

call-forward b2bua unreachable 1573

no-reg

mwi

!

voice register pool  1

id mac 0000.0000.0000

number 1 dn 1

emergency response location 1

presence call-list

dtmf-relay rtp-nte

username 2008 password #

codec g711alaw

no vad

!

voice emergency response location 1

elin 1 2096224625

!

!

call-history-mib retain-timer 500

call-history-mib max-size 500

dial-control-mib retain-timer 35791

dial-control-mib max-size 1200

archive

log config

  hidekeys

!

gw-accounting syslog

!

interface FastEthernet0/0

ip address 10.0.0.5 255.255.255.0

no ip route-cache cef

no ip route-cache

duplex auto

speed 100

!

ip default-gateway 10.0.0.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.0.0.1

!

!

ip http server

no ip http secure-server

ip http path flash:

!

logging 10.0.0.10

!

control-plane

!

!

dial-peer voice 101 voip

description Voicemail

preference 7

destination-pattern 157[1-4]

session protocol sipv2

session target ipv4:10.0.0.10

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 102 voip

description UK Directory Enquiries

translation-profile outgoing 1

destination-pattern 118...

session protocol sipv2

session target ipv4:10.0.0.10

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 201 voip

description Outbound Calls to Short UK Numbers

translation-profile outgoing 1

destination-pattern 0[1-9]........T

translate-outgoing calling 1

session protocol sipv2

session target sip-server

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 202 voip

description Outbound Calls to the UK

translation-profile outgoing 1

destination-pattern 0[1-9].........

session protocol sipv2

session target sip-server

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 301 voip

description Outbound Calls to the US

translation-profile outgoing 10

destination-pattern 001..........

session protocol sipv2

session target sip-server

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 401 voip

description Outbound Calls to the US

translation-profile outgoing 10

destination-pattern [2-9].........

session protocol sipv2

session target sip-server

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 403 voip

description Calls to the US with 1 infront

translation-profile outgoing 10

destination-pattern 1[2-9].........

session protocol sipv2

session target sip-server

dtmf-relay rtp-nte

codec g711alaw

!

dial-peer voice 903 voip

description Emergency Services

emergency response callback

emergency response zone

destination-pattern 911

session protocol sipv2

session target ipv4:10.0.0.10

codec g711alaw

!

dial-peer terminator A

sip-ua

credentials username # password # realm #

authentication username # password 7 #

no remote-party-id

retry invite 2

mwi-server ipv4:10.0.0.10 expires 3600 port 5060 transport udp unsolicited

registrar dns:.net:5060 expires 300

sip-server dns:.net

connection-reuse

permit hostname dns:voiptalk.org

permit hostname dns:.net

!

telephony-service

video

no auto-reg-ephone

load 7960-7940 P00308000500

load 7920 cmterm_7920.4.0-03-02

max-ephones 10

max-dn 20

ip source-address 10.0.0.5 port 2000 strict-match

timeouts interdigit 2

url services http://10.0.0.10/cisco/services/

network-locale GB

time-zone 5

time-format 24

date-format dd-mm-yy

voicemail 1571

mwi relay

max-conferences 4 gain -6

moh flash:moh.au

web admin system name # password #

dn-webedit

time-webedit

transfer-system full-consult

transfer-pattern 001.........

transfer-pattern T

create cnf-files version-stamp 7960 Jul 05 2012 07:05:17

!

!

ephone-dn  1

ring internal primary

number 2001 no-reg primary

label 2001

name Holbrook Bunting

preference 1

call-forward busy 1572

call-forward noan 1571 timeout 18

mwi-type both

hold-alert 60 idle

!

!

line con 0

password 7 #

line aux 0

password 7 #

line vty 0 4

password 7 #

!

ntp clock-period 17180381

ntp server 10.0.0.10

!

end

VIP Super Bronze

Restricting calls to different dial-peers

Whats the mac address of the x-lite?

Can you do a debug tftp events and a debug ccsip messages. Pls put the output in a text file and attach  here.

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Restricting calls to different dial-peers

I'm not authenticating against mac. Not doing anything with tftp. I put in the user: 100, password: random,

there is no voice register pool for '100'. This is me, using x-lite as 100 to call voicemail at 1571 in ccsip debug:

Also, X-Lite is set to not try to authenticate to the server, it is only sending an invite as shown below.

Received:

INVITE sip:1571@10.0.0.5 SIP/2.0

Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-66a0eb138318a27e-1---d8754z-;rport

Max-Forwards: 70

Contact: <100>

To: <1571>

From: "Holbrook Bunting"<100>;tag=84161d22

Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.

CSeq: 1 INVITE

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO

Content-Type: application/sdp

Supported: replaces

User-Agent: X-Lite 4 release 4.1 stamp 63215

Content-Length: 368

v=0

o=- 1341514242917947 1 IN IP4 10.0.0.112

s=CounterPath X-Lite 4.1

c=IN IP4 10.0.0.112

t=0 0

a=ice-ufrag:764d30

a=ice-pwd:86a38c0354a795fdbd44d2ba728664e3

m=audio 54432 RTP/AVP 0 8 101

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-15

a=sendrecv

a=candidate:1 1 UDP 659136 10.0.0.112 54432 typ host

a=candidate:1 2 UDP 659134 10.0.0.112 54433 typ host

Jul  5 18:50:42.977: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 100 Trying

Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-66a0eb138318a27e-1---d8754z-;rport

From: "Holbrook Bunting"<100>;tag=84161d22

To: <1571>

Date: Thu, 05 Jul 2012 18:50:42 GMT

Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.

CSeq: 1 INVITE

Allow-Events: telephone-event

Server: Cisco-SIPGateway/IOS-12.x

Content-Length: 0

Jul  5 18:50:43.009: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

INVITE sip:1571@10.0.0.10:5060 SIP/2.0

Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15B1EC5

From: "Holbrook Bunting" <>100@sip.didlogic.net>;tag=3AFEE2C-808

To: <1571>

Date: Thu, 05 Jul 2012 18:50:43 GMT

Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5

Supported: 100rel,timer,resource-priority,replaces

Min-SE:  1800

Cisco-Guid: 674579218-3322483169-2191628517-341066522

User-Agent: Cisco-SIPGateway/IOS-12.x

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

CSeq: 101 INVITE

Timestamp: 1341514243

Contact: <100>

Expires: 180

Allow-Events: telephone-event

Max-Forwards: 69

Content-Type: application/sdp

Content-Disposition: session;handling=required

Content-Length: 259

v=0

o=CiscoSystemsSIP-GW-UserAgent 5217 9966 IN IP4 10.0.0.5

s=SIP Call

c=IN IP4 10.0.0.5

t=0 0

m=audio 19542 RTP/AVP 8 101 19

c=IN IP4 10.0.0.5

a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-15

a=rtpmap:19 CN/8000

a=ptime:20

Jul  5 18:50:43.029: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 100 Trying

Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15B1EC5;received=10.0.0.5;rport=5060

From: "Holbrook Bunting" <>100@sip.didlogic.net>;tag=3AFEE2C-808

To: <1571>

Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5

CSeq: 101 INVITE

Server: Asterisk PBX 1.8.14.0-rc1

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Contact: <1571>

Content-Length: 0

Jul  5 18:50:43.037: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 200 OK

Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15B1EC5;received=10.0.0.5;rport=5060

From: "Holbrook Bunting" <>100@sip.didlogic.net>;tag=3AFEE2C-808

To: <1571>;tag=as76eb1181

Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5

CSeq: 101 INVITE

Server: Asterisk PBX 1.8.14.0-rc1

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Contact: <1571>

Content-Type: application/sdp

Content-Length: 260

v=0

o=root 951921662 951921662 IN IP4 10.0.0.10

s=Asterisk PBX 1.8.14.0-rc1

c=IN IP4 10.0.0.10

t=0 0

m=audio 10380 RTP/AVP 8 101

a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

a=silenceSupp:off - - - -

a=ptime:20

a=sendrecv

Jul  5 18:50:43.057: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

ACK sip:1571@10.0.0.10:5060 SIP/2.0

Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15C796

From: "Holbrook Bunting" <>100@sip.didlogic.net>;tag=3AFEE2C-808

To: <1571>;tag=as76eb1181

Date: Thu, 05 Jul 2012 18:50:43 GMT

Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5

Max-Forwards: 70

CSeq: 101 ACK

Allow-Events: telephone-event

Content-Length: 0

Jul  5 18:50:43.081: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 200 OK

Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-66a0eb138318a27e-1---d8754z-;rport

From: "Holbrook Bunting"<100>;tag=84161d22

To: <1571>;tag=3AFEE74-E5D

Date: Thu, 05 Jul 2012 18:50:42 GMT

Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.

CSeq: 1 INVITE

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

Allow-Events: telephone-event

Contact: <1571>

Supported: replaces

Server: Cisco-SIPGateway/IOS-12.x

Content-Type: application/sdp

Content-Disposition: session;handling=required

Content-Length: 262

v=0

o=CiscoSystemsSIP-GW-UserAgent 2921 9932 IN IP4 10.0.0.5

s=SIP Call

c=IN IP4 10.0.0.5

t=0 0

m=audio 18942 RTP/AVP 8 101

c=IN IP4 10.0.0.5

a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

a=ptime:20

a=silenceSupp:off - - - -

Jul  5 18:50:43.097: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

ACK sip:1571@10.0.0.5:5060 SIP/2.0

Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-c4d913069f90f573-1---d8754z-;rport

Max-Forwards: 70

Contact: <100>

To: <1571>;tag=3AFEE74-E5D

From: "Holbrook Bunting"<100>;tag=84161d22

Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.

CSeq: 1 ACK

User-Agent: X-Lite 4 release 4.1 stamp 63215

Content-Length: 0

Jul  5 18:50:44.557: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

BYE sip:1571@10.0.0.5:5060 SIP/2.0

Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-fbcb1966311d4207-1---d8754z-;rport

Max-Forwards: 70

Contact: <100>

To: <1571>;tag=3AFEE74-E5D

From: "Holbrook Bunting"<100>;tag=84161d22

Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.

CSeq: 2 BYE

User-Agent: X-Lite 4 release 4.1 stamp 63215

Content-Length: 0

Jul  5 11:50:44.573: %VOIPAAA-5-VOIP_CALL_HISTORY: CallLegType 2, ConnectionId 28354312C60911E182A198E51454431A, SetupTime 11:50:42.963 PDT Thu Jul 5 2012, PeerAddress 100, PeerSubAddress , DisconnectCause 10  , DisconnectText normal call clearing (16), ConnectTime 11:50:43.073 PDT Thu Jul 5 2012, DisconnectTime 11:50:44.573 PDT Thu Jul 5 2012, CallOrigin 2, ChargedUnits 0, InfoType 2, TransmitPackets 73, TransmitBytes 11680, ReceivePackets 60, ReceiveBytes 9600

Jul  5 11:50:44.577: %VOIPAAA-5-VOIP_FEAT_HISTORY: FEAT_VSA=fn:TWC,ft:07/05/2012 11:50:42.965,cgn:100,cdn:1571,frs:0,fid:129,fcid:28354312C60911E182A198E51454431A,legID:296,bguid:28354312C60911E182A198E51454431A

Jul  5 18:50:44.585: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent: 

SIP/2.0 200 OK

Via: SIP/2.0/UDP 10.0.0.112:29378;branch=z9hG4bK-d8754z-fbcb1966311d4207-1---d8754z-;rport

From: "Holbrook Bunting"<100>;tag=84161d22

To: <1571>;tag=3AFEE74-E5D

Date: Thu, 05 Jul 2012 18:50:44 GMT

Call-ID: MzgxMzg5MDIzN2Y3ZWYyNTBkYTQ4NDVkZTk3NzQ0NDA.

Server: Cisco-SIPGateway/IOS-12.x

CSeq: 2 BYE

Reason: Q.850;cause=16

Content-Length: 0

Jul  5 18:50:44.589: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Sent:

BYE sip:1571@10.0.0.10:5060 SIP/2.0

Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15D301

From: "Holbrook Bunting" <>100@sip.didlogic.net>;tag=3AFEE2C-808

To: <1571>;tag=as76eb1181

Date: Thu, 05 Jul 2012 18:50:43 GMT

Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5

User-Agent: Cisco-SIPGateway/IOS-12.x

Max-Forwards: 70

Timestamp: 1341514244

CSeq: 102 BYE

Reason: Q.850;cause=16

Content-Length: 0

Jul  5 18:50:44.601: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 200 OK

Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK15D301;received=10.0.0.5;rport=5060

From: "Holbrook Bunting" <>100@sip.didlogic.net>;tag=3AFEE2C-808

To: <1571>;tag=as76eb1181

Call-ID: 283DCE72-C60911E1-82A698E5-1454431A@10.0.0.5

CSeq: 102 BYE

Server: Asterisk PBX 1.8.14.0-rc1

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH

Supported: replaces, timer

Content-Length: 0

VIP Super Bronze

Restricting calls to different dial-peers

Well, are you saying that this x-lite phone is not registered to your ccme? I only asked for mac because the the authentication credential is defined on the phone and the phone is identified by the mac.  All the while i assume the phome is registered. If the phone is  not registered then afaik the only way to prevent this is to use ip address trust list as I mentioned earlier

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
New Member

Re: Restricting calls to different dial-peers

Hi,

the configuration area you should be looking at is called "Class of Restriction" or COR.

The COR implements a lock/key model where phone and dial-peers are given keys/locks definitions (essentially matching outgoing/incoming COR identifier).

I found the most understandable description of this in the (Cisco Press) book: "Cisco Voice Gateways and Gatekeepers" - Chapter 12.

This provides a much clearer description of how COR works that the ios example on Cisco site.... which are very hard to follow.

I am currently trying to solve a simillar problem via COR, so cannot provide definitive answer, but believe this the right place to start digging.

Cheers,

John.

New Member

Re: Restricting calls to different dial-peers

Hi John,

Thanks for the suggestion. I fiddled around a little with COR earlier, only placing one on the voicemail

extension and seeing what happened. From my observation, it looks like COR only works when it is

applied to a phone/dn. When there is no COR on one, it has unlimited access.

This is kind of an irony, that Cisco would develop a system like COR and ip restrictions, but leave such

a big hole. You go to the trouble of placing COR's in place, Employee John can't call India, but alas (as

long as SIP is running and he gets the CUCME ip from his phone), he loads up a SIP soft client onto

his workstation and presto, he can call India (so long as the dial-peer exists matching the dial patterm).

VIP Super Bronze

Restricting calls to different dial-peers

I have done a few research on this and I also found out that with SIP endpoints, the IP address trust authenticate I mentioned is ignored. So that is not even an option. The only other option is to use ACL.

ip extended access-list PREVENT_TOLL_FRAUD

permit tcp host (trusted_remote_ip/phone subnet) host (my_rtr_loopback_ip/ccme ip) eq 5060

Then apply it to your interface

interface

ip access-group PREVENT_TOLL_FRAUD in

Please rate all useful posts

"There is a wideness in God's mercy Like the wideness of the sea.There's a kindness in His justice Which is more than liberty"

Please rate all useful posts "The essence of christianity is not the enthronement but the obliteration of self --William Barclay"
816
Views
0
Helpful
14
Replies
CreatePlease to create content