Cisco Support Community
New Member

Securing CME on public IP

Hi experts!

I am struggling with securing a CME that has (and needs to have) a public-facing IP without any ACLs. The problem is that external SIP clients seem to be able to dial in and right back out again. I was hoping my translation-profile would stop this, but it skips the reject rules for some reason:

072804: Feb 21 08:55:28.315 CET:  //-1/5D0EB475B133/RXRULE/regxrule_match: Skipping a call block rule;  number=002972599979917 rule precedence=5

072805: Feb 21 08:55:28.315 CET:  //-1/5D0EB475B133/RXRULE/regxrule_match: Skipping a call block rule;  number=002972599979917 rule precedence=10

For now I have solved the issue by setting max-conn 1, hardly a good solution but it stops them for now. Any ideas why the rejects are skipped / other ways to do this? Basically what I would want is a rule that drops all incoming calls that are NOT dialed TO 2001/2002.

Relevant config:

voice translation-rule 1

rule 1 /2002/ /2001/

rule 2 reject /^$/

rule 5 reject /.*/

rule 10 reject //

!

voice translation-profile to7925

translate called 1

!

dial-peer voice 10 voip

description **Outgoing/incoming Call to SIP Trunk**

translation-profile incoming to7925

huntstop

max-conn 1

destination-pattern .T

session protocol sipv2

session target sip-server

incoming called-number .T

voice-class codec 1 

voice-class sip dtmf-relay force rtp-nte

dtmf-relay rtp-nte

ip qos dscp ef signaling

no vad

!

Debug of someone 'almost' dialing out.

Received:

INVITE sip:002972599979917@193.150.32.94 SIP/2.0

To: 002972599979917<sip:002972599979917@193.150.32.94>

From: 1111<sip:1111@193.150.32.94>;tag=620e6ab0

Via: SIP/2.0/UDP 188.165.249.72:5071;branch=z9hG4bK-d7b1fe31272c9f6b938545f32272feae;rport

Call-ID: d7b1fe31272c9f6b938545f32272feae

CSeq: 1 INVITE

Contact: <sip:1111@188.165.249.72:5071>

Max-Forwards: 70

Allow: INVITE, ACK, CANCEL, BYE

User-Agent: sipcli/v1.8

Content-Type: application/sdp

Content-Length: 284

v=0

o=sipcli-Session 1308866512 612268699 IN IP4 188.165.249.72

s=sipcli

c=IN IP4 188.165.249.72

t=0 0

m=audio 5074 RTP/AVP 18 0 8 101

a=fmtp:101 0-15

a=rtpmap:18 G729/8000

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

072721: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Calling Number=002972599979917, Called Number=002972599979917, Peer Info Type=DIALPEER_INFO_SPEECH

072722: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Match Rule=DP_MATCH_DEST; Called Number=002972599979917

072723: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=002972599979917T

   Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH

072724: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Outgoing Dial-peer=10 Is Matched

072725: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Result=Success(0) after DP_MATCH_DEST

072726: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=002972599979917, saf_enabled=1, saf_dndb_lookup=1, dp_result=0

072727: Feb 21 08:55:28.303 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersMoreArg:

   Result=SUCCESS(0)

   List of Matched Outgoing Dial-peer(s):

     1: Dial-peer Tag=10

072728: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Calling Number=1111, Called Number=, Voice-Interface=0x0,

   Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,

   Peer Info Type=DIALPEER_INFO_SPEECH

072729: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ANSWER; Calling Number=1111

072730: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072731: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=1111T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072732: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Result=-1

072733: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072734: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ORIGINATE; Calling Number=1111

072735: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072736: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=1111T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072737: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Incoming Dial-peer=10 Is Matched

072738: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072739: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Result=Success(0) after DP_MATCH_ORIGINATE; Incoming Dial-peer=10

072740: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0

072741: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeer:exit@6708

072742: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Calling Number=1111, Called Number=, Voice-Interface=0x0,

   Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,

   Peer Info Type=DIALPEER_INFO_SPEECH

072743: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ANSWER; Calling Number=1111

072744: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072745: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=1111T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072746: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Result=-1

072747: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072748: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ORIGINATE; Calling Number=1111

072749: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072750: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=1111T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072751: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Incoming Dial-peer=10 Is Matched

072752: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072753: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Result=Success(0) after DP_MATCH_ORIGINATE; Incoming Dial-peer=10

072754: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0

072755: Feb 21 08:55:28.307 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeer:exit@6708

072756: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Calling Number=1111, Called Number=002972599979917, Voice-Interface=0x0,

   Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,

   Peer Info Type=DIALPEER_INFO_SPEECH

072757: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_VIA_URI; URI=sip:188.165.249.72:5071

072758: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072759: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072760: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Result=-1

072761: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:exit@6080

072762: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_REQUEST_URI; URI=sip:002972599979917@193.150.32.94

072763: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072764: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072765: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Result=-1

072766: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:exit@6080

072767: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_TO_URI; URI=sip:002972599979917@193.150.32.94

072768: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072769: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072770: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Result=-1

072771: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:exit@6080

072772: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_FROM_URI; URI=sip:1111@193.150.32.94

072773: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072774: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072775: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Result=-1

072776: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:exit@6080

072777: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_INCOMING_DNIS; Called Number=002972599979917

072778: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072779: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072780: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/MatchNextPeer:

   Result=Success(0); Incoming Dial-peer=10 Is Matched

072781: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchPeertype:exit@6080

072782: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerCore:

   Result=Success(0) after DP_MATCH_INCOMING_DNIS; Incoming Dial-peer=10

072783: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpMatchSafModulePlugin:

   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0

072784: Feb 21 08:55:28.307 CET: //-1/5D0EB475B133/DPM/dpAssociateIncomingPeerSPI:exit@6659

072785: Feb 21 08:55:28.311 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SESSION_REFRESH_REQ

072786: Feb 21 08:55:28.311 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLMain: dir:2, method:102, resp_code:0, container:8F30F23C

072787: Feb 21 08:55:28.311 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLPrintTDContainer: Peer-Event: E_STSL_LEG_BY_LEG, SE Value:0, SE Refresher:none, Min-SE Value:1800, flags:2000

072788: Feb 21 08:55:28.311 CET: //-1/5D0EB475B133/RXRULE/regxrule_stack_pop_RegXruleNumInfo: stack=0x8F30D78C; count=1

072789: Feb 21 08:55:28.311 CET: //-1/5D0EB475B133/RXRULE/regxrule_stack_pop_callinfo_internal: numinfo=0x8F574050

072790: Feb 21 08:55:28.311 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SESSION_REFRESH_RESP

072791: Feb 21 08:55:28.311 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLMain: dir:1, method:102, resp_code:100, container:8F3113EC

072792: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_stack_push_RegXruleNumInfo_internal: stack=0x8F30D78C; count=1

072793: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_translate_internal: number=1111 type=unknown plan=unknown numbertype=calling

072794: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_get_RegXrule: Invalid translation ruleset tag=0

072795: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_match_internal: Error: ruleset for calling number not found

072796: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_translate_internal: No match: number=1111 type=unknown plan=unknown

072797: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_translate_internal: number= type=unknown plan=unknown numbertype=redirect-called

072798: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_get_RegXrule: Invalid translation ruleset tag=0

072799: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_match_internal: Error: ruleset for redirect-called number not found

072800: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_translate_internal: No match: number= type=unknown plan=unknown

072801: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_translate_internal: number=002972599979917 type=unknown plan=unknown numbertype=called

072802: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: No match; number=002972599979917 rule precedence=1

072803: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: No match; number=002972599979917 rule precedence=2

072804: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: Skipping a call block rule; number=002972599979917 rule precedence=5

072805: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: Skipping a call block rule; number=002972599979917 rule precedence=10

072806: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_match_internal: No match found

072807: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_profile_translate_internal: No match: number=002972599979917 type=unknown plan=unknown

072808: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/SIP/Event/sipSPIEventInfo: Queued event from SIP SPI : SIPSPI_EV_CC_CALL_PROCEEDING

072809: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Calling Number=, Called Number=002972599979917, Peer Info Type=DIALPEER_INFO_SPEECH

072810: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Match Rule=DP_MATCH_DEST; Called Number=002972599979917

072811: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=

   Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH

072812: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/MatchNextPeer:

   Result=Success(0); Outgoing Dial-peer=10 Is Matched

072813: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Result=Success(0) after DP_MATCH_DEST

072814: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchSafModulePlugin:

   dialstring=002972599979917, saf_enabled=0, saf_dndb_lookup=1, dp_result=0

072815: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersMoreArg:

   Result=SUCCESS(0)

   List of Matched Outgoing Dial-peer(s):

     1: Dial-peer Tag=10

072816: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Calling Number=, Called Number=002972599979917, Peer Info Type=DIALPEER_INFO_SPEECH

072817: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Match Rule=DP_MATCH_DEST; Called Number=002972599979917

072818: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=

   Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH

072819: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/MatchNextPeer:

   Result=Success(0); Outgoing Dial-peer=10 Is Matched

072820: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Result=Success(0) after DP_MATCH_DEST

072821: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchSafModulePlugin:

   dialstring=002972599979917, saf_enabled=0, saf_dndb_lookup=1, dp_result=0

072822: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/DPM/dpMatchPeersMoreArg:

   Result=SUCCESS(0)

   List of Matched Outgoing Dial-peer(s):

     1: Dial-peer Tag=10

072823: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Calling Number=002972599979917, Called Number=002972599979917, Peer Info Type=DIALPEER_INFO_SPEECH

072824: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Match Rule=DP_MATCH_DEST; Called Number=002972599979917

072825: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=002972599979917T

   Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH

072826: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Outgoing Dial-peer=10 Is Matched

072827: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Result=Success(0) after DP_MATCH_DEST

072828: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=002972599979917, saf_enabled=0, saf_dndb_lookup=1, dp_result=0

072829: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersMoreArg:

   Result=SUCCESS(0)

   List of Matched Outgoing Dial-peer(s):

     1: Dial-peer Tag=10

072830: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Calling Number=002972599979917, Called Number=, Voice-Interface=0x0,

   Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,

   Peer Info Type=DIALPEER_INFO_SPEECH

072831: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ANSWER; Calling Number=002972599979917

072832: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072833: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=002972599979917T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072834: Feb 21 08:55:28.315 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Result=-1

072835: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072836: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ORIGINATE; Calling Number=002972599979917

072837: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072838: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=002972599979917T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072839: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Incoming Dial-peer=10 Is Matched

072840: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072841: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Result=Success(0) after DP_MATCH_ORIGINATE; Incoming Dial-peer=10

072842: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0

072843: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeer:exit@6708

072844: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Calling Number=002972599979917, Called Number=, Voice-Interface=0x0,

   Timeout=TRUE, Peer Encap Type=ENCAP_VOIP, Peer Search Type=PEER_TYPE_VOICE,

   Peer Info Type=DIALPEER_INFO_SPEECH

072845: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ANSWER; Calling Number=002972599979917

072846: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072847: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=002972599979917T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072848: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Result=-1

072849: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072850: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Match Rule=DP_MATCH_ORIGINATE; Calling Number=002972599979917

072851: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:

   Is Incoming=TRUE, Number Expansion=FALSE

072852: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=, Expanded String=, Calling Number=002972599979917T

   Timeout=TRUE, Is Incoming=TRUE, Peer Info Type=DIALPEER_INFO_SPEECH

072853: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Incoming Dial-peer=10 Is Matched

072854: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeertype:exit@6080

072855: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeerCore:

   Result=Success(0) after DP_MATCH_ORIGINATE; Incoming Dial-peer=10

072856: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=NULL, saf_enabled=0, saf_dndb_lookup=0, dp_result=0

072857: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpAssociateIncomingPeer:exit@6708

072858: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Calling Number=, Called Number=002972599979917, Peer Info Type=DIALPEER_INFO_SPEECH

072859: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Match Rule=DP_MATCH_DEST; Called Number=002972599979917

072860: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=

   Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH

072861: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/MatchNextPeer:

   Result=Success(0); Outgoing Dial-peer=10 Is Matched

072862: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersCore:

   Result=Success(0) after DP_MATCH_DEST

072863: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchSafModulePlugin:

   dialstring=002972599979917, saf_enabled=0, saf_dndb_lookup=1, dp_result=0

072864: Feb 21 08:55:28.319 CET: //-1/xxxxxxxxxxxx/DPM/dpMatchPeersMoreArg:

   Result=SUCCESS(0)

   List of Matched Outgoing Dial-peer(s):

     1: Dial-peer Tag=10

072865: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Calling Number=, Called Number=002972599979917, Peer Info Type=DIALPEER_INFO_SPEECH

072866: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Match Rule=DP_MATCH_DEST; Called Number=002972599979917

072867: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/dpMatchCore:

   Dial String=002972599979917, Expanded String=002972599979917, Calling Number=

   Timeout=TRUE, Is Incoming=FALSE, Peer Info Type=DIALPEER_INFO_SPEECH

072868: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/MatchNextPeer:

   Result=Success(0); Outgoing Dial-peer=10 Is Matched

072869: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/dpMatchPeersCore:

   Result=Success(0) after DP_MATCH_DEST

072870: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/dpMatchSafModulePlugin:

   dialstring=002972599979917, saf_enabled=1, saf_dndb_lookup=1, dp_result=0

072871: Feb 21 08:55:28.319 CET: //-1/5D0EB475B133/DPM/dpMatchPeersMoreArg:

   Result=SUCCESS(0)

   List of Matched Outgoing Dial-peer(s):

     1: Dial-peer Tag=10

072872: Feb 21 08:55:28.319 CET: %CALL_CONTROL-6-MAX_CONNECTIONS: Maximum number of connections reached for dial-peer 10

072873: Feb 21 08:55:28.319 CET: %VOICE_IEC-3-GW: CCAPI: Internal Error (Dial-peer connections exceeded): IEC=1.1.181.1.21.0 on callID 11130 GUID=5D0EB4759A0411E3B133CA4C5AF21A6F

072874: Feb 21 08:55:28.323 CET: //-1/xxxxxxxxxxxx/SIP/Event/sipSPIEventInfo: Queued event from SIP SPI : SIPSPI_EV_CC_CALL_DISCONNECT

072875: Feb 21 08:55:28.323 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLMain: Event: E_STSL_SESSION_REFRESH_RESP

072876: Feb 21 08:55:28.323 CET: //11130/5D0EB475B133/SIP/Event/Session-Timer/sipSTSLMain: dir:1, method:102, resp_code:500, container:8F30EAAC

072877: Feb 21 08:55:28.323 CET: //11130/5D0EB475B133/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 100 Trying

Via: SIP/2.0/UDP 188.165.249.72:5071;branch=z9hG4bK-d7b1fe31272c9f6b938545f32272feae;rport

From: 1111<sip:1111@193.150.32.94>;tag=620e6ab0

To: 002972599979917<sip:002972599979917@193.150.32.94>

Date: Fri, 21 Feb 2014 07:55:28 GMT

Call-ID: d7b1fe31272c9f6b938545f32272feae

CSeq: 1 INVITE

Allow-Events: telephone-event

Server: Cisco-SIPGateway/IOS-15.3.2.T1

Content-Length: 0

072878: Feb 21 08:55:28.323 CET: //11130/5D0EB475B133/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 500 Internal Server Error

Via: SIP/2.0/UDP 188.165.249.72:5071;branch=z9hG4bK-d7b1fe31272c9f6b938545f32272feae;rport

From: 1111<sip:1111@193.150.32.94>;tag=620e6ab0

To: 002972599979917<sip:002972599979917@193.150.32.94>;tag=CA5471C-EF1

Date: Fri, 21 Feb 2014 07:55:28 GMT

Call-ID: d7b1fe31272c9f6b938545f32272feae

CSeq: 1 INVITE

Allow-Events: telephone-event

Warning: 399 193.150.32.94 "Maximum Number of Connections reached"

Server: Cisco-SIPGateway/IOS-15.3.2.T1

Reason: Q.850;cause=44

Content-Length: 0
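Added example, not part of the original post and not Cisco tooling: a Python script that reads this kind of `debug ccsip messages` / translation-rule debug output and reports every call whose called number is outside the allowed set, together with the reject-rule precedences the gateway logged as skipped. The names `ALLOWED_CALLED`, `audit` and the other helpers are hypothetical; the sample lines are copied from the debug above, except the line tagged `AAAAAAAAAAAA`, which is constructed.

```python
import re

ALLOWED_CALLED = {"2001", "2002"}  # assumption: the only numbers callers may reach

# Lines copied from the debug output in the post, plus one constructed line
# (call tag AAAAAAAAAAAA) standing in for a legitimate call to extension 2001.
SAMPLE_LOG = """\
Received:
INVITE sip:002972599979917@193.150.32.94 SIP/2.0
Via: SIP/2.0/UDP 188.165.249.72:5071;branch=z9hG4bK-d7b1fe31272c9f6b938545f32272feae;rport
User-Agent: sipcli/v1.8
072802: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: No match; number=002972599979917 rule precedence=1
072803: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: No match; number=002972599979917 rule precedence=2
072804: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: Skipping a call block rule; number=002972599979917 rule precedence=5
072805: Feb 21 08:55:28.315 CET: //-1/5D0EB475B133/RXRULE/regxrule_match: Skipping a call block rule; number=002972599979917 rule precedence=10
072872: Feb 21 08:55:28.319 CET: %CALL_CONTROL-6-MAX_CONNECTIONS: Maximum number of connections reached for dial-peer 10
080001: Feb 21 09:10:02.101 CET: //-1/AAAAAAAAAAAA/RXRULE/regxrule_match: No match; number=2001 rule precedence=1
"""

RECORD = re.compile(r"^\d{6}: ")                       # start of an IOS debug record
INVITE = re.compile(r"^INVITE sip:([^@\s]+)@\S+ SIP/2\.0")
VIA = re.compile(r"^Via: SIP/2\.0/\w+ ([\d.]+):\d+")
RXRULE = re.compile(
    r"//-1/(\w+)/RXRULE/regxrule_match: "
    r"(No match|Skipping a call block rule);\s+number=(\S*) rule precedence=(\d+)")


def parse_invites(log):
    """Return called number, top Via host and User-Agent for each INVITE seen."""
    invites, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = INVITE.match(line)
        if m:
            current = {"called": m.group(1), "via_host": None, "user_agent": None}
            invites.append(current)
        elif RECORD.match(line) or line in ("Sent:", "Received:"):
            current = None                              # previous message has ended
        elif current is not None:
            via = VIA.match(line)
            if via and current["via_host"] is None:     # keep the topmost Via only
                current["via_host"] = via.group(1)
            elif line.startswith("User-Agent:"):
                current["user_agent"] = line.split(":", 1)[1].strip()
    return invites


def parse_rule_trace(log):
    """Group translation-rule verdicts by (call tag, number)."""
    calls = {}
    for tag, verdict, number, prec in RXRULE.findall(log):
        entry = calls.setdefault((tag, number), {"no_match": [], "skipped_reject": []})
        key = "skipped_reject" if verdict.startswith("Skipping") else "no_match"
        entry[key].append(int(prec))
    return calls


def max_conn_events(log):
    """Dial-peer tags for which the max-conn limit fired (log-wide, not per call)."""
    return re.findall(r"%CALL_CONTROL-6-MAX_CONNECTIONS: .*dial-peer (\d+)", log)


def audit(log, allowed=ALLOWED_CALLED):
    """List calls to numbers outside `allowed`, with the reject rules that were skipped."""
    invite_by_number = {i["called"]: i for i in parse_invites(log)}
    findings = []
    for (tag, number), trace in parse_rule_trace(log).items():
        if number in allowed:
            continue
        invite = invite_by_number.get(number, {})       # joined on the called number
        findings.append({
            "call": tag,
            "called": number,
            "via_host": invite.get("via_host"),         # claimed by the sender
            "user_agent": invite.get("user_agent"),
            "reject_rules_skipped": trace["skipped_reject"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print("max-conn fired on dial-peer(s):", max_conn_events(SAMPLE_LOG))
```

A non-empty `reject_rules_skipped` list means the reject rules were present but not enforced for that call, which is the condition the post describes; the Via host and User-Agent are values supplied by the sender and are useful for grouping attempts, not for attribution.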

11 REPLIES
Silver

Why don't you configure "ip trusted list" under "voice service voip" configuration? Is that going to help you?

HTH,
Dragan

New Member

Unfortunately I have SIP clients coming in from the outside on dynamic IPs (another dial-peer with authentication that I omitted).

Silver

Could you post the running config? Or maybe that specific dial-peer? Are those SIP clients registered on your CME system?

HTH,
Dragan

New Member

Here you go, however it is shutdown until I am able to solve the security issue with dial-peer 10.

dial-peer voice 2 voip

description **Outgoing Call to SIP Trunk**

shutdown

destination-pattern T

session protocol sipv2

session target sip-server

voice-class codec 1 

voice-class sip dtmf-relay force rtp-nte

dtmf-relay rtp-nte

ip qos dscp ef signaling

no vad

authentication username xxxxxxxxx password 7 xxxxxxxxxxx

Silver

And the SIP clients which you must allow in - are they registered on your CME system?

I have a problem understanding why you can't configure "ip trusted list" on your system.

HTH,
Dragan

New Member

No, they are not registered; however, they need to be able to place outgoing calls every now and then (with the help of username & password).

Silver

Can you show me the path by which those SIP clients, external or whatever, are using your CME system? Do they come in through your existing SIP trunk or something else? What exactly is your scenario?

You are using SIP trunk with some SIP provider for incoming/outgoing calls?

HTH,
Dragan

New Member

This is kinda besides the point but sure:

Internal registered phones dial out through a SIP trunk via my SIP provider (phonzo) (via dial-peer 10)

External clients use my CME as SIP provider and should also dial out via phonzo.

However none of this is a problem. Everything works great. The issue at hand is stopping hackers from using dial-peer 10 to get free calls (without using access-lists or ip trusted list).

Silver

New Member

So what you are saying is that neither a translation-profile with reject nor a call-block would be able to solve this? (only allow incoming calls on dial-peer 10 with destination 2001 or 2002)

Silver

It depends on the SIP implementation... it could solve it, but I can't say for sure because I don't know your environment.

You see - some SIP providers' implementations require that you have TCL scripts on the router for inbound calls, and some do not.

My opinion is that you can achieve what you want with translations, but I can't help much without deep knowledge of your environment...

HTH,
Dragan
