01-30-2010 09:39 AM - edited 03-15-2019 09:15 PM
I set up a SIP-SIP gateway on a C2821. This C2821 routes all outbound calls from CUCM to an ITSP (both over SIP trunk). The C2821 itself does not act as a CME, i.e., there are no SCCP or SIP clients registered to it; in fact, I do not have any configuration that would allow an SCCP/SIP phone to register/authenticate. However, I found that a software SIP phone that has IP connectivity to this C2821 can register to it with a random username/directory number/password and therefore make outbound phone calls. I am puzzled, did I miss anything obvious?
01-30-2010 09:51 AM
Registering and making calls are two different things.
The phone probably is not registering, but yes, it is normal that if you do not put an ACL on the interface, anyone on the Internet will be able to toll-fraud you.
01-30-2010 10:10 AM
I would look at using ACLs to protect the solution from the network side. I would also look at implementing the security guidelines outlined in the following doc:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html
There is a way to restrict registration from phones (primarily SCCP).
With CME 4.x and later you can also enable Digest Authentication. I would think that using ACLs as the primary defence, configuring digest auth as a secondary, and then turning off/blocking/disabling other sub-features in CME would be the path you should look into.
Regards,
Bill
Please remember to rate helpful responses and identify
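The interface ACL suggested in the replies above could look like the following on a gateway with exactly two SIP peers. This is an added example, not configuration posted by anyone in the thread; the ACL name, the interface names and the addresses (documentation ranges standing in for the CUCM and ITSP peers) are assumptions.

```cisco
! Constructed addresses: 192.0.2.10 = CUCM, 198.51.100.20 = ITSP SIP proxy.
ip access-list extended SIP-SIGNALING-IN
 remark Allow SIP signaling only from the two known trunk peers
 permit udp host 192.0.2.10 any range 5060 5061
 permit tcp host 192.0.2.10 any range 5060 5061
 permit udp host 198.51.100.20 any range 5060 5061
 permit tcp host 198.51.100.20 any range 5060 5061
 remark Drop and log SIP signaling from every other source
 deny   udp any any range 5060 5061 log
 deny   tcp any any range 5060 5061 log
 remark Leave all other traffic (RTP media, routing, management) to existing policy
 permit ip any any
!
! Assumed interface names: apply inbound on every interface through which
! SIP can reach the router, inside as well as ITSP-facing.
interface GigabitEthernet0/0
 ip access-group SIP-SIGNALING-IN in
!
interface GigabitEthernet0/1
 ip access-group SIP-SIGNALING-IN in
```

After applying it, `show ip access-lists SIP-SIGNALING-IN` shows per-entry match counters, so hits on the two deny lines reveal signaling attempts from unexpected sources.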
01-30-2010 10:27 AM
Thank you both for the quick replies, I now understand where my problem was.