Cisco Support Community
New Member

Gateway to Gatekeeper Security

We have an application where we have a gateway terminating voice traffic from various gateways. All these calls are set up by a gatekeeper. The gateways are all registering with the gatekeeper with AAA authentication. This works fine.

However, we found that a gateway NOT registered with the Gatekeeper can still terminate calls to the Terminating Gateway. This is bad.

Is there a way to get the Gateway to terminate calls only if they are set up by the Gatekeeper? Also, we do not want to use IVR authentication for each call.

Thanks in Advance!

3 REPLIES
New Member

Re: Gateway to Gatekeeper Security

I think your only other option is to set up some access lists on the termination gateway. Of course, that is not scalable, and might even be impossible to implement. This problem mainly exists in environments under the supervision of a stateless gatekeeper such as Cisco's. My company makes a gatekeeper that can act as a stateful gatekeeper as well, and it provides all the needed security. Drop me a mail at epatasse@nextone.com and I can send you more on stuff to look into.

Cisco Employee

Re: Gateway to Gatekeeper Security

Hi

You can accomplish this by implementing IZCT security. Although usually implemented for interzone calls, it also will work within a zone. A gateway that is not registered with the gatekeeper will not be able to send a call to a terminating gateway that is, because the setup message will not have the required crypto token.

See:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122x/122xa/122xa_2/ft_ctoke.htm

for configuration guidelines.

It is quite simple to implement.

New Member

Re: Gateway to Gatekeeper Security

You know, I tried, but could not get it to work. So I figured it only works with 2 or more gatekeepers. I am using ATA 186s and an AS5300. Can the ATA send/forward such a token (this might need another topic posted for it)?

I have a single gatekeeper and when I turned IZCT on in the gatekeeper, all the ATAs stopped being able to call each other. Of course the AS5300 stopped accepting calls from an unregistered gateway as well, which is good.

Do I need to put any command changes in the gateways? Security commands?

Thanks
