Cisco Support Community

H323 Security on SRST Enabled Routers

We are concerned with the ability of any internal user to use an H323 tool to access our remote site routers that are SRST enabled, for the purpose of making calls on POTS lines that bypass the Call Mgr. I have found that any active IP interface on such a router will accept an H323 connection from a software utility that I found on the Internet, and place a call as long as it matches an outbound dial peer. Since only the call manager should be using H323 to the SRST router, we have thought about using an inbound access-list that permits tcp/1720 from the call managers, then denies that port number from anything else (to router IPs); however, this does not seem so pretty.

Any suggestions for securing H323 on these devices would be appreciated.


Re: H323 Security on SRST Enabled Routers

You need to verify which ports are needed for IP communication and, based on that, you need to deny the ports.


Re: H323 Security on SRST Enabled Routers

Hi Dan,

I would say an ACL is a good option for securing your Voice GWs.

We have another option for securing GW communication.

Cisco routers can encrypt RTP voice traffic between the GW and IP Phone, and between 2 GWs...

They can also authenticate and encrypt their communications with CCM. Encryption of voice media and control payload is done via SRTP.

Encrypting communication with CCM is accomplished by IPSEC for MGCP and H323 GWs, and by TLS for SIP GWs. Encryption of the signalling between CCM or an SRST router and IP Phone uses TLS.
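
An added example, not part of the thread: because the question notes that any active IP interface accepts H.323, this Python sketch audits a router configuration and lists every interface with an IP address whose inbound ACL does not limit tcp/1720 to the call managers. The ACL name, addresses and interface names in the sample are constructed placeholders, and the parser only understands named extended ACLs with `host` sources.

```python
import re
# Constructed sample running-config; names and addresses are placeholders.
SAMPLE_CONFIG = """\
ip access-list extended H323-FROM-CCM
 permit tcp host 10.1.1.10 any eq 1720
 permit tcp host 10.1.1.11 any eq 1720
 deny tcp any any eq 1720 log
 permit ip any any
!
interface FastEthernet0/0
 ip address 10.20.0.1 255.255.255.0
 ip access-group H323-FROM-CCM in
!
interface FastEthernet0/1
 ip address 10.20.1.1 255.255.255.0
!
interface Serial0/0
 no ip address
"""

def parse(config):
    """Return ({acl: [entries]}, {interface: {"ip": bool, "acl_in": name}})."""
    acls, ifaces, cur = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur = acls.setdefault(m.group(1), [])
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"ip": False, "acl_in": None})
        elif not line.startswith(" "):
            cur = None  # left the ACL or interface block
        elif isinstance(cur, list):
            cur.append(line.split())
        elif isinstance(cur, dict) and re.match(r" ip address \d", line):
            cur["ip"] = True
        elif isinstance(cur, dict) and (m := re.match(r" ip access-group (\S+) in", line)):
            cur["acl_in"] = m.group(1)
    return acls, ifaces

def acl_limits_h323(entries, allowed):
    """True if tcp/1720 is permitted only from allowed hosts, then denied for all."""
    for e in entries:
        if e[:3] == ["permit", "tcp", "host"] and e[-2:] == ["eq", "1720"] and e[3] in allowed:
            continue  # call manager permit; keep walking in first-match order
        return e[:4] == ["deny", "tcp", "any", "any"] and e[4:6] == ["eq", "1720"]
    return False  # no ACL applied, or no explicit deny for tcp/1720

def exposed_interfaces(config, allowed):
    acls, ifaces = parse(config)
    return sorted(n for n, i in ifaces.items()
                  if i["ip"] and not acl_limits_h323(acls.get(i["acl_in"], []), allowed))
```

Any entry other than a call manager permit ahead of the tcp/1720 deny is treated as exposure, so the check errs toward flagging an interface.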


