
Finding IP address of telepresence system from internet address

Hello! My situation is as follows.

 

  1. One standalone SX-20 system natted to a public IP address.
  2. The system can successfully place/receive video calls to and from other telepresence systems on the internet by dialling IP addresses.

 

Problem:

For security reasons my client does not use default routes so they manually add the routes to any given IP address whenever they want to place calls to specific telepresence systems. Now they want to make calls to a system for which we only have internet address (e.g. boardroom@cisco.com) and not the IP address. Given that no IP route has been configured, the call won't go through. So now the challenge is to find IP address which we can use to dial to that system.

 

Question:

Where can I find the IP address from having just the internet address? I need to manually configure the route to that system.

 

I look forward to your response. Suggestions are also accepted.

2 REPLIES


Systems using the format of Alias@domain such as your example will normally be registered to a gatekeeper and/or a SIP registrar; i.e. VCS, CUCM etc and will normally not be reachable by using an IP address.

(We use this dialling format and you will not be able to connect to us using the IP address of any of our systems).

If they are using a VCS-E, then they have the ability to provide a "fall-back alias function" which allows an external user to dial the IP address of the VCS-E, which will then send the call to a predetermined alias, but you'll need to contact them to get that information.

Systems registered with a GK etc might not even have a public IP address (ours don't), so you wouldn't be able to do anything with it anyway, even if you did know the IP address.

You should be able to find the IP address of the device they are registered to, if that is of any help, by looking up their H.323 and/or SIP SRV records.

/jens

Please rate replies and mark question(s) as "answered" if applicable.


I assume that Jens did not fully understand the question (or maybe I did not ;-))

 

From how I see it he is not necessarily asking for the IP address to dial it, but for the IP address to call it.

 

Cisco is a quite complex example.

 

The endpoint supports SRV dialing, even without being registered. That means he could dial boardroom@cisco.com.

 

As long as a DNS server is present, it would look up the SRV records of Cisco (which goes only to the DNS servers which are configured on the endpoint).

This (most likely a VCS) IP address returned by the SRV request would need to be present in the route / firewall configuration.

If you are lucky that one is enough, but that first VCS might even redirect him to different one(s), which also need to be present in the routes. And if the call is finally established, media (and in some scenarios maybe even signaling) might then in addition come from another IP.

In addition, these IP addresses might be different on different calls, even to the same destination (load balancing, different routes, ...).

You can see parts of these IPs in the DNS answers, the rest in the signaling, so you could figure out the ports by looking at traces or sniffing on the endpoint or on your router.

 

 

Regarding IP dialing, I did not check, but Cisco might even have DN (Tandberg Naming e164) numbers for all endpoints, which then even might be directly dialable, but anyhow, besides the DNS lookup it's the same issue with possible multiple IPs.

 

It also might behave differently depending on the protocol used and some other parameters, ...

 

If they have a non-firewalled route in from the internet to the endpoint, inbound packets will arrive at that endpoint anyhow, whether it's ICMP, TCP-SYN or, possibly worst, UDP, which might already be enough to try a DoS or to exploit some bug if present.

 

To be honest, I do not think that this is a really clever security approach, nor a clever way to do video conferencing. Either I would put a firewall up front and completely separate the device from the network, or place it behind a firewall and register it to a call control (like a VCS-E or CUCM+Expressway), which could also be provided by a third party as a service, or, if he has plenty of endpoints, do a proper call control implementation on site.

These could control as well which addresses are allowed to call / be called.

 

 

Please remember to rate helpful responses and identify
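The SRV lookup both replies describe, as an added example that is not part of the original thread: it turns an alias@domain address into the signaling addresses that would need a route or firewall entry. The zone data, host names and documentation-range IPs are constructed, and the resolver is injected so a real DNS client can replace the sample tables; redirects and media addresses, which the reply notes may differ per call, do not appear in SRV answers and are not covered.

```python
# Added example: constructed DNS data, documentation-range addresses (RFC 5737).
import ipaddress

# SRV service labels used for SIP (RFC 3263) and H.323 (Annex O) call routing.
SRV_LABELS = ["_sips._tcp", "_sip._tcp", "_sip._udp",
              "_h323cs._tcp", "_h323ls._udp"]

# Constructed zone data standing in for real DNS answers.
# SRV tuples are (priority, weight, port, target).
SAMPLE_SRV = {
    "_sip._tcp.example.com": [(20, 0, 5060, "vcse2.example.com"),
                              (10, 0, 5060, "vcse1.example.com")],
    "_h323cs._tcp.example.com": [(10, 0, 1720, "vcse1.example.com")],
}
SAMPLE_A = {
    "vcse1.example.com": ["192.0.2.10"],
    "vcse2.example.com": ["192.0.2.20", "198.51.100.7"],
}

def signaling_targets(uri, srv_lookup, a_lookup):
    """Return (ip, port, proto, priority) rows for alias@domain, best first."""
    domain = uri.rsplit("@", 1)[-1].lower()
    rows = set()
    for label in SRV_LABELS:
        proto = label.rsplit("_", 1)[-1]          # "tcp" or "udp"
        for prio, _weight, port, target in srv_lookup(f"{label}.{domain}"):
            for ip in a_lookup(target.rstrip(".")):
                rows.add((str(ipaddress.ip_address(ip)), port, proto, prio))
    # Lower SRV priority is tried first (RFC 2782).
    return sorted(rows, key=lambda r: (r[3], ipaddress.ip_address(r[0]), r[1]))

def host_routes(targets):
    """Distinct /32 prefixes covering every signaling address found."""
    ips = sorted({ipaddress.ip_address(t[0]) for t in targets})
    return [f"{ip}/32" for ip in ips]

def lookup_sample(uri):
    # Missing records return an empty list, as an NXDOMAIN answer would.
    return signaling_targets(uri,
                             lambda n: SAMPLE_SRV.get(n, []),
                             lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    found = lookup_sample("boardroom@example.com")
    for ip, port, proto, prio in found:
        print(f"prio {prio:>3}  {ip}:{port}/{proto}")
    print("routes:", host_routes(found))
```

Because the answers can change between calls, the lookup has to be repeated and the route list reconciled rather than configured once.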
