Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VCS CPL rule filtering IP address

Hi all,

 

I have a CPL script that change every incoming alias from Internet to the alias of MCU auto-attendant.

But I would like to allow knwon sites, identified with their IP address, to directly call to internal endpoints.

 

I found I can check with an <address switch> but I coulnd find how to test IP Address. Only aliases are checked.

 

Do you know it is possible to filter endpoints with CPL, based on IP address?


Regards,

Guillaume

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

As far as I am aware, there

As far as I am aware, there is no way to filter by IP address in the reduced CPL that is implemented on the VCS/Expressway.

Is there a reason why you can't filter by alias instead of IP address? When it comes to hacking, spoofing IP addresses is just as easy as aliases, so that really does not provide any additional layer of security.

I would probably just add additional rules for each alias you want to have the ability to call inside, or if they are coming from a specific domain, the (.*)@domain will be a catch all to those from another expressway or equivalent.

Otherwise, if you must use IP address filtering, you would have to do it in the firewall, by making a set of rules to block all IP addresses, then making another rule for the desired IP address, set it to allow, and make it higher priority than the first rule. Then delete your CPL.

I would probably not go that direction, as it would be very limiting, and the firewall rules in the expressway are a pain to configure. (also would still leave you vulnerable to IP address spoofing)

4 REPLIES
New Member

Correct, but for H323 calls

Correct, but for H323 calls across the internet, their alias would normally be their public IP address

Replace 0.0.0.0 with the IP address

 

    <!-- allow calls originating from IP address 0.0.0.0 -->
    <taa:rule origin="0.0.0.0" destination=".*">
      <proxy />
    </taa:rule> 

 

If their incoming alias is not their public IP address, post up a network log from the expressway from one of these calls, so i can see what's going on

New Member

Hi Derek,Thanks for your

Hi Derek,

Thanks for your reply.

It seems the remote endpoint don't use its IP address as alias. I check the network/CPL debug logs, and could notice each CPL rules is tested and none works (every line ends with "no matched".

On each on these log lines testing the rules, I can see the IP address in "remote-IP" parameter... so the VCS has got the information, but I can't find the right way to exploit it.

 

Regards,

 

Guillaume

New Member

As far as I am aware, there

As far as I am aware, there is no way to filter by IP address in the reduced CPL that is implemented on the VCS/Expressway.

Is there a reason why you can't filter by alias instead of IP address? When it comes to hacking, spoofing IP addresses is just as easy as aliases, so that really does not provide any additional layer of security.

I would probably just add additional rules for each alias you want to have the ability to call inside, or if they are coming from a specific domain, the (.*)@domain will be a catch all to those from another expressway or equivalent.

Otherwise, if you must use IP address filtering, you would have to do it in the firewall, by making a set of rules to block all IP addresses, then making another rule for the desired IP address, set it to allow, and make it higher priority than the first rule. Then delete your CPL.

I would probably not go that direction, as it would be very limiting, and the firewall rules in the expressway are a pain to configure. (also would still leave you vulnerable to IP address spoofing)

New Member

Hi Derek, You confirm what I

Hi Derek,

 

You confirm what I tought.

The IP-based filtering was specifically requested from the customer, even after we had seen the H323 alias would be an (at least) equivalent solution.

Regards,

Guillaume

401
Views
0
Helpful
4
Replies
CreatePlease to create content