Cisco Support Community
New Member

Restricting incoming calls from IP to PSTN

Hi guys,

I have a 5350 that runs like a charm. It receives IP calls (through dial-peers) and forwards them to the PSTN (E1 interface). Brilliant.

Now, I realise that if you (yes, you Mr Reader) send a call to the correct IP address and the correct prefix, I will terminate it for you :-( This is obviously a big security issue!

So, my question is the following: do I have a way to restrict or to limit the range of IP addresses from which we accept calls? And, side question, how can I do this? The idea is obviously to accept calls only from a restricted set of known IP addresses...

I am afraid that access-lists are not an option, because I can't restrict all the traffic. Only the signaling (SIP and H323) traffic should be limited... Otherwise the voice traffic (RTP) wouldn't go either...

Thanks in advance for your time,

Yves.

3 REPLIES

Re: Restricting incoming calls from IP to PSTN

Hi Yves,

I will tell you about two ways to do it:

1. Yes, you can do it with an access-list. But you will restrict only the "access" to the call signalling ports - 1720 for H323 and 5060 for SIP.

Thus, let the RTP flow freely if the call is established (let's say, if the caller was allowed to place a call on the signalling channel).

I have done this many times and it works.

2. You can put a TCL application on your voip dial-peer which will send an authentication request to a Radius server (with Username = Calling IP address) and you will authenticate that request with the help of a Radius server (Cistron Radius, FreeRadius, Radiator... any Radius server indeed).

If you are going to proceed with (2) - I can provide you freely with the TCL application.
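
An added example (not part of the reply above, and not the poster's own configuration) of the first option: an extended ACL that filters only H.323 call signalling (TCP 1720) and SIP (UDP and TCP 5060) and lets all other traffic, including RTP, through. The ACL name, the interface and the peer address 192.168.10.10 are assumptions for illustration.

```cisco
! Added example. ACL name, interface and peer address are assumptions.
ip access-list extended VOIP-SIGNALLING-IN
 remark Known peer may open call signalling to the gateway
 permit tcp host 192.168.10.10 any eq 1720
 permit udp host 192.168.10.10 any eq 5060
 permit tcp host 192.168.10.10 any eq 5060
 remark Everyone else is refused on the signalling ports only
 deny   tcp any any eq 1720 log
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark RTP and all other traffic are not filtered by this list
 permit ip any any
!
! Apply inbound on the IP-facing interface (assumed name)
interface FastEthernet0/0
 ip access-group VOIP-SIGNALLING-IN in
!
! Check hit counters on the deny lines with:
!  show access-lists VOIP-SIGNALLING-IN
```
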

New Member

Re: Restricting incoming calls from IP to PSTN

Hello.

I am interested in implementing the solution with the TCL. Could you send them to me?

Thanks in advance.

New Member

Re: Restricting incoming calls from IP to PSTN

Yves,

The way I have implemented this is using voice source groups. I would also suggest reading the Cisco Voice command reference for IOS version 12.3. Here is an example code snippet using cas-custom groups, trunk group, and voice source-group.

controller T1 7/0:10
 framing esf
 ds0-group 1 timeslots 1-24 type fgd-eana mf ani-dnis
 cas-custom 1
  trunk-group Yves-123-IB 1
 description Yves-123-IB, Dial-Peers 1,100
!
controller T1 7/0:11
 framing esf
 ds0-group 1 timeslots 1-24 type fgd-eana mf ani-dnis
 cas-custom 1
  trunk-group Yves-123-IB 2
 description Yves-123-IB, Dial-Peers 1,100
!
voice source-group Yves-123
 access-list 50
 disconnect-cause call-reject
 trunk-group-label target Yves-123-ACL-Permit
!
voice translation-rule 100
 rule 1 /^\(123\)/ //
!
voice translation-profile Yves-123
 translate called 100
!
trunk group Yves-123-IB
 max-calls voice 48 direction out
 max-retry 1
 hunt-scheme longest-idle both
 translation-profile outgoing Yves-123
!
dial-peer voice 1 pots
 trunkgroup Yves-123-IB
 destination-pattern 123T
 trunk-group-label target Yves-123-ACL-Permit
 direct-inward-dial
!
dial-peer voice 100 voip
 description Yves-123-IB
 incoming called-number 123T
 voice-class codec 101
 session protocol sipv2
 session target sip-server
 dtmf-relay rtp-nte
!
access-list 50 permit 192.168.10.10
