We recently upgraded one of our clients' UC520 to 20T2 and now they were recently notified by their ISP (Cbeyond) that there has been some International calling from their end. Here is the dial-peer for all incoming calls:
dial-peer voice 1000 voip
 description ** Incoming call from SIP trunk **
 translation-profile incoming CUE_Incoming
 voice-class codec 1
 voice-class sip dtmf-relay force rtp-nte
 session protocol sipv2
 session target sip-server
 incoming called-number .%
 ip qos dscp cs5 media
 ip qos dscp cs4 signaling
There is no "permission term" to prevent hairpinning, and I believe that "permission term" causes other issues. Have these issues been resolved? Or are there other solutions to prevent International calling fraud?
In CCA 1.9 we introduced a mechanism using a voice source group, to only allow calls from the IP of the ITSP. Additionally, we translate inbound calls into the site that start with the access code, to an undialable number. Almost never should you see inbound calls from the SIP side that start with your outbound access code.
Does this only work when you build a system from scratch via CCA 1.9? What needs to be done to the configuration if you upgraded an existing configuration using 1.9?
So, every customer that we recently upgraded to 20T2 also needs to have their dial-peers reconfigured using CCA 2.0? Is there anything else that was added to 1.9 and 2.0 that we need to be aware of that did not get reconfigured in the upgrade?
What are the commands that need to be added via CLI? Or is this something that is better done through CCA? If so, then are there instructions on how to modify the dial-peers so that no other configurations are altered via CCA?
The CLI looks something like this (126.96.36.199 is the SIP Proxy IP):
voice source-group CCA_SIP_SOURCE_GROUP
 translation-profile incoming SIP_Incoming
voice translation-rule 411
 rule 1 /^9\(.*\)/ /ABCD9\1/
voice translation-rule 412
 rule 1 /^ABCD\(.*\)/ /\1/
access-list 2 permit 188.8.131.52
access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.10.0 0.0.0.3
access-list 2 deny any
voice translation-profile SIP_Incoming
 translate called 411
voice translation-profile SIP_Passthrough
 translate called 412
dial-peer voice 1003 voip
 description ** Passthrough Inbound Calls from CUE **
 translation-profile incoming SIP_Passthrough
 session protocol sipv2
 session target ipv4:10.1.10.1
 incoming called-number ABCDT
There are additional checks that CCA adds, such as locking down the firewall on the WAN interface as well to only allow SIP traffic from specific IP addresses. Would recommend you use CCA to delete and re-add the SIP Trunk provider (you would need to re-add the inbound DID mapping and outbound dialplan settings) - this will give you the best results even if it's a bit more work.
The ACL is typically ACL 104 applied in the inbound direction on the FE0/0 interface. Make sure you have an entry to allow SIP traffic from the ITSP.
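The effect of translation rules 411 and 412 from the CLI above, as an added example that is not part of the original thread and not CCA's own code: a small Python model of the `\(...\)` / `\1` subset of IOS rule syntax used there, run on constructed called numbers. The access code 9 is read off rule 411; the function names and sample numbers are assumptions made for the illustration.

```python
import re

# Constructed excerpt: only the translation rules and profiles from the CLI above.
CONFIG = r"""
voice translation-rule 411
 rule 1 /^9\(.*\)/ /ABCD9\1/
voice translation-rule 412
 rule 1 /^ABCD\(.*\)/ /\1/
voice translation-profile SIP_Incoming
 translate called 411
voice translation-profile SIP_Passthrough
 translate called 412
"""

def parse(config):
    """Return (rules, profiles): rule id -> [(match, replace)], profile -> rule id."""
    rules, profiles, kind, name = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        head = re.match(r"voice translation-(rule|profile) (\S+)$", line)
        if head:
            kind, name = head.groups()
        elif kind == "rule" and (m := re.match(r"rule \d+ /(.*)/ /(.*)/$", line)):
            rules.setdefault(name, []).append(m.groups())
        elif kind == "profile" and (m := re.match(r"translate called (\S+)$", line)):
            profiles[name] = m.group(1)
    return rules, profiles

def to_python_regex(ios_pattern):
    # Assumption: only the \( \) grouping subset seen on this page is handled.
    return ios_pattern.replace(r"\(", "(").replace(r"\)", ")")

def translate_called(profile, number, config=CONFIG):
    """Apply the profile's 'translate called' rule set; the first matching rule wins."""
    rules, profiles = parse(config)
    for match, replace in rules.get(profiles.get(profile), []):
        pattern = to_python_regex(match)
        if re.search(pattern, number):
            return re.sub(pattern, replace, number, count=1)
    return number  # no rule matched: the called number passes through unchanged

def starts_with_access_code(number, access_code="9"):
    # Access code 9 is read off rule 411; a number that still starts with it
    # after inbound translation could match an outbound (PSTN) dial plan.
    return number.startswith(access_code)

if __name__ == "__main__":
    for called in ("9011445550100", "4085550100"):  # constructed numbers
        out = translate_called("SIP_Incoming", called)
        print(called, "->", out, "| hairpin risk:", starts_with_access_code(out))
```

An inbound called number that begins with 9 comes out prefixed with ABCD, so it no longer starts with the access code, while an ordinary DID passes through untouched; SIP_Passthrough strips the ABCD prefix again on the 1003 dial-peer.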