Cisco CCA Tool SIP Security methods



Similar documents
Cisco IOS SIP Configuration Guide

Let's take a look at another example, which is based on the following diagram:

Cisco ISDN PRI to SIP Gateway

and 2, implemented With Cisco Unified Border Control Element (CUBE)

EarthLink Business SIP Trunking. Cisco Call Manager and Cisco CUBE Customer Configuration Guide

Cisco Voice Gateways. PacNOG6 VoIP Workshop Nadi, Fiji. November Jonny Martin - jonny@jonnynet.net

nexvortex Setup Guide

AT&T IP Flex Reach/ IP Toll Free Configuration Guide IC 3.0 with Interaction SIP Proxy

Direct Inward Dial Digit Translation Service

ADTRAN SBC and Cisco Unified Call Manager SIP Trunk Interoperability

Implementing Cisco Voice Communications and QoS

SIP Trunking using Optimum Business SIP Trunk Adaptor and the Cisco Call Manager Express Version 8.5

CVOICE - Cisco Voice Over IP

Implementing Cisco IOS Telephony and Unified Communications Express (IITUCX)

Implementing Cisco IOS Telephony and Unified Communications Express (IITUCX)

Cisco CME SIP Trunk Configuration

How to Configure the Cisco UC500 for use with Integra Telecom SIP Solutions

IMPLEMENTING CISCO IOS TELEPHONY AND UNIFIED COMMUNICATIONS EXPRESS (IITUCX)

Cisco Unified Communications 500 Series

Dial Peer. Example: Dial-Peer Configuration

ADTRAN SBC and Avaya IP Office PBX SIP Trunk Interoperability

CVOICE Exam Topics Cisco Voice over IP Exam # /14/2005

Enabling NAT and Routing in DGW v2.0 June 6, 2012

NetVanta 7100 Exercise Service Provider SIP Trunk

Version dated 25/11/ Course Title. NATO Voice over IP Foundation Course. 2.Identification Number (ID) 3. Purpose of the Course

Q&A. DEMO Version

Integrating Skype for SIP with UC500

This topic describes dial peers and their applications.

Frequently Asked Questions about Integrated Access

Introducing Cisco Voice and Unified Communications Administration Volume 1

1 SIP Carriers Warnings Vendor Contact Vendor Web Site : Versions Verified SIP Carrier status as of 9/11/2011

Note: As of Feb 25, 2010 Priority Telecom has not completed FXS verification of fax capabilities. This will be updated as soon as verified.

2N NetStar. 2N NetStar as a PBX Booster. Quick guide. Version 1.00

Configuring SIP Registration Proxy on Cisco UBE

Specialist IP Office Implement Elective Exam 132-S Study Guide

Dial Peer Configuration Examples

Configuring the Sonus SBC 2000 with Cisco Unified Call Manager 10.5 for Verizon Deployment

IMPLEMENTING CISCO VOICE COMMUNICATIONS AND QOS Volume 1

Cisco Unified CME Basic Automatic Call Distribution and Auto-Attendant Service

SIP Trunking. Cisco Press. Christina Hattingh Darryl Sladden ATM Zakaria Swapan. 800 East 96th Street Indianapolis, IN 46240

AudioCodes Mediant 1000 Configuration Guide

How To Use Cisco Cucm For A Test Drive

: Introducing Cisco Voice and Unified Communications Administration (ICOMM) v8.0 Course Introduction

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

SIP Trunking Configuration Guide for Cisco Unified Communications Manager (CUCM) Version with Cisco Unified Border Element (CUBE)

2N OfficeRoute. 2N OfficeRoute & Siemens HiPath (series 3000) connected via SIP trunk. Quick guide. Version 1.00

IIUC Implementing Cisco IOS Unified Communications (IIUC) Version: Demo. Page <<1/9>>

Application Note - IP Trunking

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

With 360 Cloud VoIP, your company will benefit from more advanced features:

ADTRAN SBC and Cisco Call Manager Express SIP Trunk Interoperability

ESI SIP Trunking Installation Guide

8 Port Modular IP PBX Solution 8 Port IP PBX + SIP Gateway System IPG-80XG

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Customer Guide. BT Business - BT SIP Trunks. BT SIP Trunks: Firewall and LAN Guide. Issued by: BT Business Date Issue: v1.

Smart Business Communications System. Unified Communications 500. SBCS/UC500 First Look. Hands On Technical Training Lab Guide

Gateways and Their Roles

Call Setup and Digit Manipulation

Avaya one-x Quick Edition Interoperability with Cisco Integrated Services Router (ISR) SIP Gateway - Issue 1.0

Implementing Cisco IOS Unified Communications (IIUC)

Implementing Cisco IP Telephony & Video, Part 1 CIPTV1 v1.0; 5 Days; Instructor-led

Table of Contents. Cisco Mapping Outbound VoIP Calls to Specific Digital Voice Ports

- Basic Voice over IP -

ehealth and VoIP Overview

QoS (Quality of Service)

Voice Call Flow Overview

SmartPTT Tutorial Telephone Interconnect

Fonality. Optimum Business Trunking and the Fonality Trixbox Pro IP PBX Standard Edition V p13 Configuration Guide

Application Notes Rev. 1.0 Last Updated: February 3, 2015

Configuring Voice over IP

New Features in CUCM 9.0

SIP Trunking Quick Reference Document

Network Connection Considerations for Microsoft Response Point 1.0 Service Pack 2

Cisco Integrating Cisco Unified Communications Applications v8.0 (CAPPS v8.0) Version: 6.0

Special-Purpose Connections

SIP Trunking Configuration Guide for Barracuda Phone System Release 3.x. Document Version 0.5

IP PBX. SD Card Slot. FXO Ports. PBX WAN port. FXO Ports LED, RED means online

Application Notes Rev. 1.0 Last Updated: January 9, 2015

Cisco Unified Communications 500 Series Model 560 for Small Business

IP Telephony Deployment Models

"Charting the Course... Implementing Cisco IP Telephony & Video, Part 1 v1.0 ( CIPTV1 ) Course Summary

Configuring an efficient QoS Map

Operation Manual Voice Overview (Voice Volume) Table of Contents

Outbound Option Installation: SIP Dialer

Integrating VoIP Phones and IP PBX s with VidyoGateway

Configuring VoIP Call Setup Monitoring

Validated Integrations: CUCM 10.x with xic version 4.0 SU-6 (support included for all 4.0 SU s) Version 4.08

Cisco Voice over IP

Design & Implementation of SIP Trunking using Cisco s Session Border Controllers

IP Implementation in Private Branch Exchanges From 9:30 a.m until 4:30 p.m (7 hrs./day) 5 days / week

Eliminating cost and complexity with hosted VoIP

Implementing Cisco IP Telephony & Video, Part 1

Implementing Cisco Unified Communications Manager Part 1 Course IPT1 v9.0; 5 Days, Instructor-led

3CX Guide sip.orbtalk.co.uk

CIPT1_8- Implementing Cisco Unified Communications Manager Part 1

Implementing Cisco Collaboration Devices CICD v1.0; 5 Days; Instructor-led

Siemens OpenScape Voice V7 SIP Connectivity with OpenScape SBC V7. to Integra SIP Service

Telco Depot IP-PBX Software Features

Configuring SIP Trunking and Networking for the NetVanta 7000 Series

Transcription:

Cisco CCA Tool SIP Security methods The Cisco CCA tool (Cisco Configuration Assistant) provides a graphical interface for configuring the UC500 series devices. Once settings have been established using the tool, the built-in scripting engine configures the IOS based routing components, CUCME (Cisco Unified Call Manager Express) and CUE (Cisco Unity Express Voicemail) and its use is a quick way to set up the phone system. The UC500 falls within Cisco s Small Business range of phone systems and components are drawn from Cisco s enterprise voice suite. When a SIP Trunk is configured on a Cisco IOS device, some very powerful VoIP routing features are enabled. The CCA team have ensured that the configuration script sent to the router results in the end configuration being highly secure. A secure configuration is necessary when connecting the unit (or any other brand PBX system) to an open network such as the Public Internet. Since the UC500 devices run Cisco IOS, they can be configured from the command line (CLI) as well as CCA. It is therefore important to understand the underlying security techniques used by CCA to avoid these inadvertently being disabled. This has been known to happen, typically when an engineer troubleshoots an inbound calling issue and the end result can be an increased risk of exposure to a toll fraud attack. A telephone number associated with a company s main office is known as the pilot number. A telephone number associated with an individual person is known as a DDI or Direct-Dial-Inwards. In the United States, a similar term DID or Direct Inward Dial is used. In either case the expressions deal with inbound numbers and their use can often also refer to the pilot number. VoIP protocol translator The UC500 runs a version of Call Manager Express. This software is contained within IOS and runs on the main CPU, controlling the telephones SIP and SCCP, call routing, call queuing, conferencing and so on. There is also another CPU on an internal hardware module and this module runs a package known as CUE (Cisco Unity Express). CUE is typically used for voicemail and the Auto attendant. In order for a telephone call to be routed to the CUE module from a SIP trunk, a very powerful function is enabled on the router. This turns the router into a voice-call router, and the router now routes phone calls as well as IP packets. Enabled as part of the CUCME/CUE package is SIP->SIP call routing, but also SIP ->H323 ; H323 -> SIP and H323 -> H323. H323 is used as part of the call queuing processes internally. The UC500 is a VoIP protocol translator and the control of how calls are routed is set by the unit s configuration.

Four Security techniques CCA configures four features which control whether or not calls are processed, and if they re processed how they re routed. Feature One Dial-Peer permission term When a call arrives on a UC500 it is processed by a piece of configuration called an inbound dial-peer. Each configured DDI is matched with an inbound dial-peer and after processing is routed to the appropriate destination, eg Hunt group, CUE module, extension, or queue as appropriate. There is a special inbound dial-peer, often numbered by CCA as dial-peer 1000 which matches ALL incoming calls unless there is a better match. A better match is made if a DDI number has been configured. UC_540#show run sec dial-peer voice 1000 dial-peer voice 1000 voip permission term description ** Incoming call from SIP trunk (Generic SIP Trunk Provider) session protocol sipv2 session target sip-server incoming called-number.% voice-class codec 1 voice-class sip dtmf-relay force rtp-nte dtmf-relay rtp-nte ip qos dscp cs5 media ip qos dscp cs4 signaling no vad This special dial-peer has the configuration line permission term. This causes all calls processed by the dial-peer to be dropped. For a SIP call, the response to the sender is a 500 Internal Server Error, which is likely to make a PSTN caller be disconnected, without a meaningful number busy tone. The special dial-peer protects the system by the logic If I don t know about this incoming DDI I m going to assume it s arriving maliciously and I m not going to route out via an outbound dial-peer perhaps to the SIP service provider or ISDN Circuit Hint. Make sure you configure all your DDI numbers in CCA. CCA will create a series of inbound dial-peers and make sure incoming calls are processed properly. Do not be tempted to remove the permission term from the special inbound dial-peer. Make sure all DDI s are correctly configured.

Feature Two Voice Source Groups: Calls prefixed with ABCD A voice source group takes a set of voice sources and treats them in a way defined by some configuration. A source would be identified by its signaling IP address. Multiple source groups can be configured on a UC500. If a voice source group is configured and if a call is received from a source which is not contained within ANY voice source group, then the call is rejected. With an incoming SIP call the router responds back to the source with a 500 Internal Server Error. The voice source group feature protects the system by the logic If I don t know about this IP speaker, I m going to assume it s arriving maliciously and I m not going to route out via an outbound dial-peer perhaps to the SIP service provider or ISDN Circuit CCA defines two source groups, one for internal sources i.e. CUE module & internal LAN and one for external sources i.e. the SIP Service Provider. The voice source group script is processed before the inbound dial-peer is inspected and a number translation tags calls arriving from the CUE module IP, by prefixing calls with the letters ABCD. Another special inbound dial-peer matching calls starting ABCD strips off these letters and lets the call route out as normal. This works around the permission term feature which would normally catch calls from CUE if they were destined to go to some random PSTN / extension number. A voice source is matched to a voice source group by matching the IP address with an IP Access List. CCA typically uses access-list 2 for internal IP address and access-list 3 for external. voice source-group CCA_SIP_SOURCE_GROUP_CUE_CME access-list 2 translation-profile incoming SIP_Incoming!(adds prefix ABCD)! voice source-group CCA_SIP_SOURCE_GROUP_EXTERNAL access-list 3 dial-peer voice 1003 voip description ** Passthrough Inbound Calls for PSTN from CUE ** translation-profile incoming SIP_Passthrough!(Strips off ABCD) b2bua session protocol sipv2 session target ipv4:10.1.10.1 incoming called-number ABCDT dtmf-relay rtp-nte codec g711ulaw no vad

Hint. Incoming call problems from SIP service providers can happen when CCA does not automatically detect the source IP addresses of the service provider. There is a section within the CCA tool for adding in the source IP addresses manually. Do not be tempted to remove the voice-source group security feature, but make sure you have a full list of source IP addresses. Feature Three WAN access list An IP Access List protects the router from incoming IP packets. CCA applies an access list to the WAN interface and configures the list to allow traffic from the SIP Service Provider. Access-list 104 is typically used by CCA. Hint. Incoming call problems from SIP service providers can happen when CCA does not automatically detect the source IP addresses of the service provider. There is a section within the CCA tool for adding in the source IP addresses manually. Do not be tempted to remove the WAN side access list. Feature Four IP Address Trusted List Recent versions of CUCME have a Toll-fraud feature that works in a similar way to the voice source group feature above. Within the configuration there is a parameter that sets the allowed IP sources for any VoIP communication transiting the system. Following a software upgrade, the default configuration of this feature leads to calls being rejected with 404 Not Found. Latest versions of CCA will configure this feature to allow calls to pass, but currently does not configure this feature in a strict way and allows all VoIP sources. UC_540#show run sec voice service voip voice service voip ip address trusted list ipv4 0.0.0.0 0.0.0.0! allows all voip sources allow-connections h323 to h323 allow-connections h323 to sip allow-connections sip to h323 allow-connections sip to sip supplementary-service h450.12 no supplementary-service sip moved-temporarily no supplementary-service sip refer

Hint: A better way of configuring this voice security feature would be to document the allowed voice sources in the configuration as follows in this example voice service voip ip address trusted list ipv4 10.1.10.0 255.255.255.252! Subnet used by CUE ipv4 10.1.1.0 255.255.255.0! Subnet used internally for voice sources ipv4 193.203.210.0 255.255.254.0! Subnet for the Service Provider allow-connections h323 to h323 allow-connections h323 to sip allow-connections sip to h323 allow-connections sip to sip supplementary-service h450.12 no supplementary-service sip moved-temporarily no supplementary-service sip refer

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information