[Asterisk-Users] Securing Cisco SIP gateway

B. J. Bomar bbomar at raccoon.com
Tue Jan 13 12:26:58 MST 2004


I just got an answer back from Cisco on this issue.  They said that this way
of blocking calls will only work with subnets, and not with individual
hosts.  I have tested it out, and it seems to work well enough for me.

B. J.





-----Original Message-----
From: asterisk-users-admin at lists.digium.com
[mailto:asterisk-users-admin at lists.digium.com] On Behalf Of Sean Cheesman
Sent: Monday, January 12, 2004 17:59
To: asterisk-users at lists.digium.com
Subject: RE: [Asterisk-Users] Securing Cisco SIP gateway


have you tried:

access-list 61 permit 10.1.1.2 0.0.0.0

I'm not 100% sure that the mask is implied if you don't specify it.  And
with Cisco ACLs, the mask is the inverse of the standard IP mask.

-----Original Message-----
From: B. J. Bomar [mailto:bbomar at raccoon.com] 
Sent: Monday, January 12, 2004 1:56 PM
To: asterisk-users at lists.digium.com
Subject: RE: [Asterisk-Users] Securing Cisco SIP gateway


I too am attempting to lock down a Cisco gateway.  I have been trying to
use the voice source-group command.  This is what I currently have.

voice source-group test
 access-list 61
 disconnect-cause call-reject
!
access-list 61 permit 10.1.1.2
access-list 61 permit 10.1.1.3
access-list 61 deny   any

The problem I am seeing is that this config blocks all inbound calls,
including those from the permitted IP addresses.  I have a TAC case
opened up with Cisco, but they have not been very helpful yet.  If I
hear anything from Cisco, I will let the list know.  Maybe there is
someone out there that has gotten this to work.

B. J.
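To make the two points raised in this thread concrete (an omitted wildcard on a standard ACL entry means an exact host, and the wildcard is the inverse of a subnet mask), here is an added Python model of Cisco standard access-list evaluation; it is not from the thread or from Cisco, and it models only the documented ACL matching rules, not the voice source-group behaviour B. J. reports. It parses access-list 61 as posted above alongside a constructed subnet variant and shows which SIP source addresses each one admits.

```python
"""Evaluate a Cisco standard access-list against candidate SIP source addresses.

Cisco wildcard masks are the bitwise inverse of a subnet mask: a 0 bit means
"this bit must match", a 1 bit means "don't care".  An omitted wildcard on a
standard ACL entry is treated as 0.0.0.0 (exact host), "host A" is the same,
and "any" is 0.0.0.0 255.255.255.255.  Entries are tested in order; the first
match wins, and a packet that matches nothing hits the implicit trailing deny.
"""
import ipaddress
import re

ENTRY = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def wildcard_from_netmask(netmask: str) -> str:
    """Inverse of a dotted subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))))


def parse_acl(text: str, number: int) -> list:
    """Return (action, address, wildcard) triples for the entries of ACL `number`."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue  # comment, blank line, or a different ACL number
        action, target = m.group(2), m.group(3).split()
        if target[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(target[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(target[0]))
            wild = int(ipaddress.IPv4Address(target[1])) if len(target) > 1 else 0
        entries.append((action, addr, wild))
    return entries


def acl_decision(entries: list, source: str) -> str:
    """First-match evaluation; returns 'permit' or 'deny' (implicit deny at end)."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        # Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"


# Constructed samples: the ACL from the thread, and a subnet form of the same list.
HOST_ACL = "access-list 61 permit 10.1.1.2\naccess-list 61 permit 10.1.1.3\naccess-list 61 deny   any\n"
SUBNET_ACL = "access-list 61 permit 10.1.1.0 0.0.0.255\naccess-list 61 deny any\n"

if __name__ == "__main__":
    for name, acl in (("host", HOST_ACL), ("subnet", SUBNET_ACL)):
        e = parse_acl(acl, 61)
        print(name, {ip: acl_decision(e, ip) for ip in ("10.1.1.2", "10.1.1.3", "10.1.1.9", "192.0.2.1")})
```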





-----Original Message-----
From: asterisk-users-admin at lists.digium.com
[mailto:asterisk-users-admin at lists.digium.com] On Behalf Of Jan Baumann
Sent: Monday, January 12, 2004 10:32
To: asterisk-users at lists.digium.com
Subject: [Asterisk-Users] Securing Cisco SIP gateway



Hello asterisk community,

I have successfully set up asterisk as a SIP PBX and now would like to 
connect to the outside world using a Cisco 2600 with VIC-BRI as an ISDN 
gateway. This works already in the lab, but I have security concerns 
before connecting the gateway to the internet.

I currently don't know exactly what VoIP services the Cisco runs by 
default besides SIP (H.323, MGCP, ...) and which IP ports it accepts 
call setup requests on for the different protocols. What makes it worse 
is that the Cisco accepts these requests on all IPs of any of its 
interfaces.

What I want to do is lock the gateway Cisco down to only accept SIP 
sessions and only via the asterisk box as a signalling and rtp proxy - 
either by an access-list or some authentication mechanism. Per-client 
access-control to the PSTN will then be handled by asterisk's dialplan.

I am quite sure someone has done this successfully before and would very
much appreciate any hints how to do this best.

Many thanks and
kind regards,

Jan Baumann

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users at lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
