Hello asterisk community,

I have successfully set up asterisk as a SIP PBX and now would like to connect to the outside world using a Cisco 2600 with VIC-BRI as an ISDN gateway. This works already in the lab, but I have security concerns before connecting the gateway to the internet.

I currently don't know exactly what VoIP services the Cisco runs by default besides SIP (H.323, MGCP, ...) and which IP ports it accepts call setup requests on for the different protocols. What makes it worse is that the Cisco accepts these requests on all IPs of any of its interfaces.

What I want to do is lock the gateway Cisco down to only accept SIP sessions and only via the asterisk box as a signalling and RTP proxy - either by an access-list or some authentication mechanism. Per-client access control to the PSTN will then be handled by asterisk's dialplan.

I am quite sure someone has done this successfully before and would very much appreciate any hints on how to do this best.

Many thanks and kind regards,
Jan Baumann
I too am attempting to lock down a Cisco gateway. I have been trying to use the voice source-group command. This is what I currently have.

voice source-group test
 access-list 61
 disconnect-cause call-reject
!
access-list 61 permit 10.1.1.2
access-list 61 permit 10.1.1.3
access-list 61 deny any

The problem I am seeing is that this config blocks all inbound calls, including those from the permitted IP addresses. I have a TAC case opened up with Cisco, but they have not been very helpful yet. If I hear anything from Cisco, I will let the list know. Maybe there is someone out there that has gotten this to work.

B. J.

-----Original Message-----
From: asterisk-users-admin@lists.digium.com [mailto:asterisk-users-admin@lists.digium.com] On Behalf Of Jan Baumann
Sent: Monday, January 12, 2004 10:32
To: asterisk-users@lists.digium.com
Subject: [Asterisk-Users] Securing Cisco SIP gateway

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Have you tried:

access-list 61 permit 10.1.1.2 0.0.0.0

I'm not 100% sure that the mask is implied if you don't specify it. And with Cisco ACLs, the mask is the inverse of the standard IP mask.

-----Original Message-----
From: B. J. Bomar [mailto:bbomar@raccoon.com]
Sent: Monday, January 12, 2004 1:56 PM
To: asterisk-users@lists.digium.com
Subject: RE: [Asterisk-Users] Securing Cisco SIP gateway
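The lockdown Jan asks for in the first post, combined with the wildcard-mask point from the last reply, as an added IOS configuration example that is not from any of the posters. It assumes Asterisk is 10.1.1.2, an admin workstation is 10.1.1.100, and the gateway's IP-facing interface is FastEthernet0/0; the ACL name VOICE-IN and number 10 are arbitrary. It filters at the interface rather than through voice source-group, so it does not depend on the source-group behaviour that B. J. reports blocking even permitted calls, and it closes H.323 and MGCP at the same time without having to find out which voice listeners the IOS image has running.

```cisco
! Added example, not from the thread. Assumed addresses: Asterisk is
! 10.1.1.2, the admin workstation is 10.1.1.100, the gateway's IP-facing
! interface is FastEthernet0/0. Adjust before use.
!
! 1. Interface ACL: the gateway only ever sees SIP signalling and RTP from
!    the Asterisk box. H.323 (tcp/1720), MGCP (udp/2427), SIP from any
!    other host and every other service fall through to the final deny,
!    whatever voice protocols the IOS image happens to have listening.
ip access-list extended VOICE-IN
 remark SIP signalling (UDP 5060) only from Asterisk
 permit udp host 10.1.1.2 any eq 5060
 remark RTP media only from Asterisk; IOS default media ports 16384-32767
 permit udp host 10.1.1.2 any range 16384 32767
 remark SSH to the gateway from the admin host only
 permit tcp host 10.1.1.100 any eq 22
 remark add permits for replies to services the router itself uses (DNS, NTP, syslog)
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group VOICE-IN in
!
! 2. Standard ACL with an explicit wildcard mask, as the last reply
!    suggests. Cisco wildcards are inverted: 0.0.0.0 means "this exact
!    host" and 0.0.0.255 means "this /24". Writing 255.255.255.0 here by
!    habit would match every address whose last octet is 0, not the subnet.
access-list 10 permit 10.1.1.100 0.0.0.0
access-list 10 deny any log
!
! 3. Bind the standard ACL to the virtual terminals so only the admin host
!    can reach the CLI, and allow SSH only.
line vty 0 4
 access-class 10 in
 transport input ssh
```

Apply this from the console, not over the network, then verify with `show ip access-lists VOICE-IN` while placing a test call from Asterisk: the counters on the udp/5060 and RTP-range permits should increment, and the final deny should only count probes from elsewhere. Because the list is applied inbound only, the gateway's own outbound INVITEs to Asterisk keep working; Asterisk's replies come from host 10.1.1.2 to the gateway's port 5060 and match the first permit. The ISDN side on the VIC-BRI is unaffected, and the dialplan-based per-client control Jan describes then only has to worry about what arrives through Asterisk.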