Simple VOIP test calls and Toll Fraud
Posted by Josh on Tue 12 Jan 2010. Categories: Cisco, Cisco Routers, Cisco VOIP
If you work on Cisco IPT environments, you have probably run into a situation where you wanted to make a call through a gateway to test PSTN connectivity, to test translation-profiles, or to take the CUCM cluster out of the picture as a process of elimination. The Xlite SIP softphone is a great tool for such tests. You can make calls through an IOS gateway without making any new configuration changes to the gateway itself or to the CUCM cluster.
Cisco gateways automatically allow calls from H.323 or SIP peers without authentication. So, basically, you configure your Xlite softphone to use the IP address of the gateway as the domain and disable SIP registration. Make the following changes to your Xlite softphone and test an outbound call. It works great and is very simple.
XLite Settings
- Open Xlite
- Right-Click on the softphone and select ‘SIP Account Settings’
- Highlight Acct #1 and click ‘Properties’
- Enter a display name and username
- Enter the IP address of the gateway in the ‘Domain’ Field
- Uncheck ‘Register with domain and receive incoming calls’
- Click ‘Ok’
- Click ‘Close’ to close the SIP account properties
- Dial a number
Enable CUBE functionality if you want to test a voip dial-peer
voice service voip
 allow-connections sip to sip
 allow-connections sip to h323
 allow-connections h323 to h323
Gateway Security
This leads me to the second point of this post: toll fraud. The idea of using a softphone to easily test your gateways without having to make any changes is cool, but it is not very secure. Actually, it's something many voice engineers never think about. If your gateways are behind a firewall, it does not present as much of a risk, but it still presents a risk. If your gateways are connected to the public internet without access-lists or firewalls, you are running a very big risk and you need to get this resolved ASAP.
The access-list below allows SIP and H.323 traffic from the Call Manager only (10.10.10.10):
ip access-list extended firewall
 permit udp host 10.10.10.10 any range 5060 5061
 permit tcp host 10.10.10.10 any range 1720 1721
 deny udp any any range 5060 5061 log
 deny tcp any any range 5060 5061 log
 deny tcp any any range 1720 1721 log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group firewall in
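To check what the access-list above actually lets through, here is an added example (not code from the original post) that evaluates it first-match for a few flows. The gateway and softphone addresses are constructed, and the parser only handles the ACE forms used in this post. Note that SIP over TCP from 10.10.10.10 lands on the deny line, because the only TCP permit covers ports 1720-1721.

```python
# Added example (not from the original post): first-match evaluation of the
# "firewall" ACL shown above. Gateway and softphone addresses are constructed.
ACL = """\
permit udp host 10.10.10.10 any range 5060 5061
permit tcp host 10.10.10.10 any range 1720 1721
deny udp any any range 5060 5061 log
deny tcp any any range 5060 5061 log
deny tcp any any range 1720 1721 log
permit ip any any
"""

def parse_ace(line):
    """Parse the ACE shapes used above: action proto src dst [range lo hi] [log]."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            addrs.append(None)
            i += 1
        elif tok[i] == "host":
            addrs.append(tok[i + 1])
            i += 2
        else:
            raise ValueError("unsupported address form in: " + line)
    ports = None
    if tok[i:i + 1] == ["range"]:           # destination port range
        ports = (int(tok[i + 1]), int(tok[i + 2]))
    return action, proto, addrs[0], addrs[1], ports

def evaluate(acl_text, proto, src, dst, dport):
    """Return (action, matching ACE); evaluation stops at the first match."""
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        action, ace_proto, ace_src, ace_dst, ports = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if ace_src not in (None, src) or ace_dst not in (None, dst):
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        return action, line
    return "deny", "(implicit deny at end of ACL)"

GATEWAY, CUCM, SOFTPHONE = "192.0.2.1", "10.10.10.10", "198.51.100.25"  # constructed
FLOWS = [("udp", CUCM, 5060), ("tcp", CUCM, 1720), ("tcp", CUCM, 5060),
         ("udp", SOFTPHONE, 5060), ("tcp", SOFTPHONE, 1720), ("tcp", SOFTPHONE, 22)]

if __name__ == "__main__":
    for proto, src, dport in FLOWS:
        action, ace = evaluate(ACL, proto, src, GATEWAY, dport)
        print(f"{proto} {src} -> {GATEWAY}:{dport:<5} {action:<6} by: {ace}")
```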
January 12th, 2010 at 9:12 am
Howdy Josh,
You are completely right man. It worked flawlessly. Since the VGW I managed has all its channels for voice I think I don't need to put any restriction, only the restrictions for dialing.
Anyway, thanks a lot for the tip.
Thanks,
Sephiroth
January 12th, 2010 at 1:44 pm
Very interesting idea. Thanks.
I’ve always just used the ‘csim start’ command. This SIP method would allow an actual call.
I’d have to think about the ‘allow h323 to h323’. This would allow calls to forward off the VG. Not sure if I want that. But all I need is the ‘allow sip to h323’ for the XLite SIP Phone to work.
Also, if you restrict traffic between the CallManager and voice gateway with the firewall ACL, will the XLite SIP phone work? No SIP traffic from softphone to VG allowed.
January 13th, 2010 at 1:05 am
Sephiroth,
Not everyone will need to make changes to their gateway. It is just something to think about.
Josh
January 13th, 2010 at 1:07 am
Ken,
If you restrict traffic between the CallManager and voice gateway, you will not be able to use the XLite SIP Phone.
You would need to modify the access-list or remove it temporarily.
Josh
August 7th, 2010 at 6:56 am
Good stuff! And take it from someone who has been burned… Pay close attention to this!
The “Security Best Practices” section of the CME SRND should be required reading for all Cisco Voice engineers. Not as much a concern when using MGCP, due to how the POTS trunks are controlled… Until you go into fallback. So it IS still relevant! Be careful out there!
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/srnd/design/guide/security.html
August 7th, 2010 at 12:41 pm
Thanks for the link Scott!