dilberty

asked on

Remote teleworkers with CME

Hi,

We have a Cisco 2811 ISR running CME 7.0. We do not use it as a router, only for voice.
Is there any *safe* way to allow remote teleworkers over the WAN? e.g. SIP clients securely authenticating to CME.
I know a possible solution is using VPN, but that creates a lot of overhead and is especially problematic on mobile platforms, so I'm wondering if it's possible to open some ports to CME and have clients connect directly (similar to public SIP providers).

Thanks in advance!
Istvan Kalmar

Hi,

I advise to use VPN, because it is easy to crack the MD5 hashes of SIP!

ASKER CERTIFIED SOLUTION
Alex Bahar

xReaper

>> I advise to use VPN, because it is easy to crack the MD5 hashes of SIP!

Yes? Heh, and how do you do that with a complex password?
Hi,

Please try Cain for hacking SIP:

http://www.oxid.it/cain.html

it is working...
Looks like you have no idea what you are talking about here; this is the kind of time when you'd better say nothing if you are not sure.
Do you have any idea how the hash is used?
You can brute-force for ages, good luck.
dilberty

ASKER

Are you sure 5060 and 5061 are sufficient? Don't I need UDP ports for voice?
>Are you sure 5060 and 5061 are sufficient? Don't I need UDP ports for voice?

Sure, but he talks about an ACL. I think what he wanted to say is that you can use an ACL for 5060 and open the UDP ports for everyone; anyway, if the SIP dialog does not pass, there is no point in adding an ACL to the RTP (UDP) ports for voice.
And you don't need to use 5060 and 5061; use only the one your CME is bound to.
Thanks guys. Is there any way to allow this only for specific users? Most of my users use simple passwords and besides I wouldn't want to allow them this functionality.
That's why you need an ACL based on the (external) IP of your users.
Users at home don't have a static IP address. It is assigned dynamically from the ISP, so I probably won't be able to achieve that...
For simplicity, you can assign an "allowed range of IP addresses/subnet" to the VoIP teleworkers. Let's call it white-list. You can then create a simple ACL that allows only that white-list IP address range access to the CME 5060 5061 ports.
Static IP addresses for home broadband cost only 2-3 dollars a month. It is worth getting it.
Another option is to use 2 different VPN groups which assign IP addresses from 2 different pools: white-list and black-list IP address pools...
Thus, you can differentiate users even if they use dynamic IP addresses on their internet broadband.
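The white-list ACL described above, written out as a constructed Cisco IOS example (it is not configuration from this thread, from the asker's router, or from Cisco), with the "open to anyone" variant the question proposed shown alongside as a comment for contrast. Assumed values: CME voice address 203.0.113.10 on WAN interface FastEthernet0/0, teleworker white-list 198.51.100.0/28, SIP bound only to UDP 5060 (the single port the thread recommends), and the IOS default RTP media range 16384-32767.

```cisco
! Constructed example - assumed addresses, interface and ports, see lead-in.
! Confirm the port CME actually listens on before writing the ACL:
!   show sip-ua status
!
! What "open some ports to CME" without restriction would look like
! (NOT recommended - every host on the Internet may try to register):
!   permit udp any host 203.0.113.10 eq 5060
!
ip access-list extended TELEWORKER-SIP-IN
 remark --- SIP signalling only from the white-listed teleworker addresses
 permit udp 198.51.100.0 0.0.0.15 host 203.0.113.10 eq 5060
 remark --- RTP media from the same addresses, only within the CME media range
 permit udp 198.51.100.0 0.0.0.15 host 203.0.113.10 range 16384 32767
 remark --- anything else aimed at the voice address is dropped and logged
 deny   udp any host 203.0.113.10 log
 deny   ip any host 203.0.113.10 log
 remark --- this router carries voice only, so nothing else is expected inbound
 deny   ip any any
!
interface FastEthernet0/0
 description WAN - teleworker access to CME
 ip access-group TELEWORKER-SIP-IN in
!
! Check that the white-list entries are matching and watch the deny counters:
!   show access-lists TELEWORKER-SIP-IN
```

The logged denies give a simple signal of registration attempts from outside the white-list; a steady stream of them against UDP 5060 is the kind of traffic that the VPN advice in this thread is meant to keep off the CME entirely.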
Hi,

I advise VPN... it gives more security, and if you use the G.728 or G.729 codec you are able to use it without any problems! We use it over VPN...
IPsec VPN is not a bed of roses, though. It introduces delay and bandwidth overhead.

Processing delay can be considerable if the WAN devices do not have hardware compression modules.

A single G.729 voice stream over IPsec VPN over DSL consumes about 67 kbps! Only 8 kbps is the G.729 payload. IPsec VPN adds about 21 kbps to a single voice stream.