[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Securing Cisco Router Port UDP 5060

Posted on 2014-02-12
13
Medium Priority
?
2,535 Views
Last Modified: 2014-03-08
Lately our main line has been getting calls from internal extensions that we don't have in the phone system.  All of our extensions are in the 300's, but we get calls to the main line from extension 100. When we answer the phone, there is no one there. This can happen every two hours or every 20 minutes.

I called Fonality (VOIP provider) to explain the issue, and they told me that we are  getting spam calls. They say that spam calls ring the server using the public IP address of the server, using UDP port 5060 in the firewall.

I was advised to lock down UDP port 5060 and to create a whitelist for our remote phones (telephones outside the office) and for the ISP carrier. I think that closing port UDP 5060 is the easiest way to resolve this issue but we will encounter registration of the remote phones to the server and registration of the phone server to the VOIP carrier using port 5060.

In conclusion, I need to allow access to port 5060 UDP only to our internal VOIP server and remote phones. Right now we are allowing all traffic I believe on UDP 5060. Please see attachment file for configuration.

We are using a Cisco 2901 router, and we only use the router's built-in firewall.

Network Organization: ISP Gateway-> Cisco Router -> Switch -> VOIP Server

I am writing here to get step-by-step instructions as to how to make the modifications that I was given by Fonality. The router uses Cisco's IOS and I need every command that will be required to accomplish this.

Thanks a lot!
Configuration.txt
0
Comment
Question by:CompuHero
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
13 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39854672
Can you run the following command and provide the output?

show run interface GigabitEthernet0/1


Also, do you have the IP addresses of your remote phones?
0
 
LVL 20

Expert Comment

by:agonza07
ID: 39866500
Yeah, looks like you will need to lock down your firewall by only allowing port 5060 to be accessed by certain IPs.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39867537
@ asavener:

Here is the output that you requested:

Building configuration...

Current configuration : 210 bytes
!
interface GigabitEthernet0/1
 description $ES_LAN$$FW_OUTSIDE$
 ip address XX.XX.XXX.234 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 !
end

Open in new window

0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 28

Expert Comment

by:asavener
ID: 39867547
Yup.  You need to apply an access-list to your outside interface.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39867554
@ asavener:

Can you tell my how to do that step-by-step? I would appreciate your detailed help on this matter. I do have the IP address of the remote telephones. For demonstration purposes lets assume that they are as follow:

1. 70.58.944.100

2. 70.58.944.102

3. 70.58.944.103

4. 70.58.944.104


Thanks!
0
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 39867773
The difficulty here is to not break something else that is already working, and not to introduce additional vulnerabilities.

So, this is designed ONLY to address the issue of the phone calls, an is not by any means a recommended practice:

ip access-list extended FW-G0_1_v01
remark allow SIP from certain addresses
permit udp host 70.58.944.100 any eq 5060
permit udp host 70.58.944.102 any eq 5060
permit udp host 70.58.944.103 any eq 5060
permit udp host 70.58.944.104 any eq 5060
remark
remark block SIP from all other addresses
deny udp any any eq 5060
remark
remark Allow all other IP traffic
permit ip any any

interface g0/1
ip access-group FW-G0_1_v01 in
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39870380
@ asavener:

Did you take a look at the "Configuration.txt " file that I attached to the original question? I would like to know if you can spot something that could break once I enter the commands that you suggested.

Let me know.

Thanks!
0
 
LVL 28

Expert Comment

by:asavener
ID: 39870571
That's why I constructed the access list the way I did.  

With no access list applied, all traffic is currently allowed.  All I did was block one particular port/service and allowed all other traffic.  This should fix the issue of the spam SIP calls, without blocking any other services.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39870585
@ asavener:

Thanks a lot! I will try this today after regular business hours. I have been able to bypass the issue temporarily by resetting the Fonality Server. It seems that resetting the server reduces the amount of spam calls we get to approximately 10 per day.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39892056
@ asavener:

All your steps worked beautifully! You have given me by far the best answer/help that I have ever gotten from this website. With previous answers that I have received for other questions, I had to always correct other problems caused by the answer or figure out how to make it work correctly. Yours worked right from the get-go.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39892066
@ asavener:

Just one more thing if I may. It is possible that I might have to modify one of the telephone IP addresses from above. Let's say for example that 70.58.944.100 now needs to be changed to 24.69.456.64. How could I do that one number modification?

Thank you!
0
 
LVL 28

Expert Comment

by:asavener
ID: 39892270
My preferred way of editing an access list is to create a new access list with the updated lines, and then apply the new access list to the interface.  That's why I put in version numbers.

There's a number of reasons for this.  One, I don't inadvertently modify an active access list that controls my access to a router.  Two, I have a history that I can refer to, and I can identify exactly what change was made.


ip access-list extended FW-G0_1_v02
<the rest of your access list>

interface g0/1
ip access-group FW-G0_1_v02 in
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39914712
@ asavener:

Thank you! Your help is much appreciated.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question