Solved

Securing Cisco Router Port UDP 5060

Posted on 2014-02-12
13
2,254 Views
Last Modified: 2014-03-08
Lately our main line has been getting calls from internal extensions that we don't have in the phone system.  All of our extensions are in the 300's, but we get calls to the main line from extension 100. When we answer the phone, there is no one there. This can happen every two hours or every 20 minutes.

I called Fonality (VOIP provider) to explain the issue, and they told me that we are  getting spam calls. They say that spam calls ring the server using the public IP address of the server, using UDP port 5060 in the firewall.

I was advised to lock down UDP port 5060 and to create a whitelist for our remote phones (telephones outside the office) and for the ISP carrier. I think that closing port UDP 5060 is the easiest way to resolve this issue, but then we will run into problems with registration of the remote phones to the server and registration of the phone server to the VOIP carrier, both of which use port 5060.

In conclusion, I need to allow access to port 5060 UDP only to our internal VOIP server and remote phones. Right now I believe we are allowing all traffic on UDP 5060. Please see the attached file for the configuration.

We are using a Cisco 2901 router, and we only use the router's built-in firewall.

Network Organization: ISP Gateway-> Cisco Router -> Switch -> VOIP Server

I am writing here to get step-by-step instructions as to how to make the modifications that I was given by Fonality. The router uses Cisco's IOS and I need every command that will be required to accomplish this.

Thanks a lot!
Configuration.txt
Question by:CompuHero
13 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39854672
Can you run the following command and provide the output?

show run interface GigabitEthernet0/1


Also, do you have the IP addresses of your remote phones?
0
 
LVL 20

Expert Comment

by:agonza07
ID: 39866500
Yeah, looks like you will need to lock down your firewall by only allowing port 5060 to be accessed by certain IPs.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39867537
@ asavener:

Here is the output that you requested:

Building configuration...

Current configuration : 210 bytes
!
interface GigabitEthernet0/1
 description $ES_LAN$$FW_OUTSIDE$
 ip address XX.XX.XXX.234 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 !
end


0
 
LVL 28

Expert Comment

by:asavener
ID: 39867547
Yup.  You need to apply an access-list to your outside interface.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39867554
@ asavener:

Can you tell me how to do that step-by-step? I would appreciate your detailed help on this matter. I do have the IP addresses of the remote telephones. For demonstration purposes, let's assume that they are as follows:

1. 70.58.944.100

2. 70.58.944.102

3. 70.58.944.103

4. 70.58.944.104


Thanks!
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39867773
The difficulty here is to not break something else that is already working, and not to introduce additional vulnerabilities.

So, this is designed ONLY to address the issue of the phone calls, and is not by any means a recommended practice:

ip access-list extended FW-G0_1_v01
remark allow SIP from certain addresses
permit udp host 70.58.944.100 any eq 5060
permit udp host 70.58.944.102 any eq 5060
permit udp host 70.58.944.103 any eq 5060
permit udp host 70.58.944.104 any eq 5060
remark
remark block SIP from all other addresses
deny udp any any eq 5060
remark
remark Allow all other IP traffic
permit ip any any

interface g0/1
ip access-group FW-G0_1_v01 in
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39870380
@ asavener:

Did you take a look at the "Configuration.txt " file that I attached to the original question? I would like to know if you can spot something that could break once I enter the commands that you suggested.

Let me know.

Thanks!
0
 
LVL 28

Expert Comment

by:asavener
ID: 39870571
That's why I constructed the access list the way I did.  

With no access list applied, all traffic is currently allowed.  All I did was block one particular port/service and allowed all other traffic.  This should fix the issue of the spam SIP calls, without blocking any other services.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39870585
@ asavener:

Thanks a lot! I will try this today after regular business hours. I have been able to bypass the issue temporarily by resetting the Fonality Server. It seems that resetting the server reduces the amount of spam calls we get to approximately 10 per day.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39892056
@ asavener:

All your steps worked beautifully! You have given me by far the best answer/help that I have ever gotten from this website. With previous answers that I have received for other questions, I had to always correct other problems caused by the answer or figure out how to make it work correctly. Yours worked right from the get-go.
0
 
LVL 1

Author Comment

by:CompuHero
ID: 39892066
@ asavener:

Just one more thing if I may. It is possible that I might have to modify one of the telephone IP addresses from above. Let's say for example that 70.58.944.100 now needs to be changed to 24.69.456.64. How could I do that one number modification?

Thank you!
0
 
LVL 28

Expert Comment

by:asavener
ID: 39892270
My preferred way of editing an access list is to create a new access list with the updated lines, and then apply the new access list to the interface.  That's why I put in version numbers.

There are a number of reasons for this.  One, I don't inadvertently modify an active access list that controls my access to a router.  Two, I have a history that I can refer to, and I can identify exactly what change was made.


ip access-list extended FW-G0_1_v02
<the rest of your access list>

interface g0/1
ip access-group FW-G0_1_v02 in
0
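An added example (not from this thread, Cisco or Fonality) that simulates the first-match evaluation of the access list in the accepted solution and the versioned-copy edit described in the last reply, so you can see which packets the list permits before applying it: only the listed sources reach UDP 5060, everything else (other ports, TCP) still passes, and a v02 copy swaps one host without touching v01. The phone addresses are constructed RFC 5737 documentation addresses standing in for the poster's; note that the carrier's SIP signaling source mentioned in the question must be added to the same permit list, because the deny line catches every other source.

```python
import re

# Constructed stand-ins for the four remote phones (documentation range).
PHONES = ["198.51.100.10", "198.51.100.12", "198.51.100.13", "198.51.100.14"]


def build_acl(name, sip_sources):
    """Render the access list in the same shape as the accepted answer."""
    lines = [f"ip access-list extended {name}",
             " remark allow SIP from certain addresses"]
    lines += [f" permit udp host {ip} any eq 5060" for ip in sip_sources]
    lines += [" remark block SIP from all other addresses",
              " deny udp any any eq 5060",
              " remark Allow all other IP traffic",
              " permit ip any any"]
    return lines


# One access-control entry: action, protocol, source, destination, optional dst port.
ACE = re.compile(r"^\s*(permit|deny)\s+(\w+)\s+(host \S+|any)\s+(host \S+|any)"
                 r"(?:\s+eq\s+(\d+))?\s*$")


def _match_addr(spec, addr):
    return spec == "any" or spec.split()[1] == addr


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line in acl:
        m = ACE.match(line)
        if not m:            # header and remark lines are not entries
            continue
        action, p, s, d, port = m.groups()
        if p not in ("ip", proto):
            continue
        if not (_match_addr(s, src) and _match_addr(d, dst)):
            continue
        if port is not None and int(port) != dport:
            continue
        return action
    return "deny"


def next_version(acl, old_ip, new_ip):
    """Copy the list under a bumped _vNN name with one host swapped (asavener's approach)."""
    base, ver = acl[0].rsplit("_v", 1)
    new = [f"{base}_v{int(ver) + 1:02d}"]
    # Trailing space keeps 198.51.100.1 from matching inside 198.51.100.10.
    new += [l.replace(f"host {old_ip} ", f"host {new_ip} ") for l in acl[1:]]
    return new
```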
 
LVL 1

Author Comment

by:CompuHero
ID: 39914712
@ asavener:

Thank you! Your help is much appreciated.
0
