Cisco UC500 series Configuration Guide - Page 40
configured in step 4.3.12. Once logged in, you should be able to use the regular IOS CLI commands.
4.4.2 Securing the UC500 for SIP trunk calls
The generic SIP trunk configuration pushed via CCA does not know the exact SIP devices it will talk to, so by default the firewall (i.e. the access-list) on the WAN interface is left open for SIP traffic from any address. If the IP address(es) of the SIP devices that the UC500 will talk to are known, or you want to restrict access to the SIP port (UDP 5060), do the following:
a. Find the access-list number applied to the WAN interface (in this case it is FastEthernet 0/0):
UC520#sh run int fa0/0
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 1.1.100.1 255.255.255.0
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
end
b. From the above, access-list 104 is the one in question; display it:
UC520#show ip access-list 104
Extended IP access list 104
10 deny ip 10.1.10.0 0.0.0.3 any
20 deny ip 10.1.1.0 0.0.0.255 any
30 deny ip 192.168.10.0 0.0.0.255 any
40 permit icmp any host 1.1.100.1 echo-reply
50 permit icmp any host 1.1.100.1 time-exceeded
60 permit icmp any host 1.1.100.1 unreachable
70 permit udp any any eq 5060
80 permit udp any eq 5060 any
90 permit udp any any range 16384 32767
100 permit udp host 63.203.35.55 eq domain any
110 deny ip 10.0.0.0 0.255.255.255 any
120 deny ip 172.16.0.0 0.15.255.255 any
130 deny ip 192.168.0.0 0.0.255.255 any
140 deny ip 127.0.0.0 0.255.255.255 any
150 deny ip host 255.255.255.255 any
160 deny ip host 0.0.0.0 any
170 deny ip any any log
c. The lines in red (the permit udp entries that open SIP signaling to any address) are the ones you need to change to make this secure and allow SIP signaling only to/from the IP addresses or domain names that the UC500 talks to. In most cases you will have either a SIP proxy server or softswitch, a SIP registrar server, or an SBC (outbound proxy). In this example the SIP proxy and registrar IP address are the same, 1.1.100.254. Knowing this, you can add the following in config mode:
ip access-list extended 104
no 70 permit udp any any eq 5060
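As an added example (editor's code, not part of the Cisco guide), the following script audits a `show ip access-list` listing for entries that permit UDP 5060 from any source and generates the config-mode lines that pin them to the known proxy/registrar address. The sample listing is the ACL 104 from step b; the hardened form (replacing the source `any` with `host 1.1.100.254`) is the editor's assumption of how the procedure continues, not text from the guide.

```python
import re

# Constructed sample input: the "show ip access-list 104" listing from step b above.
ACL_104 = """\
Extended IP access list 104
    10 deny ip 10.1.10.0 0.0.0.3 any
    20 deny ip 10.1.1.0 0.0.0.255 any
    30 deny ip 192.168.10.0 0.0.0.255 any
    40 permit icmp any host 1.1.100.1 echo-reply
    70 permit udp any any eq 5060
    80 permit udp any eq 5060 any
    90 permit udp any any range 16384 32767
    100 permit udp host 63.203.35.55 eq domain any
    170 deny ip any any log
"""

# One ACL entry: sequence number, action, protocol, and the rest of the line.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*\S)\s*$")

def parse_acl(text):
    """Parse 'show ip access-list' output into (seq, action, proto, rest) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries

def open_sip_entries(entries, port="5060"):
    """Sequence numbers of entries that permit UDP SIP signaling from *any* source."""
    return [seq for seq, action, proto, rest in entries
            if action == "permit" and proto == "udp"
            and rest.startswith("any ") and re.search(rf"\beq {port}\b", rest)]

def tighten_sip(acl_text, acl_num, proxy_ip, port="5060"):
    """Config-mode lines replacing each open SIP entry with one pinned to proxy_ip.
    Assumed hardened form (editor's, not from the guide): source 'any' -> 'host <proxy>'."""
    entries = parse_acl(acl_text)
    flagged = set(open_sip_entries(entries, port))
    cfg = [f"ip access-list extended {acl_num}"]
    for seq, action, proto, rest in entries:
        if seq in flagged:
            cfg.append(f" no {seq} {action} {proto} {rest}")   # remove the open entry
            cfg.append(f" {seq} {action} {proto} host {proxy_ip} {rest[len('any '):]}")
    return cfg

if __name__ == "__main__":
    print("\n".join(tighten_sip(ACL_104, 104, "1.1.100.254")))
```

Run against the listing above it flags entries 70 and 80; the RTP range (entry 90) is left untouched because the guide's step only restricts SIP signaling.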
© 2008 Cisco Systems, Inc. All rights reserved.