[cisco-voip] CallManagers & Gateways - controlling access
Corson, Teressa
Teressa.Corson at doit.nh.gov
Mon Nov 14 13:43:37 EST 2011
The anomalies are 911 hang-up calls during weird hours when no one is working. We have debugging turned on, waiting for the next call, but this was TAC’s suggestion to ensure that we’re not being hacked.
On the last phantom 911 call we had some debugging and syslog in place but the call does not show up in the syslog (perhaps the right debugs weren’t on) or in the CDRs. I can understand that we might not have been logging the right info to show up in syslog but how/why can a call be made and not show up in the Call Detail Records?
Most of our calls go out a PRI, but we have 4 FXO ports with POTS lines that are used for 911 calls. Inbound calls to those POTS numbers are rare (except for 911 calling back or a wrong number). If an inbound call is received, CUCM sends it to a route point that is registered with Contact Center Express. The call then goes to a Help Desk.
Thanks, again.
Teressa
Teressa Corson, CCNP, CCDA, CCNA-Voice
TSS VI, Operations
Network Operations
NH Department of Information Technology
603-223-5727
www.nh.gov/doit <http://www.nh.gov/doit>
Statement of Confidentiality: The contents of this message are confidential. Any unauthorized disclosure, reproduction, use or dissemination (either in whole or in part) is prohibited. If you are not the intended recipient of this message, please notify the sender immediately and delete the message from your system.
From: gwenzit at gmail.com [mailto:gwenzit at gmail.com]
Sent: Monday, November 14, 2011 1:10 PM
To: Corson, Teressa; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] CallManagers & Gateways - controlling access
You're not blocking anything. Why then would you assume it would not work? I think if we knew that anomaly and its PITA symptoms, it would help.
Sent from my HTC on the Now Network from Sprint!
----- Reply message -----
From: "Corson, Teressa" <Teressa.Corson at doit.nh.gov>
Date: Mon, Nov 14, 2011 12:00 pm
Subject: [cisco-voip] CallManagers & Gateways - controlling access
To: <cisco-voip at puck.nether.net>
I'm puzzled... hoping someone here can explain. The basics are CUCM version 7.1.5.33900-10 with one pub and 2 subs. CUCM controls the GWs using MGCP in our config.
Due to some calling anomalies, Cisco TAC advised me to put the config below on my gateways. The TAC rep says this will allow only my CallManagers to send calls using these gateways.
access-list 99 remark ALLOWED CUCM SERVERS
access-list 99 permit 10.a.b.c
access-list 99 permit 10.a.b.d
access-list 99 permit 10.a.b.e
access-list 99 deny any log
!
voice source-group VOIP-Block
 access-list 99
My understanding, based on the documentation I’ve read, is that the ACL 99 just matches traffic and tosses it to the voice source-group. The voice source-group does not block traffic, at least not as configured. Can a voice source-group be used to limit the CallManagers allowed to use the GW?
I tried a test. I made a test CM Group with just the CM server 10.a.b.c, and a test Device Pool using the test CM Group. I removed 10.a.b.c from the ACL so, in theory, calls from that CM shouldn’t be permitted to use the GW. I put my own phone in the test DP. I was still able to make and receive calls, even when I could see that my phone was registered to the non-allowed CM. I could see from the debug that my calls are going through the specific GW that contains the ACL & source-group above. Unless I’m missing something, that indicates to me that this ACL/source-group config is not blocking calls from CallManagers outside the permitted group.
Is TAC mistaken? Am I confused (YES) or just doing something wrong? Any words of wisdom will be greatly appreciated. Thanks.
Teressa
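The thread's underlying worry is after-hours 911 hang-up calls that are hard to attribute. The following is an added example, not code from the list or from Cisco, showing the CDR-side check a defender would run: flag emergency calls placed outside business hours and report the originating phone and gateway, with a zero-duration marker for hang-ups. It assumes a CUCM CDR export in CSV form and uses only a handful of real CDR column names (dateTimeOrigination is epoch seconds); the sample rows, the device names, the 07:00 to 18:00 business window and the UTC evaluation are all constructed assumptions. As the original message notes, the phantom call never reached the CDRs, so this check only covers calls CUCM actually recorded and complements, rather than replaces, gateway-side debugging and syslog.

```python
"""Flag emergency (911) calls placed outside business hours in a CUCM CDR export.

Added example; the sample data below is constructed, not a real CDR export.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a reduced subset of CUCM CDR columns. The column names are
# the real CDR field names, but a real export carries many more columns.
# Timestamps are epoch seconds on 2011-11-14 (UTC): 03:12, 14:30, 02:00, 04:00.
SAMPLE_CDR = """\
cdrRecordType,dateTimeOrigination,callingPartyNumber,finalCalledPartyNumber,duration,origDeviceName,destDeviceName
1,1321240320,2235727,911,0,SEP001122334455,GW-FXO-PORT1
1,1321281000,2235701,911,95,SEP0011AABBCCDD,GW-FXO-PORT2
1,1321236000,2235733,6035551212,240,SEP00AA11BB22CC,GW-PRI
1,1321243200,,911,0,,GW-FXO-PORT1
"""

# Assumptions: these are the dialled strings that count as emergency calls, and
# calls outside 07:00-18:00 (in the evaluation time zone) are "after hours".
EMERGENCY_NUMBERS = {"911", "9911"}
BUSINESS_HOURS = (7, 18)


def parse_cdr(text):
    """Parse a CDR CSV export (header row plus records) into dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def is_after_hours(epoch_seconds, tz=timezone.utc, hours=BUSINESS_HOURS):
    """True when the call origination time falls outside the business window."""
    hour = datetime.fromtimestamp(int(epoch_seconds), tz=tz).hour
    start, end = hours
    return not (start <= hour < end)


def flag_phantom_emergency_calls(records, tz=timezone.utc):
    """Return one summary per emergency call placed after hours.

    Empty caller or device fields are reported explicitly, since a 911 call with
    no originating phone is exactly the kind of record worth investigating.
    """
    flagged = []
    for r in records:
        if r["finalCalledPartyNumber"] not in EMERGENCY_NUMBERS:
            continue
        if not is_after_hours(r["dateTimeOrigination"], tz):
            continue
        origination = datetime.fromtimestamp(int(r["dateTimeOrigination"]), tz=tz)
        flagged.append({
            "time": origination.isoformat(),
            "caller": r["callingPartyNumber"] or "<no calling number>",
            "device": r["origDeviceName"] or "<no originating device>",
            "gateway": r["destDeviceName"],
            # duration 0 means the call never connected or was dropped at once:
            # the hang-up pattern described in the thread.
            "hangup": int(r["duration"]) == 0,
        })
    return flagged


if __name__ == "__main__":
    for hit in flag_phantom_emergency_calls(parse_cdr(SAMPLE_CDR)):
        print(hit)
```

Run it against a real export by replacing SAMPLE_CDR with the file contents and passing the site's local tzinfo to flag_phantom_emergency_calls; a flagged record with an empty origDeviceName points at the gateway named in destDeviceName as the place to enable debugging next.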