[cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

Lelio Fulgenzi lelio at uoguelph.ca
Thu Sep 13 12:28:19 EDT 2018


Thanks Ryan…

I will be enabling call policies on the E, allowing calls only from *.webex.com (regex simplified) from the Any source, and I found that I needed a rule to allow outbound calls as well – for this I used a named source, so calls from the traversal zone I established with the C. In this case, I’m letting that call anything. I’ve also got a deny at the bottom.

As I move to allowing B2B calls, I will add the appropriate rules here to say allow inbound calls from ford.com and bigcompanyx.com as required.

If we look at my search rules on C, say those accepting inbound calls from the CUCM neighbor zone and sending them to the E for processing, I want to configure those rules so they only apply to a named zone, the neighbor zone. And for the rules that take calls from E and send them off to the neighbor zone, I want them to apply only to the named zone, the traversal zone, instead of having ANY as the source.



---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca

www.uoguelph.ca/ccs | @UofGCCS on Instagram, Twitter and Facebook

From: Ryan Huff <ryanhuff at outlook.com>
Sent: Thursday, September 13, 2018 11:55 AM
To: Lelio Fulgenzi <lelio at uoguelph.ca>
Cc: voyp list, cisco-voip (cisco-voip at puck.nether.net) <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Expressway Search Rules - Source:Any -or- Source-Named Zone

Pardon ... “the E’s search rule” ... I said traversal zone. Email needs a delete like WebEx Teams ...
Sent from my iPhone

On Sep 13, 2018, at 11:53, Ryan Huff <ryanhuff at outlook.com> wrote:
The source for the E’s traversal zone only needs to be ‘ANY’ if it truly needs to be. I’ve deployed several scenarios where the business only wanted to receive B2B calls from other things on its own domain (or a few domains strung together in regex).

Also, using the Call Policy engine (under the Configuration menu) or the more in-depth CPL (Call Processing Language) is a great way to block obviously fraudulent dials by source, target or zone (e.g. source URI: deny clown at nose.com).

I prefer to use the standard Call Policy rules in the GUI, which are more akin to a prioritized Allow / Deny ACL.

CPL on the other hand (located in the same GUI menu section) is a more robust way of using call policies and is really only needed for advanced Call handling.

Call Processing Language is referenced on page 324: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

Call Policy is referenced on page 168: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

The Firewall rules are useful for only allowing administrative services to a particular subnet (System / Protection / Firewall Rules) if you need to leave HTTPS and SSH exposed to a non-secure network (this is less about toll fraud than it is about general security).

The firewall rules are referenced on page 28: https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-11.pdf

As with any system exposed to the Internet, turn off any services and protocols not in use (Ex. Turn off UDP support if you’re not using it ... etc).
Thanks,

Ryan
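Ryan's description of Call Policy as a prioritized Allow / Deny ACL, together with the rule set Lelio describes at the top of the thread (allow *.webex.com from Any, allow anything arriving on the C-to-E traversal zone, deny at the bottom) and the Any-versus-named-zone question about search rules, as a small added model. This is constructed example code, not the page's own and not Cisco's engine: the zone names "DefaultZone" and "Traversal-C", the URIs, and whole-string, case-insensitive regex matching are assumptions of the model. It shows two things the thread touches on: a rule scoped to a named zone is never hit by a call arriving elsewhere, even when the source URI looks internal, and a loosely transcribed "webex.com" pattern also admits look-alike domains.

```python
"""Model of a prioritized, first-match call policy (Allow / Deny ACL style).

Constructed example, not Expressway's own engine; zone names, URIs and the
whole-string regex matching are assumptions of this model.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Call:
    zone: str         # zone the call arrived on, e.g. "Traversal-C" or "DefaultZone"
    source: str       # source URI as presented by the caller (not authenticated)
    destination: str  # dialled alias


@dataclass(frozen=True)
class Rule:
    name: str
    zone: str         # "Any", or a named zone the call must have arrived on
    source: str       # regex the source URI must match
    destination: str  # regex the destination must match
    action: str       # "allow" or "reject"


def _match(pattern: str, value: str) -> bool:
    # Whole-string, case-insensitive match (an assumption of this model).
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None


def matching_rule(rules: List[Rule], call: Call) -> Optional[Rule]:
    """Return the first rule whose zone, source and destination all match."""
    for rule in rules:
        if rule.zone != "Any" and rule.zone != call.zone:
            continue  # named-zone rule: a call from any other zone never hits it
        if _match(rule.source, call.source) and _match(rule.destination, call.destination):
            return rule
    return None


def decide(rules: List[Rule], call: Call) -> str:
    """Action of the first matching rule; reject when nothing matched."""
    rule = matching_rule(rules, call)
    return rule.action if rule is not None else "reject"


# Two ways to write "anything from *.webex.com". The loose form has unescaped
# dots and nothing pinning the domain, so it also accepts look-alike domains.
WEBEX_LOOSE = r".*webex.com"
WEBEX_STRICT = r"[^@]+@([a-z0-9-]+\.)*webex\.com"


def policy(webex_pattern: str) -> List[Rule]:
    """Rule set from the thread: Webex from Any, anything arriving on the
    C-to-E traversal zone, explicit deny at the bottom."""
    return [
        Rule("inbound-webex", "Any", webex_pattern, r".*", "allow"),
        Rule("outbound-via-traversal", "Traversal-C", r".*", r".*", "allow"),
        Rule("deny-all", "Any", r".*", r".*", "reject"),
    ]


# Constructed test traffic (placeholder zones and URIs, not real endpoints).
SAMPLE_CALLS = [
    Call("DefaultZone", "meeting@webex.com", "room1@uoguelph.ca"),
    Call("DefaultZone", "bob@notwebex.com", "room1@uoguelph.ca"),        # look-alike domain
    Call("DefaultZone", "anyone@evil.example", "9011234567890@uoguelph.ca"),
    Call("Traversal-C", "room1@uoguelph.ca", "partner@ford.com"),        # genuine outbound
    Call("DefaultZone", "room1@uoguelph.ca", "partner@ford.com"),        # spoofed internal source
]


def evaluate(rules: List[Rule]):
    """Map (zone, source) of each sample call to (matched rule name, decision)."""
    result = {}
    for call in SAMPLE_CALLS:
        rule = matching_rule(rules, call)
        result[(call.zone, call.source)] = (rule.name if rule else None, decide(rules, call))
    return result


if __name__ == "__main__":
    for label, pattern in (("loose", WEBEX_LOOSE), ("strict", WEBEX_STRICT)):
        print(f"--- {label} pattern: {pattern}")
        for (zone, source), (rule, action) in evaluate(policy(pattern)).items():
            print(f"{zone:12} {source:28} -> {action:6} ({rule})")
```

With the loose pattern the look-alike call from bob@notwebex.com lands on the Webex allow rule; with the strict pattern it falls through to deny-all. In both cases the call that presents an internal-looking source URI but arrives on the default zone never reaches the traversal-zone allow rule, which is the reason for naming the source zone rather than leaving it as Any.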

On Sep 13, 2018, at 11:12, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

Curious – what are people doing with their search rules? I’ve got a search rule for calls coming from the ’net into E and then to C, all good, but just wondering: I know the search rule on E has to be source:ANY because it’s coming from the net, but what about the search rule on C? Shouldn’t it be source:named zone (and pick the C-to-E traversal zone) to be sure that nothing else hits it?

Same goes for say rules that I use to send calls all the way from CUCM to C to E to DNS Zone. Shouldn’t my rules be as specifically configured as possible? Including the source zone?

I understand that if I start registering devices on either the C or E I will need to create additional rules, but I’m fine with that, that way I know exactly what’s going to hit.

What are others doing? What’s the best practice?



_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip