<div dir="ltr">Are you employing application layer filtering, or are you simply blocking port 5060? We're not being hit on 5060, but random high ports. And we need to allow internet access so features on the phone display that are outside our network will continue to work.<div><br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 20, 2015 at 1:35 PM, Robert Johnson <span dir="ltr"><<a href="mailto:robert.j@bendtel.com" target="_blank">robert.j@bendtel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/20/2015 12:14 PM, Carlos Alvarez wrote:<br>
</span><div><div class="h5">> We're starting to see customers who get random arbitrary ringing caused by<br>
> a random connection attempt from the internet. Most of our customers have<br>
> Cisco routers with full-cone NAT, so it's easy to do that. We don't<br>
> reinvite handsets, we proxy the media, so we've considered using restricted<br>
> NAT instead. If we can figure out how, we can't find any documentation on<br>
> how to do it, and don't have a response to our Cisco TAC case on it yet.<br>
><br>
> But I figured I'd ask if others have come up with better solutions. I know<br>
> there are a few authentication options in the phones themselves, but they<br>
> seem to vary greatly by vendor and even by model. I like to do things as<br>
> simply and system-wide as possible. We primarily sell Grandstream, and we<br>
> support Cisco/Linksys SPA as well as Polycom IP series (not VVX).<br>
><br>
> We're an Asterisk-based hosted service provider.<br>
><br>
><br>
><br>
</div></div><span class="">> _______________________________________________<br>
> VoiceOps mailing list<br>
> <a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
> <a href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
><br>
<br>
</span>This may be dependent upon the Cisco router in question, but when we<br>
deploy routers we always set the ACL to only allow SIP communications<br>
from our SBC. - When customers provide their own, we recommend the same<br>
settings.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Robert Johnson<br>
BendTel, Inc.<br>
<a href="tel:%28541%29389-4020" value="+15413894020">(541)389-4020</a><br>
Central Oregon's Own Telephone and Internet Service Provider<br>
<a href="http://bendtel.com/about/" rel="noreferrer" target="_blank">http://bendtel.com/about/</a><br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
</div></div></blockquote></div><br></div>