
Gatekeeper and gateway security

Viewing 3 posts - 1 through 3 (of 3 total)
  • #28758
    Manny
    Guest

    Hi,
    I have a Cisco gatekeeper and gateway.
    I registered the gateway to my gatekeeper with an H.323 security policy so that nobody but me could be registered to the gatekeeper.
    The problem is that everybody can still send calls directly to my gateway, bypassing the gatekeeper. Is there any solution to this issue?

    Thanks in advance.

    #28759
    Teodor Georgiev
    Guest

    Several solutions:

    1. Make an inbound extended access-list to allow inbound connections on TCP port 1720 only from your gateway.

    2. Run RADIUS authentication on your incoming dial-peer.

    3. Put an ANI on your incoming dial-peer and let the gatekeeper send all the calls with that ANI.

    4. Configure a tech prefix on the Cisco gateway that is hard to guess.

    Are those enough?
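
Suggestion 1 from the reply above, sketched as an IOS extended access list; this is an added example, not configuration posted by anyone in the thread. The peer addresses (192.0.2.x documentation range), the ACL name and the interface name are assumptions, and the approach assumes the set of H.323 signaling peers is known and fixed.

```cisco
! Constructed example: 192.0.2.10 and 192.0.2.20 are placeholder
! addresses for the trusted H.323 peers allowed to open H.225
! call signaling (TCP 1720) to this gateway.
ip access-list extended H323-SIGNALING-IN
 permit tcp host 192.0.2.10 any eq 1720
 permit tcp host 192.0.2.20 any eq 1720
 ! Drop and log every other call-setup attempt sent straight to the gateway
 deny   tcp any any eq 1720 log
 ! Leave all other traffic (RAS to the gatekeeper, media, management) unchanged
 permit ip any any
!
! Apply inbound on the IP-facing interface (interface name is an assumption)
interface FastEthernet0/0
 ip access-group H323-SIGNALING-IN in
```

The `log` keyword on the deny entry records the source of each blocked setup attempt, which shows who is trying to reach the gateway without going through the gatekeeper.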

    #28760
    Manny
    Guest

    This is the configuration of the dialpeer of MyGW:

    dial-peer voice 11 voip
    incoming called-number 766T
    destination-pattern 765T
    progress_ind setup enable 3
    session target ras
    !
    dial-peer voice 10 pots
    incoming called-number 765T
    no digit-strip
    direct-inward-dial
    !
    dial-peer voice 1 pots
    destination-pattern 766T
    port 3/0:D

    All the calls that come in from the PSTN with the 765 prefix are routed to the gatekeeper.
    All the calls that MyGW receives from the IP side with the 766 prefix are routed to the PSTN.

    1. Make an inbound extended access-list to allow inbound connections on TCP port 1720 only from your gateway.

    I think I cannot create an ACL on MyGW because I do not know the address of the ForeignGW, because it is negotiated each time between the gatekeepers and could change.

    2. Run RADIUS authentication on your incoming dial-peer.

    For this solution I will investigate because I do not know enough about it.

    3. Put an ANI on your incoming dial-peer and let the gatekeeper send all the calls with that ANI.

    Do you mean to add a “calling-number outbound range 1234 1234” to the “dial-peer voice 10 pots” in order to set 1234 as the ANI of the calling party, and then allow only these calls to pass through the gatekeeper and deny all other ANIs? (I do not know how 🙁 )
    But if I configure NetMeeting to use MyGW, the dial-peer will automatically add the ANI to this call as well.
    In any case I have to consider that the ANI is the real one from the customer coming from the PSTN and passing through the VoIP, and I have to keep it as it is for the end user who receives the call.

    4. Configure a tech prefix on the Cisco gateway that is hard to guess.

    I configured a default tech prefix because carriers only send me a prefix like 766 in front of the number.

    I am very sorry if what I explain is not too clear or is wrong. I am trying to learn as much as possible, but I still have some way to go.

    Thank you very much

  • The forum ‘Voice over IP’ is closed to new topics and replies.