VoIP security for Cisco 2811 with ADSL HWIC - VoIP fraud

Voice over IP

Moderator: Federico.Lagni

micky
Cisco fan
Posts: 38
Joined: Wed 30 Apr, 2008 5:37 pm
Location: La Spezia

Good evening everyone,
this morning Telecom Italia's anti-fraud unit contacted me to tell me that international calls were placed from our number during the night..

The VoIP PBX in use is a Cisco 2811 with the following configuration, which I ask you to analyse and tell me where it could have been flawed enough to allow our lines to be used to place calls.

Thanks everyone!


!
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname Cisco2811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
logging console critical
enable secret 5 XXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
clock timezone ITALY 1
clock summer-time ITALY recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.240.0 192.168.240.50
ip dhcp excluded-address 192.168.240.255 192.168.247.255
!
ip dhcp pool voice
network 192.168.240.0 255.255.248.0
option 150 ip 192.168.243.253
default-router 192.168.243.253
dns-server 151.99.125.1 151.99.0.100 212.17.192.49
!
!
ip domain name XXXXXXX.biz
ip name-server 151.99.0.100
ip name-server 212.17.192.49
ip name-server 212.17.192.56
ip name-server 212.216.112.112
ip name-server 88.149.128.12
ip name-server 151.99.125.1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-XXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXX
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
!
!
username Administrator privilege 15 secret 5 XXXXXXX
archive
log config
hidekeys
!
!
interface FastEthernet0/0
description LAN
ip address 192.168.243.253 255.255.248.0
ip mtu 1492
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
!
interface ATM0/1/0
description ALICE BUSINESS 20 Mbps - TGU: XXXXXXXXXXXXX
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
description INTERFACCIA PER ACCESSO AD INTERNET
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface Integrated-Service-Engine1/0
ip unnumbered FastEthernet0/0
ip nat inside
ip virtual-reassembly
service-module ip address 192.168.244.253 255.255.248.0
!Application: CUE Running on NME
service-module ip default-gateway 192.168.243.253
no keepalive
!
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0/1/0.1
ip route 192.168.244.253 255.255.255.255 Integrated-Service-Engine1/0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool IP-GATEWAY YYY.YYY.YYY.YYY YYY.YYY.YYY.YYY netmask 255.255.255.248
ip nat pool POOL-IP-PUBBLICI YYY.YYY.YYY.YYY[-1] YYY.YYY.YYY.YYY[+8] netmask 255.255.255.248
ip nat inside source list 100 pool IP-GATEWAY overload
ip nat inside source static 192.168.243.253 YYY.YYY.YYY.YYY
ip nat inside source static tcp 192.168.244.253 80 192.168.243.253 8080 extendable
!
access-list 100 permit ip 192.168.240.0 0.0.7.255 any
!
!
!
!
!
!
tftp-server flash:ATA030100SCCP040211A.zup
tftp-server flash:apps70.8-2-2TR2.sbn
...[OMITTED]....
tftp-server flash:Desktops/320x212x12/TN-Logo-Contract-cisco.png
tftp-server flash:Desktops/320x212x12/Logo-Contract-cisco.png
!
control-plane
!
!
!
voice-port 0/0/0
supervisory disconnect dualtone mid-call
input gain 6
output attenuation -6
cptone IT
timeouts call-disconnect 2
timeouts wait-release 1
connection plar opx 500
impedance complex2
description *** pstn verso XXXXX ***
caller-id enable
!
voice-port 0/0/1
supervisory disconnect dualtone mid-call
input gain 6
output attenuation -6
cptone IT
timeouts call-disconnect 2
timeouts wait-release 1
connection plar opx 500
impedance complex2
description *** pstn verso XXXXX ***
caller-id enable
!
voice-port 0/0/2
supervisory disconnect dualtone mid-call
input gain 6
output attenuation -6
cptone IT
timeouts call-disconnect 2
timeouts wait-release 1
connection plar opx 500
impedance complex2
description *** pstn verso gateway GSM ***
caller-id enable
!
voice-port 0/0/3
supervisory disconnect dualtone mid-call
input gain 6
output attenuation -6
cptone IT
timeouts call-disconnect 2
timeouts wait-release 1
connection plar opx 500
impedance complex2
description *** pstn verso XXXXX***
caller-id enable
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
dial-peer voice 40 voip
description *** unity voicemail pilot number ***
destination-pattern 400
session protocol sipv2
session target ipv4:192.168.244.253
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 50 voip
description *** unity auto attendant pilot number ***
destination-pattern 500
session protocol sipv2
session target ipv4:192.168.244.253
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 1 pots
description *** pstn XXXXX ***
destination-pattern 0T
port 0/0/0
!
dial-peer voice 2 pots
description *** pstn XXXXX ***
preference 1
destination-pattern 0T
port 0/0/1
!
dial-peer voice 3 pots
description *** pstn verso gasteway GSM ***
destination-pattern 9T
port 0/0/2
!
dial-peer voice 4 pots
description *** pstn XXXXXX ***
preference 1
destination-pattern 9T
port 0/0/3
!
!
!
!
telephony-service
no auto-reg-ephone
authentication credential XXXXXX XXXXXX
em logout 0:0 0:0 0:0
max-ephones 32
max-dn 128
ip source-address 192.168.243.253 port 2000
service phone videoCapability 1
service dnis overlay
service dnis dir-lookup
timeouts interdigit 3
timeouts busy 30
system message Cisco
url services http://192.168.244.253/voiceview/common/login.do
url authentication http://192.168.244.253/voiceview/authen ... nticate.do
user-locale IT
network-locale IT
load 7916-12 B016-1-0-3.sbn
load 7916-24 B016-1-0-3.sbn
load 7911 SCCP11.8-4-2S
load 7921 CP7921G-1.2.1.LOADS
load 7941 SCCP41.8-4-2S.loads
load 7961 SCCP41.8-4-2S.loads
load 7965 SCCP45.8-4-2S
load 7970 SCCP70.8-4-2S
load 7971 SCCP70.8-4-2S
load 7975 SCCP75.8-4-2S
load ata ATA030203SCCP051201A.zup
time-zone 23
time-format 24
date-format dd-mm-yy
keepalive 10
voicemail 400
max-conferences 8 gain -6
call-park system redirect
moh music-on-hold.au
web admin system name XXXXXXX password XXXXXXXX
web admin customer name XXXXX password XXXXXX
dn-webedit
time-webedit
transfer-system full-consult dss
secondary-dialtone 0
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-dn 1 dual-line
number 201
pickup-group 1
label David
description David
name David
call-forward busy 400
call-forward noan 400 timeout 16
hold-alert 15 idle
!
!
ephone-dn 2 dual-line
number 301
pickup-group 2
label Michele
description Michele
name Michele
call-forward all XXXXXX
call-forward busy 400
call-forward noan XXXXXXXX timeout 16
hold-alert 15 idle
!
!
ephone-dn 3 dual-line
number 302
pickup-group 2
label Corrado
description Corrado
name Corrado
call-forward busy 400
call-forward noan XXXXXX timeout 16
hold-alert 15 idle
!
!
ephone-dn 4 dual-line
number 202
pickup-group 1
label Fabio
description Fabio
name Fabio
call-forward busy 400
call-forward noan 400 timeout 16
hold-alert 15 idle
!
!
ephone-dn 5 dual-line
number 203
pickup-group 1
label Luca
description Luca
name Luca
call-forward busy 400
call-forward noan 400 timeout 16
hold-alert 15 idle
!
!
ephone-dn 6 dual-line
number 204
pickup-group 1
label Grafici
description Grafici
name Grafici
hold-alert 15 idle
!
!
ephone-dn 7 dual-line
number 312
pickup-group 1
label Corrado-Pc
description Corrado-Pc
name Corrado-Pc
hold-alert 15 idle
!
!
ephone-dn 8 dual-line
number 206
label Fax XXXXXX
description Fax XXXXX
name Fax XXXXXX
!
!
ephone-dn 9 dual-line
number 303
label Cordless
description Cordless
name Cordless
!
!
ephone-dn 10 dual-line
number 311
pickup-group 1
label Michele-Pc
description Michele-Pc
name Michele-Pc
hold-alert 15 idle
!
!
ephone-dn 20 dual-line
number 200
pickup-group 1
label XXXXXX
description XXXXXXXXXX
name XXXXXXXX
hold-alert 15 idle
!
!
ephone-dn 30 dual-line
number 300
pickup-group 2
label XXXXXXX
description XXXXXXXX
name XXXXXXXX
hold-alert 15 idle
!
!
ephone-dn 80
number 800...
mwi on
!
!
ephone-dn 81
number 801...
mwi off
!
!
ephone 1
device-security-mode none
video
mac-address XXXX.XXXX.XXXX
type 7965
keep-conference
button 1c1,20,30 2m4 3m5 4m6
button 5m3 6m2
!
!
!
ephone 2
device-security-mode none
video
mac-address XXXX.XXXX.XXXX
type 7965
keep-conference
button 1c2,30 2m3 3m1 4m4
button 5m5 6m6
!
!
!
ephone 3
device-security-mode none
video
mac-address XXXX.XXXX.XXXX
type 7965
keep-conference
button 1c3,20,30 2m2 3m1 4m5
button 5m4 6m6
!
!
!
ephone 4
device-security-mode none
mac-address XXXX.XXXX.XXXX
type 7911
button 1c4,20
!
!
!
ephone 5
device-security-mode none
mac-address XXXX.XXXX.XXXX
type 7911
button 1c5,20
!
!
!
ephone 6
device-security-mode none
mac-address XXXX.XXXX.XXXX
type 7911
button 1c6,20
!
!
!
ephone 7
device-security-mode none
mac-address XXXX.XXXX.XXXX
max-calls-per-button 2
type ata
button 1c9,20
!
!
!
ephone 8
device-security-mode none
mac-address XXXX.XXXX.XXXX
max-calls-per-button 2
type ata
button 1:8
!
!
!
ephone 9
device-security-mode none
mac-address XXXX.XXXX.XXXX
type CIPC
keep-conference
button 1c7,30 2m2 3m10 4m1
button 5m4 6m5 7m6 8:20
!
!
!
ephone 10
device-security-mode none
mac-address XXXX.XXXX.XXXX
type CIPC
keep-conference
button 1c10,30 2m3 3m7 4m1
button 5m4 6m5 7m6 8:20
!
!
banner login
--------------------------------------------------------------------
| G R U P P O XXXXXXXXXXXX N E T W O R K |
| |
|Sono permessi solo accessi autorizzati! |
|Disconnettersi IMMEDIATAMENTE se non siete un utente autorizzato! |
| |
|Authorized access only! |
|Disconnect IMMEDIATELY if you are not an authorized user! |
--------------------------------------------------------------------
!
line con 0
transport output telnet
line aux 0
transport output telnet
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
exec-timeout 30 0
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp server 192.5.41.209 prefer source ATM0/1/0.1
end


I would really be curious to know where this configuration is flawed..

Have a good evening everyone!
zot
Messianic Network master
Posts: 1274
Joined: Wed 17 Nov, 2004 1:13 am
Location: Teramo

Ahem, like, some kind of ACL on the outside??
Try setting up a SIP trunk from outside that points to your public IP....
If there is a solution, why get angry?
If there is no solution, why get angry?


http://www.zotbox.net
paolomos80
n00b
Posts: 1
Joined: Thu 01 Sep, 2011 8:25 am

Me too,

on Telecom installations, I have had the same problem. Did you manage to reach a conclusion about the most correct configuration?

Thanks in advance,

Paolo
micky
Cisco fan
Posts: 38
Joined: Wed 30 Apr, 2008 5:37 pm
Location: La Spezia

Unfortunately not, and even when setting up a SIP trunk from outside pointing at our public IP we did not record any connection..

The only solution adopted for now: no public IP configured directly on the router, which is NATted behind a firewall.

Bye and thanks for your interest; if you find the flaw, write!
paolomos80 wrote: Me too,

on Telecom installations, I have had the same problem. Did you manage to reach a conclusion about the most correct configuration?

Thanks in advance,

Paolo
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan, 2010 10:25 am
Location: Prov. of GE

Wouldn't an ACL, as suggested by zot, have been enough?

Bye
Paolo
No leaf falls unless the unconscious wills it (S.B.)
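
An added example, not code from any poster in this thread: a small Python audit for the gap the replies point at in the posted configuration (no inbound ACL on the `ip nat outside` interface), plus the exposure-related lines visible in the same config. The `SAMPLE` excerpt is constructed from lines of the posted configuration, and the check names are labels chosen for this example.

```python
import re

# Constructed excerpt: the lines of the posted configuration that the checks read.
SAMPLE = """\
interface ATM0/1/0.1 point-to-point
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat outside
!
ip http server
ip nat inside source static 192.168.243.253 YYY.YYY.YYY.YYY
ip nat inside source static tcp 192.168.244.253 80 192.168.243.253 8080 extendable
!
line vty 0 4
transport input telnet ssh
"""

def parse(config):
    """Return (sections, globals); a section runs from 'interface'/'line' to the next '!'."""
    sections, globals_, current = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(("interface ", "line ")):
            current = sections.setdefault(line, [])
        elif line == "!":
            current = None
        elif current is not None:
            current.append(line)
        elif line:
            globals_.append(line)
    return sections, globals_

def audit(config):
    """List (check, detail) findings; check names are this example's own labels."""
    sections, globals_ = parse(config)
    findings = []
    for header, cmds in sections.items():
        if header.startswith("interface ") and "ip nat outside" in cmds:
            if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds):
                findings.append(("no-inbound-acl", header.split()[1]))
        if header.startswith("line vty"):
            inputs = next((c.split()[2:] for c in cmds if c.startswith("transport input")), [])
            if "telnet" in inputs and not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
                findings.append(("telnet-vty-unrestricted", header))
    for line in globals_:
        m = re.fullmatch(r"ip nat inside source static (\d+(?:\.\d+){3}) \S+", line)
        if m:  # one-to-one static NAT publishes every port of the inside host
            findings.append(("one-to-one-static-nat", m.group(1)))
        if line == "ip http server":
            findings.append(("http-server-enabled", line))
    return findings
```

The parser relies on `!` separators rather than indentation, so it also works on the configuration as pasted above. Adding an `ip access-group <name> in` line under the outside interface clears the first finding; the ACL name and its entries are left to the operator.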