[cisco-voip] ACLs for voice

Wes Sisk wsisk at cisco.com
Wed Aug 10 11:34:10 EDT 2011


Yes. You tested an inbound call to this device after it registered?

Regards,
Wes

On 8/10/2011 9:20 AM, Lelio Fulgenzi wrote:
> Tested SIP and it worked without adding the permit all for sessions 
> initiated from CUCM ephemeral port range toward the end points. I'm 
> guessing this is because of the fact that I have a "permit 
> established" on the out ACL and the phone maintains the initial 
> connection to the CUCM.
>
> I will have to test calling from a subscriber that is not in the SIP 
> phone's device pool to see if that breaks things or not.
>
> Is it always the CUCM that the phone is registered to that initiates 
> the connection you mention below?
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Cooking with unix is easy. You just sed it and forget it.
>                               - LFJ (with apologies to Mr. Popeil)
>
>
> ------------------------------------------------------------------------
> *From: *"Wes Sisk" <wsisk at cisco.com>
> *To: *"Lelio Fulgenzi" <lelio at uoguelph.ca>
> *Cc: *"cisco-voip (cisco-voip at puck.nether.net)" 
> <cisco-voip at puck.nether.net>
> *Sent: *Tuesday, August 2, 2011 4:37:11 PM
> *Subject: *Re: [cisco-voip] ACLs for voice
>
> Most documents are superseded by the port numbers built into the 
> platform now. Under platform web pages show->ip preferences.
>
> This lists each service, port numbers, and peer device.
>
> For SIP trunks the port usage is somewhat configurable. For SIP line 
> side it is:
>
> Phone initiates TCP session from TCP port 49499 to CUCM port 5060.
> Phone sends register and proceeds as expected.
> Another endpoint initiates a call to CUCM that is routed to this 
> phone.  CUCM attempts to initiate a TCP session from a CUCM ephemeral 
> port to this phone on port 49499.
>
> You're not going to be able to do an ACL for SIP traffic other than 
> permit all for sessions initiated from CUCM ephemeral port range 
> toward the end points.
>
> Regards,
> Wes
>
> On 8/2/2011 4:04 PM, Lelio Fulgenzi wrote:
>
>     As mentioned in a previous thread, I'm updating our voice VLAN
>     ACLs. I'm using 'established' entries to help out, but I'm going
>     to assume many of the protocols are two way, so I'd like to
>     include those where possible.
>
>     In reading the documentation, some of the requirements show what
>     I'm pretty sure is a one way connection, i.e. Phone -> Unified CM
>     = 2000/TCP. I take this to mean the phone picks a random TCP port
>     and communicates to the Unified CM on port 2000 from this random port.
>
>     Others show Phone -> Unified CM = 5060/TCP,UDP and the opposite,
>     Unified CM -> Phone = 5060/TCP,UDP.
>
>     Does this mean that the phone talks to Unified CM using port 5060
>     to port 5060, -or- does it mean that the phone picks a random port
>     to talk to the Unified CM port 5060 and sometimes the Unified CM
>     picks a random port to talk to the Phone's 5060 port?
>
>     These are two different things in my opinion.
>
>     Thoughts?
>
>     Lelio
>
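The exchange above, as an added example that is not part of the thread and not Cisco code: a small Python model of how an IOS-style access list containing a `permit ... established` entry treats the two SIP line-side flows Wes describes (the phone-opened REGISTER session and a CUCM-initiated session for an inbound call). The addresses, ACL contents and the CUCM ephemeral port are constructed; tying the extra entry to the phone's port 49499 is an assumption drawn from Wes's description (his wording, "permit all for sessions initiated from CUCM ephemeral port range toward the end points", would be a looser entry). The `established` semantics modelled are IOS's: the entry matches only TCP segments with the ACK or RST bit set.

```python
# Added example, not from the thread or from Cisco: model an IOS-style ACL
# with a 'permit ... established' entry against the SIP line-side flows.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions): voice VLAN and CUCM subscriber subnet.
VOICE_VLAN = "10.10.0.0/16"
CUCM_SUBNET = "10.0.1.0/24"
PHONE = "10.10.5.21"
CUCM_A = "10.0.1.10"     # subscriber the phone is registered to
CUCM_B = "10.0.1.11"     # another subscriber in the cluster


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP control bits, e.g. {"SYN"}, {"ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dport None means any destination port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: str                         # prefix or "any"
    dst: str
    dport: Optional[int] = None
    established: bool = False        # IOS: match only segments with ACK or RST set


def _in_prefix(addr, prefix):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in_prefix(pkt.src, ace.src) and _in_prefix(pkt.dst, ace.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established:
        # 'established' never matches the opening SYN of a new session
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    return True


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Outbound ACL on the voice VLAN (router -> phones) as Lelio describes it:
# only return traffic of phone-initiated TCP sessions is permitted.
OUT_ACL_WEAK = [
    Ace("permit", "tcp", "any", VOICE_VLAN, established=True),
]

# Same ACL plus an entry for sessions CUCM initiates toward the endpoints;
# bounding it to the CUCM subnet and the phone's port 49499 is an assumption.
OUT_ACL_FIXED = OUT_ACL_WEAK + [
    Ace("permit", "tcp", CUCM_SUBNET, VOICE_VLAN, dport=49499),
]


def sip_line_side_flows():
    """Constructed packets heading toward the phone for the two cases."""
    return {
        # CUCM's reply inside the TCP session the phone opened for REGISTER
        "register_reply": Packet("tcp", CUCM_A, 5060, PHONE, 49499, frozenset({"ACK"})),
        # A subscriber opens a new session from an ephemeral port for an inbound call
        "inbound_call_syn": Packet("tcp", CUCM_B, 52001, PHONE, 49499, frozenset({"SYN"})),
    }


def check(acl):
    """Map each flow name to the ACL verdict for its packet."""
    return {name: evaluate(acl, pkt) for name, pkt in sip_line_side_flows().items()}


if __name__ == "__main__":
    for label, acl in (("weak", OUT_ACL_WEAK), ("fixed", OUT_ACL_FIXED)):
        print(label, check(acl))
```

Running it shows the weak ACL permitting CUCM's reply inside the phone-opened session while dropping the SYN of the CUCM-initiated session, which is exactly the inbound-call case Wes asks whether Lelio tested; registration succeeding on its own does not prove the ACL is complete.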