[cisco-voip] ACLs for voice
Wes Sisk
wsisk at cisco.com
Wed Aug 10 11:34:10 EDT 2011
Yes. You tested an inbound call to this device after it registered?
Regards,
Wes
On 8/10/2011 9:20 AM, Lelio Fulgenzi wrote:
> Test SIP and it worked without adding the permit all for sessions
> initiated from CUCM ephemeral port range toward the end points. I'm
> guessing this is because of the fact that I have a "permit
> established" on the out ACL and the phone maintains the initial
> connection to the CUCM.
>
> I will have to test calling from a subscriber that is not in the SIP
> phone's device pool to see if that breaks things or not.
>
> Is it always the CUCM that the phone is registered to that initiates
> the connection you mention below?
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Cooking with unix is easy. You just sed it and forget it.
> - LFJ (with apologies to Mr. Popeil)
>
>
> ------------------------------------------------------------------------
> *From: *"Wes Sisk" <wsisk at cisco.com>
> *To: *"Lelio Fulgenzi" <lelio at uoguelph.ca>
> *Cc: *"cisco-voip (cisco-voip at puck.nether.net)"
> <cisco-voip at puck.nether.net>
> *Sent: *Tuesday, August 2, 2011 4:37:11 PM
> *Subject: *Re: [cisco-voip] ACLs for voice
>
> Most documents are superseded by the port numbers built into the
> platform now. Under platform web pages show->ip preferences.
>
> This lists each service, port numbers, and peer device.
>
> For SIP trunks the port usage is somewhat configurable. For SIP line
> side it is:
>
> Phone initiates TCP session from TCP port 49499 to CUCM port 5060.
> Phone sends register and proceeds as expected.
> Another endpoint initiates a call to CUCM that is routed to this
> phone. CUCM attempts to initiate a TCP session from a CUCM ephemeral
> port to this phone on port 49499.
>
> You're not going to be able to do an ACL for SIP traffic other than
> permit all for sessions initiated from CUCM ephemeral port range
> toward the end points.
>
> Regards,
> Wes
>
> On 8/2/2011 4:04 PM, Lelio Fulgenzi wrote:
>
> As mentioned in a previous thread, I'm updating our voice VLAN
> ACLs. I'm using 'established' entries to help out, but I'm going
> to assume many of the protocols are two way, so I'd like to
> include those where possible.
>
> In reading the documentation, some of the requirements show what
> I'm pretty sure is a one way connection, i.e. Phone -> Unified CM
> = 2000/TCP. I take this to mean the phone picks a random TCP port
> and communicates to the Unified CM on port 2000 from this random port.
>
> Others show Phone -> Unified CM = 5060/TCP,UDP and the opposite,
> Unified CM -> Phone = 5060/TCP,UDP.
>
> Does this mean that the phone talks to Unified CM using port 5060
> to port 5060, -or- does it mean that the phone picks a random port
> to talk to the Unified CM port 5060 and sometimes the Unified CM
> picks a random port to talk to the Phone's 5060 port?
>
> There two different things in my opinion.
>
> Thoughts?
>
> Lelio
>
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Cooking with unix is easy. You just sed it and forget it.
> - LFJ (with apologies to Mr. Popeil)
>
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20110810/d8ad9d0f/attachment.html>
More information about the cisco-voip
mailing list