[cisco-voip] more ACL questions - RTP from CUE outside RTP range

Lelio Fulgenzi lelio at uoguelph.ca
Fri Jan 6 23:26:52 EST 2012


so it looks like the Cisco Jabber client uses an RTP port out of this range as well. 

considering that we could be using devices other than Cisco phones on our voice VLANs, and who knows, maybe even Cisco phones will change depending on the underlying OS, i'm guessing i'm going to have to change my ACLs to be either of: 

permit udp <network> <mask> range 16384 65535 udp <network> <mask> range 16384 65535 

OR 

permit udp <network> <mask> range 1024 65535 udp <network> <mask> range 1024 65535 

I'm a little leery of doing the latter, but if need be, I'll do it. 

What are people's thoughts? 

Lelio 
--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Cooking with unix is easy. You just sed it and forget it. 
- LFJ (with apologies to Mr. Popeil) 
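Added here as an example (not from the thread, and not Cisco's code): a small Python audit that parses IPACCESSLOGP deny lines like the one quoted further down and reports which ports fell outside the documented 16384-32767 range, so the choice between the two wider ranges above can rest on what the logs actually show. The regex and the two extra sample lines are constructed assumptions.

```python
import re

# Regex for the IOS "%SEC-6-IPACCESSLOGP" line quoted in this thread; the
# pattern is an assumption derived from that one sample, not Cisco's spec.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.\-]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.\-]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# Documented phone RTP range discussed in the thread.
RTP_RANGE = (16384, 32767)

# Constructed sample log: the real line from the thread plus two made-up ones.
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp "
    "cue.ipaddr(32773) -> ipphone.ipaddr(19072), 1 packet",
    "%SEC-6-IPACCESSLOGP: list voice_endpoints_in denied udp "
    "10.104.5.20(49218) -> 10.104.7.11(20000), 7 packets",
    "%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp "
    "10.104.2.3(20480) -> 10.104.2.4(24000), 2 packets",
]

def parse_line(line):
    """Parse one ACL log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def audit(lines, rng=RTP_RANGE):
    """Denied UDP flows with a source or destination port outside rng; each
    finding records which side(s) fell outside (phone side, server side, both)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != "udp":
            continue
        out = [s for s in ("src", "dst") if not rng[0] <= rec[s[0] + "port"] <= rng[1]]
        if out:
            rec["out_of_range"] = out
            findings.append(rec)
    return findings

def needed_range(findings, rng=RTP_RANGE):
    """Smallest (lo, hi) covering rng plus every out-of-range port actually seen."""
    ports = [f[s[0] + "port"] for f in findings for s in f["out_of_range"]]
    return (min([rng[0], *ports]), max([rng[1], *ports]))
```

Feed it the output of `show logging` (or the syslog collector's file) and the result tells you whether only the server side ever strays above 32767, which is the case the wider-but-not-1024 range would still cover.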


----- Original Message -----
From: "Lelio Fulgenzi" <lelio at uoguelph.ca> 
To: "Wes Sisk" <wsisk at cisco.com> 
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net> 
Sent: Friday, December 2, 2011 5:34:04 PM 
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range 


so how is someone supposed to set up ACLs to protect his voice network if these things don't follow the range outlined in the documents? 

I'm guessing for now I can change my phone ACLs to be: 

out: 
permit udp <net> <mask> 10.104.0.0 0.0.255.255 range 16384 32767 

in: 
permit udp 10.104.0.0 0.0.255.255 range 16384 32767 <net> <mask> 

seems like ACLs are a losing proposition. which isn't easy. 




----- Original Message -----
From: "Wes Sisk" <wsisk at cisco.com> 
To: "Lelio Fulgenzi" <lelio at uoguelph.ca> 
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net> 
Sent: Friday, December 2, 2011 5:24:05 PM 
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range 

only some devices use that port range for RTP. CUCM does not. CIPC does not. IOS does because of the way it allocates port numbers. 


for anything based on a common os (windows/linux) the socket command does not allow specifying a subset of port numbers. this makes compliance nearly impossible. 


CUE is running on linux. 



On Dec 2, 2011, at 5:02 PM, Lelio Fulgenzi wrote: 


So I've got another ACL question. 

When trying to communicate with my CUE module, I get the following error: 

%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp cue.ipaddr(32773) -> ipphone.ipaddr(19072), 1 packet 

I'm assuming this is RTP communications, but then why is the source address higher than the advertised range 16384 to 32767? 

I always thought RTP would only communicate to each other from and to a port within this range. 

Thoughts? 




