[cisco-voip] more ACL questions - RTP from CUE outside RTP range

Matthew Loraditch MLoraditch at heliontechnologies.com
Sat Jan 7 12:01:30 EST 2012


Well the only thing I can think of is instead of plain ACL's using Zone Based Firewalls and then you can match on protocols instead of ports. Obviously that's a whole other ball of wax, and requires the right equipment and IOS levels. Beyond that I can't think of anything else.




Matthew G. Loraditch - CCVP, CCNA, CCDA

1965 Greenspring Drive
Timonium, MD 21093

voice. 410.252.8830
fax.  410.252.9284

Twitter<http://twitter.com/heliontech>  |  Facebook<http://www.facebook.com/#!/pages/Helion/252157915296>  | Website<http://www.heliontechnologies.com/>  |  Email Support<mailto:support at heliontechnologies.com?subject=Technical%20Support%20Request>
________________________________
From: cisco-voip-bounces at puck.nether.net [cisco-voip-bounces at puck.nether.net] on behalf of Lelio Fulgenzi [lelio at uoguelph.ca]
Sent: Friday, January 06, 2012 11:26 PM
To: Wes Sisk
Cc: Cisco VoIPoE List
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range

so it looks like the Cisco Jabber client uses an RTP port out of this range as well.

considering that we could be using devices other than Cisco phones on our voice VLANs, and who knows, maybe even Cisco phones will change depending on the underlying OS, i'm guessing i'm going to have to change my ACLs to be either of:

permit udp <network> <mask> range 16384 65535 udp <network> <mask> range 16384 65535

OR

permit udp <network> <mask> range 1024 65535 udp <network> <mask> range 1024 65535

I'm a little leary of doing the latter, but if need be, I'll do it.

What are people's thoughts?

Lelio
---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
                              - LFJ (with apologies to Mr. Popeil)


________________________________
From: "Lelio Fulgenzi" <lelio at uoguelph.ca>
To: "Wes Sisk" <wsisk at cisco.com>
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net>
Sent: Friday, December 2, 2011 5:34:04 PM
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range

so how is someone supposed to set up ACLs to protect his voice network if these things don't follow the range outlined in the documents?

I'm guessing for now I can change my phone ACLs to be:

out:
permit udp <net> <mask> 10.104.0.0 0.0.255.255 range 16384 32767

in:
permit udp 10.104.0.0 0.0.255.255 range 16384 32767 <net> <mask>

seems like ACLs are a loosing proposition. which isn't easy.


---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
                              - LFJ (with apologies to Mr. Popeil)


________________________________
From: "Wes Sisk" <wsisk at cisco.com>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net>
Sent: Friday, December 2, 2011 5:24:05 PM
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range

only some devices use that port range for RTP.  CUCM does not. CIPC does not.  IOS does because of the way it allocates port numbers.

for anything based on a common os (windows/linux) the socket command does not allow specifying a subset of port numbers. this makes compliance nearly impossible.

CUE is running on linux.

On Dec 2, 2011, at 5:02 PM, Lelio Fulgenzi wrote:

So I've got another ACL question.

When trying to communicate with my CUE module, I get the following error:

%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp cue.ipaddr(32773) -> ipphone.ipaddr(19072), 1 packet

I'm assuming this is RTP communications, but then why is the source address higher than the advertised range 16384 to 32767?

I always thought RTP would only communicate to each other from and to a port within this range.

Thoughts?



---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Cooking with unix is easy. You just sed it and forget it.
                              - LFJ (with apologies to Mr. Popeil)


_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20120107/00637b62/attachment.html>


More information about the cisco-voip mailing list