[cisco-voip] more ACL questions - RTP from CUE outside RTP range

Lelio Fulgenzi lelio at uoguelph.ca
Mon Jan 9 09:36:53 EST 2012


Unfortunately, zone based firewalls are not an option right now, so I'm stuck with ACLs.

At this point I'm just wondering if starting at 1024 is required or if 16384 is sufficient.

--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Cooking with unix is easy. You just sed it and forget it. 
- LFJ (with apologies to Mr. Popeil) 


----- Original Message -----
From: "Matthew Loraditch" <MLoraditch at heliontechnologies.com> 
To: "Lelio Fulgenzi" <lelio at uoguelph.ca>, "Wes Sisk" <wsisk at cisco.com> 
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net> 
Sent: Saturday, January 7, 2012 12:01:30 PM 
Subject: RE: [cisco-voip] more ACL questions - RTP from CUE outside RTP range 

Well the only thing I can think of is instead of plain ACLs using Zone Based Firewalls and then you can match on protocols instead of ports. Obviously that's a whole other ball of wax, and requires the right equipment and IOS levels. Beyond that I can't think of anything else.

Matthew G. Loraditch - CCVP, CCNA, CCDA 

1965 Greenspring Drive 
Timonium, MD 21093 

voice. 410.252.8830 
fax. 410.252.9284 



From: cisco-voip-bounces at puck.nether.net [cisco-voip-bounces at puck.nether.net] on behalf of Lelio Fulgenzi [lelio at uoguelph.ca] 
Sent: Friday, January 06, 2012 11:26 PM 
To: Wes Sisk 
Cc: Cisco VoIPoE List 
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range 

So it looks like the Cisco Jabber client uses an RTP port out of this range as well.

Considering that we could be using devices other than Cisco phones on our voice VLANs, and who knows, maybe even Cisco phones will change depending on the underlying OS, I'm guessing I'm going to have to change my ACLs to be either of:

permit udp <network> <mask> range 16384 65535 udp <network> <mask> range 16384 65535 

OR 

permit udp <network> <mask> range 1024 65535 udp <network> <mask> range 1024 65535 

I'm a little leery of doing the latter, but if need be, I'll do it.

What are people's thoughts? 

Lelio 
--- 
Lelio Fulgenzi, B.A. 
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1 
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU) 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Cooking with unix is easy. You just sed it and forget it. 
- LFJ (with apologies to Mr. Popeil) 
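As an added example (not code from the thread), a small Python script that parses a denied-packet log line of the kind quoted later in this thread and checks the observed CUE-to-phone flow against each port range proposed above, together with the share of the UDP port space each range opens. The addresses in the sample log line are constructed placeholders.

```python
import re

# Constructed sample, modelled on the %SEC-6-IPACCESSLOGP line quoted in the
# thread; the hostnames are replaced with made-up addresses.
SAMPLE_LOG = ("%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp "
              "10.104.7.21(32773) -> 192.0.2.50(19072), 1 packet")

LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_denial(line):
    """Extract ACL name, protocol, addresses and ports from a denial log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an IPACCESSLOGP denial: %r" % line)
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow

# The port ranges weighed in the thread, as (low, high) inclusive.
CANDIDATES = {
    "rtp-doc":   (16384, 32767),   # documented phone RTP range
    "rtp-wide":  (16384, 65535),   # first option proposed above
    "ephemeral": (1024, 65535),    # second option proposed above
}

def in_range(port, rng):
    lo, hi = rng
    return lo <= port <= hi

def permitted(flow, rng):
    """Symmetric ACE ('range X Y ... range X Y'): both ports must be in range."""
    return in_range(flow["sport"], rng) and in_range(flow["dport"], rng)

def exposure(rng):
    """Fraction of the 65536 UDP ports that a range leaves open."""
    lo, hi = rng
    return (hi - lo + 1) / 65536

def evaluate(line):
    """Map each candidate range to (would this flow be permitted, exposure)."""
    flow = parse_denial(line)
    return {name: (permitted(flow, rng), round(exposure(rng), 3))
            for name, rng in CANDIDATES.items()}

if __name__ == "__main__":
    for name, (ok, exp) in evaluate(SAMPLE_LOG).items():
        print(f"{name:10s} permit={str(ok):5s} opens {exp:.1%} of UDP ports")
```

Run against the sample line, the documented range still drops the flow because source port 32773 lies just past 32767, while the two wider options admit it at the cost of opening three quarters, or nearly all, of the UDP port space between the two networks.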


----- Original Message -----
From: "Lelio Fulgenzi" <lelio at uoguelph.ca> 
To: "Wes Sisk" <wsisk at cisco.com> 
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net> 
Sent: Friday, December 2, 2011 5:34:04 PM 
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range 


So how is someone supposed to set up ACLs to protect his voice network if these things don't follow the range outlined in the documents?

I'm guessing for now I can change my phone ACLs to be: 

out: 
permit udp <net> <mask> 10.104.0.0 0.0.255.255 range 16384 32767 

in: 
permit udp 10.104.0.0 0.0.255.255 range 16384 32767 <net> <mask> 

Seems like ACLs are a losing proposition. Which isn't easy.




----- Original Message -----
From: "Wes Sisk" <wsisk at cisco.com> 
To: "Lelio Fulgenzi" <lelio at uoguelph.ca> 
Cc: "Cisco VoIPoE List" <cisco-voip at puck.nether.net> 
Sent: Friday, December 2, 2011 5:24:05 PM 
Subject: Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range 

Only some devices use that port range for RTP. CUCM does not. CIPC does not. IOS does because of the way it allocates port numbers.

For anything based on a common OS (Windows/Linux) the socket command does not allow specifying a subset of port numbers. This makes compliance nearly impossible.

CUE is running on Linux.



On Dec 2, 2011, at 5:02 PM, Lelio Fulgenzi wrote: 


So I've got another ACL question. 

When trying to communicate with my CUE module, I get the following error: 

%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp cue.ipaddr(32773) -> ipphone.ipaddr(19072), 1 packet 

I'm assuming this is RTP communications, but then why is the source address higher than the advertised range 16384 to 32767? 

I always thought RTP would only communicate to each other from and to a port within this range. 

Thoughts? 





_______________________________________________ 
cisco-voip mailing list 
cisco-voip at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-voip 
