<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>Yup. That's what I did. <span><br><br>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it. <br> - LFJ (with apologies to Mr. Popeil)<br><br></span><br><hr id="zwchr"><b>From: </b>"Wes Sisk" <wsisk@cisco.com><br><b>To: </b>"Lelio Fulgenzi" <lelio@uoguelph.ca><br><b>Cc: </b>"cisco-voip (cisco-voip@puck.nether.net)" <cisco-voip@puck.nether.net><br><b>Sent: </b>Wednesday, August 10, 2011 11:34:10 AM<br><b>Subject: </b>Re: [cisco-voip] ACLs for voice<br><br>
Yes. You tested an inbound call to this device after it registered?<br>
<br>
Regards,<br>
Wes<br>
<br>
On 8/10/2011 9:20 AM, Lelio Fulgenzi wrote:
<blockquote cite="mid:2087643634.1622364.1312982424994.JavaMail.root@erie.cs.uoguelph.ca">
<div style="font-family: Verdana; font-size: 10pt; color: rgb(0, 0, 0);">Tested SIP and it worked without adding the permit all for
sessions initiated from CUCM ephemeral port range toward the end
points. I'm guessing this is because of the fact that I have a
"permit established" on the out ACL and the phone maintains the
initial connection to the CUCM.<br>
<br>
I will have to test calling from a subscriber that is not in the
SIP phone's device pool to see if that breaks things or not.<br>
<br>
Is it always the CUCM that the phone is registered to that
initiates the connection you mention below?<br>
<br>
<hr id="zwchr"><b>From: </b>"Wes Sisk" <a class="moz-txt-link-rfc2396E" href="mailto:wsisk@cisco.com" target="_blank"><wsisk@cisco.com></a><br>
<b>To: </b>"Lelio Fulgenzi" <a class="moz-txt-link-rfc2396E" href="mailto:lelio@uoguelph.ca" target="_blank"><lelio@uoguelph.ca></a><br>
<b>Cc: </b>"cisco-voip (<a class="moz-txt-link-abbreviated" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>)"
<a class="moz-txt-link-rfc2396E" href="mailto:cisco-voip@puck.nether.net" target="_blank"><cisco-voip@puck.nether.net></a><br>
<b>Sent: </b>Tuesday, August 2, 2011 4:37:11 PM<br>
<b>Subject: </b>Re: [cisco-voip] ACLs for voice<br>
<br>
Most documents are superseded by the port numbers built into the
platform now. Under platform web pages show->ip preferences.<br>
<br>
This lists each service, port numbers, and peer device.<br>
<br>
For SIP trunks the port usage is somewhat configurable. For SIP
line side it is:<br>
<br>
Phone initiates TCP session from TCP port 49499 to CUCM port
5060.<br>
Phone sends register and proceeds as expected.<br>
Another endpoint initiates a call to CUCM that is routed to this
phone. CUCM attempts to initiate a TCP session from a CUCM
ephemeral port to this phone on port 49499.<br>
<br>
You're not going to be able to do an ACL for SIP traffic other
than permit all for sessions initiated from CUCM ephemeral port
range toward the end points.<br>
<br>
Regards,<br>
Wes<br>
<br>
On 8/2/2011 4:04 PM, Lelio Fulgenzi wrote:
<blockquote cite="mid:797033825.1305129.1312315445650.JavaMail.root@erie.cs.uoguelph.ca">
<div style="font-family: Verdana; font-size: 10pt; color: rgb(0, 0, 0);">As mentioned in a previous thread, I'm
updating our voice VLAN ACLs<span>. I'm using 'established'
entries to help out, but I'm going to assume many of the
protocols are two way, so I'd like to include those where
possible.<br>
<br>
In reading the documentation, some of the requirements
show what I'm pretty sure is a one way connection, i.e.
Phone -> Unified CM = 2000/TCP. I take this to mean the
phone picks a random TCP port and communicates to the </span><span id="7cfbb40c-a4b1-4204-bd00-d872375142d4">Unified CM </span><span id="7cfbb40c-a4b1-4204-bd00-d872375142d4"> on port 2000
from this random port.<br>
<br>
Others show Phone -> Unified CM = 5060/TCP,UDP and the
opposite, </span><span id="7cfbb40c-a4b1-4204-bd00-d872375142d4">Unified CM ->
</span><span id="7cfbb40c-a4b1-4204-bd00-d872375142d4">Phone
</span><span id="7cfbb40c-a4b1-4204-bd00-d872375142d4">=
5060/TCP,UDP.<br>
<br>
Does this mean that the phone talks to Unified CM using
port 5060 to port 5060, -or- does it mean that the phone
picks a random port to talk to the Unified CM port 5060
and sometimes the Unified CM picks a random port to talk
to the Phone's 5060 port?<br>
<br>
They're two different things in my opinion.<br>
<br>
Thoughts?<br>
<br>
Lelio<br>
<br>
</span><br>
</div>
<pre>
_______________________________________________
cisco-voip mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</blockquote>
</div>
</blockquote>
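<p>Added example, not code from this thread or from Cisco: a small Python model of an IOS extended ACL with the established keyword (which matches only TCP segments that have ACK or RST set), run against the SIP line-side flows Wes lists above. The addresses, the ACL entries and the three packets are constructed; the out ACL is modelled the way Lelio describes it, filtering traffic from CUCM toward the phones, once with only a permit established entry and once with the extra permit for sessions CUCM starts from its ephemeral ports toward phone port 49499.</p>

```python
import ipaddress
from collections import namedtuple

# Constructed addressing for this model; substitute your own ranges.
CUCM = ipaddress.ip_network("10.0.1.0/24")      # CUCM cluster nodes
PHONES = ipaddress.ip_network("10.0.100.0/24")  # voice VLAN
ANY, EPHEMERAL = range(0, 65536), range(1024, 65536)

# A TCP segment: addresses, ports and the set of flag names that are set.
Packet = namedtuple("Packet", "src sport dst dport flags")
# One access-list entry, e.g. "permit tcp CUCM gt 1023 PHONES eq 49499".
# established=True gives IOS semantics: match only if ACK or RST is set.
Ace = namedtuple("Ace", "action src sports dst dports established", defaults=(False,))

def ace_matches(ace, pkt):
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if pkt.sport not in ace.sports or pkt.dport not in ace.dports:
        return False
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Out ACL on the voice VLAN, i.e. traffic from CUCM toward the phones,
# with only the "permit established" entry Lelio mentions.
ESTABLISHED_ONLY = [Ace("permit", CUCM, ANY, PHONES, ANY, established=True)]
# The same ACL plus the permit Wes describes: CUCM ephemeral ports -> phone 49499.
WITH_CUCM_INITIATED = [Ace("permit", CUCM, EPHEMERAL, PHONES, range(49499, 49500))] + ESTABLISHED_ONLY

# SYN/ACK answering the phone's registration from CUCM port 5060: ACK is set.
REG_SYNACK = Packet("10.0.1.10", 5060, "10.0.100.20", 49499, frozenset({"SYN", "ACK"}))
# Inbound call carried on the connection the phone still holds open to CUCM.
CALL_ON_EXISTING = Packet("10.0.1.10", 5060, "10.0.100.20", 49499, frozenset({"ACK", "PSH"}))
# Inbound call as a fresh TCP session from a CUCM ephemeral port: no ACK yet.
CALL_NEW_SESSION = Packet("10.0.1.10", 53012, "10.0.100.20", 49499, frozenset({"SYN"}))

if __name__ == "__main__":
    for name, pkt in [("registration reply", REG_SYNACK), ("call on existing connection", CALL_ON_EXISTING), ("call as new session", CALL_NEW_SESSION)]:
        print(f"{name}: established-only={evaluate(ESTABLISHED_ONLY, pkt)}, with CUCM-initiated permit={evaluate(WITH_CUCM_INITIATED, pkt)}")
```

<p>The fresh SYN from a CUCM ephemeral port is the only one of the three that the established-only ACL drops, which is why a call that rides the phone's existing registration connection passes while one that opens a new session needs the explicit permit.</p>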
</div></body></html>