<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>unfortunately, zone based firewalls are not an option right now, so I'm stuck with ACLs.<br><br>at this point I'm just wondering if starting at 1024 is required or if 16384 is sufficient.<br><span><br><span name="x"></span>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it. <br> - LFJ (with apologies to Mr. Popeil)<br><span name="x"></span><br></span><br><hr id="zwchr"><b>From: </b>"Matthew Loraditch" <MLoraditch@heliontechnologies.com><br><b>To: </b>"Lelio Fulgenzi" <lelio@uoguelph.ca>, "Wes Sisk" <wsisk@cisco.com><br><b>Cc: </b>"Cisco VoIPoE List" <cisco-voip@puck.nether.net><br><b>Sent: </b>Saturday, January 7, 2012 12:01:30 PM<br><b>Subject: </b>RE: [cisco-voip] more ACL questions - RTP from CUE outside RTP range<br><br>
<style>P {
MARGIN: 0px
}
</style><style id="owaParaStyle">P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</style>
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<p>Well the only thing I can think of is instead of plain ACL's using Zone Based Firewalls and then you can match on protocols instead of ports. Obviously that's a whole other ball of wax, and requires the right equipment and IOS levels. Beyond that I can't
think of anything else.</p>
<p> </p>
<div>
<p> </p>
<div style="FONT-FAMILY: Tahoma; FONT-SIZE: 13px">
<div><font face="Tahoma" size="2"><span style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #244061; FONT-SIZE: 11pt">
<p style="MARGIN: 0in 0in 0pt" class="MsoNormal"><span><font color="#000000">Matthew G. Loraditch - CCVP, CCNA, CCDA<br>
</font></span><span style="FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 9pt"><br>
<font color="#000000">1965 Greenspring Drive</font></span><span><br>
</span><span style="FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 9pt"><font color="#000000">Timonium, MD 21093</font></span><span><br>
</span><span style="FONT-FAMILY: 'Arial','sans-serif'; FONT-SIZE: 9pt"><br>
<font color="#000000">voice. 410.252.8830<br>
fax. 410.252.9284 <br>
<br>
</font><a href="http://twitter.com/heliontech" target="_blank"><span style="COLOR: blue">Twitter</span></a><font color="#000000"> |
</font><a href="http://www.facebook.com/#%21/pages/Helion/252157915296" target="_blank"><span style="COLOR: blue">Facebook</span></a><font color="#000000"> |
</font><a href="http://www.heliontechnologies.com/" target="_blank"><span style="COLOR: blue">Website</span></a><font color="#000000"> |
</font><a href="mailto:support@heliontechnologies.com?subject=Technical%20Support%20Request" target="_blank"><span style="COLOR: blue">Email Support</span></a></span><span style="FONT-FAMILY: 'Arial','sans-serif'"></span></p>
</span></font></div>
</div>
</div>
<div style="FONT-FAMILY: Times New Roman; COLOR: #000000; FONT-SIZE: 16px">
<hr>
<div style="DIRECTION: ltr" id="divRpF146412"><font color="#000000" face="Tahoma" size="2"><b>From:</b> cisco-voip-bounces@puck.nether.net [cisco-voip-bounces@puck.nether.net] on behalf of Lelio Fulgenzi [lelio@uoguelph.ca]<br>
<b>Sent:</b> Friday, January 06, 2012 11:26 PM<br>
<b>To:</b> Wes Sisk<br>
<b>Cc:</b> Cisco VoIPoE List<br>
<b>Subject:</b> Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range<br>
</font><br>
</div>
<div></div>
<div>
<div style="FONT-FAMILY: Verdana; COLOR: #000000; FONT-SIZE: 10pt">so it looks like the Cisco Jabber client uses an RTP port out of this range as well.<br>
<br>
considering that we could be using devices other than Cisco phones on our voice VLANs, and who knows, maybe even Cisco phones will change depending on the underlying OS, i'm guessing i'm going to have to change my ACLs to be either of:<br>
<br>
permit udp <network> <mask> range 16384 65535 udp <network> <mask> range 16384 65535<br>
<br>
OR<br>
<br>
permit udp <network> <mask> range 1024 65535 udp <network> <mask> range 1024 65535<br>
<br>
<span>I'm a little leary of doing the latter, but if need be, I'll do it.<br>
<br>
What are people's thoughts?<br>
<br>
Lelio<br>
<span></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
Cooking with unix is easy. You just sed it and forget it. <br>
- LFJ (with apologies to Mr. Popeil)<br>
<span></span><br>
</span><br>
<hr id="zwchr">
<b>From: </b>"Lelio Fulgenzi" <lelio@uoguelph.ca><br>
<b>To: </b>"Wes Sisk" <wsisk@cisco.com><br>
<b>Cc: </b>"Cisco VoIPoE List" <cisco-voip@puck.nether.net><br>
<b>Sent: </b>Friday, December 2, 2011 5:34:04 PM<br>
<b>Subject: </b>Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range<br>
<br>
<style>P {
MARGIN: 0px
}
</style>
<div style="FONT-FAMILY: Verdana; COLOR: rgb(0,0,0); FONT-SIZE: 10pt">so how is someone supposed to set up ACLs to protect his voice network if these things don't follow the range outlined in the documents?<br>
<br>
I'm guessing for now I can change my phone ACLs to be:<br>
<br>
out:<br>
permit udp <net> <mask> 10.104.0.0 0.0.255.255 range 16384 32767 <br>
<br>
in:<br>
permit udp 10.104.0.0 0.0.255.255 range 16384 32767 <net> <mask><br>
<br>
seems like ACLs are a loosing proposition. which isn't easy.<br>
<br>
<span><br>
<span></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
Cooking with unix is easy. You just sed it and forget it. <br>
- LFJ (with apologies to Mr. Popeil)<br>
<span></span><br>
</span><br>
<hr id="zwchr">
<b>From: </b>"Wes Sisk" <wsisk@cisco.com><br>
<b>To: </b>"Lelio Fulgenzi" <lelio@uoguelph.ca><br>
<b>Cc: </b>"Cisco VoIPoE List" <cisco-voip@puck.nether.net><br>
<b>Sent: </b>Friday, December 2, 2011 5:24:05 PM<br>
<b>Subject: </b>Re: [cisco-voip] more ACL questions - RTP from CUE outside RTP range<br>
<br>
only some devices use that port range for RTP. CUCM does not. CIPC does not. IOS does because of the way it allocates port numbers.
<div><br>
</div>
<div>for anything based on a common os (windows/linux) the socket command does not allow specifying a subset of port numbers. this makes compliance nearly impossible.</div>
<div><br>
</div>
<div>CUE is running on linux.</div>
<div><br>
<div>
<div>On Dec 2, 2011, at 5:02 PM, Lelio Fulgenzi wrote:</div>
<br class="Apple-interchange-newline">
<span style="WIDOWS: 2; TEXT-TRANSFORM: none; TEXT-INDENT: 0px; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; FONT: medium Helvetica; WHITE-SPACE: normal; ORPHANS: 2; WORD-SPACING: 0px" class="Apple-style-span">
<div>
<div style="FONT-FAMILY: Verdana; COLOR: rgb(0,0,0); FONT-SIZE: 10pt">So I've got another ACL question.<span class="Apple-converted-space"> </span><br>
<br>
When trying to communicate with my CUE module, I get the following error:<br>
<br>
%SEC-6-IPACCESSLOGP: list voice_endpoints_out denied udp cue.ipaddr(32773) -> ipphone.ipaddr(19072), 1 packet<br>
<br>
I'm assuming this is RTP communications, but then why is the source address higher than the advertised range 16384 to 32767?<br>
<br>
I always thought RTP would only communicate to each other from and to a port within this range.<br>
<br>
Thoughts?<br>
<br>
<br>
<span><br>
<span></span>---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>
(519) 824-4120 x56354 (519) 767-1060 FAX (ANNU)<br>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
Cooking with unix is easy. You just sed it and forget it.<span class="Apple-converted-space"> </span><br>
- LFJ (with apologies to Mr. Popeil)<br>
<span></span><br>
</span><br>
</div>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
</div>
</span></div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div></body></html>