Re: Voice Port numbers

From: R.J.Neill Craven (ncraven@xxxxxxxxxxxxxxx)
Date: Thu Mar 07 2002 - 15:20:32 GMT-3

In the "real" world, the UDP and TCP ports used for voice other than
the predictable ones are somewhat academic. You do need to know the
ports Cisco uses for the RTP sessions (UDP ports 16384 through 32767)
if you want to invoke priority queueing for voice (by way of the "ip
rtp priority" command), but IMHO you should NEVER use port ranges in
an access list. If I learned that a "firewall" were allowing the port
ranges as defined in the lists below, I would develop all of my
applications to use them. Worse yet, a cracker would attack the
network using these ports.

Instead of using an extended access list, a better solution would be
to use a mechanism that examines the H.225/H.245 negotiations and
automatically permits the dynamic sessions. You can do this with CBAC
or a standalone firewall box such as a PIX. I doubt I could come up
with an acceptable solution using reflexive access lists, but it's
worth investigating.

So, the ports I need to watch are the ones that get the ball rolling.
For H.323 they are UDP port 1718 (Gatekeeper discovery), UDP port
1719 (Gatekeeper registration and status), and TCP port 1720 (H.225).

Assuming Cisco already does, or shortly will, allow the PIX and CBAC
to watch the negotiation of MGCP, SIP, and the "skinny protocol"...

For the MGCP, I believe the ports are 2427 and 2727 (both UDP). For
the SIP the default is UDP or TCP port 5060, but SIP can use almost
any UDP or TCP port. Cisco's "skinny protocol" uses ports 2000
(client), 2001 (digital gateway), 2002 (analog gateway), and 2003
(conference bridge), but I don't recall whether these are TCP or UDP.
I suspect TCP but I yield to anyone who has definitive information.

Cheers,
Neill

At 10:11 PM -0500 6/3/02, Bob Sinclair wrote:
>Michael,
>
>A previous thread came up with the access-lists below regarding rtp
>and call setup ports. Not able to find anything definitive on CCO.
>
>2000-2003 is Call Manager
>
>-Bob
>
>VOIP Definition:
>
>access-list 121 permit udp any any range 16384 32767
>access-list 121 permit udp any range 16384 32767 any
>access-list 122 permit tcp any any range 2000 2003
>access-list 122 permit tcp any range 2000 2003 any
>access-list 122 permit tcp any any eq 1720
>access-list 122 permit tcp any eq 1720 any
>access-list 122 permit tcp any any range 11000 11999
>access-list 122 permit tcp any range 11000 11999 any
>
>IE: Outbound voice:
>
>access-list 100 permit udp any range 16384 32767 any
>access-list 100 permit tcp any eq 1720 any
>access-list 100 permit tcp any range 11000 11999 any
>
>IE: Inbound Voice:
>
>access-list 100 permit udp any any range 16384 32767
>access-list 100 permit tcp any any eq 1720
>access-list 100 permit tcp any any range 11000 11999
>
>IE: Uni-Directional Voice:
>
>access-list 100 permit udp any range 16384 32767 any
>access-list 100 permit udp any any range 16384 32767
>access-list 100 permit tcp any eq 1720 any
>access-list 100 permit tcp any any eq 1720
>access-list 100 permit tcp any range 11000 11999 any
>access-list 100 permit tcp any any range 11000 11999
>
>----- Original Message -----
>From: "Michael C. Popovich" <mpopovich@layer3.biz>
>To: <ccielab@groupstudy.com>
>Sent: Wednesday, March 06, 2002 9:30 PM
>Subject: Voice Port numbers
>
>
>> Anyone have a link on the DOC CD that tells me what ports are needed for
>> call-setup, ring-tone, H.323, H.245, etc. relating to voice?
>>
>> I am having difficulty locating it.
>>
>> Thanks
>>
>> MP
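The contrast Neill draws above, as an added configuration example that is not part of this thread: Bob's access lists open the whole RTP range (UDP 16384-32767) and the TCP call-control ranges to and from any host, whereas CBAC only needs the signalling ports permitted statically and opens the negotiated RTP ports per call. Interface names, the 192.0.2.0/24 addresses, the inspection name VOICE, the 64 kbps RTP reservation and the access-list numbers are assumptions for illustration; the sip and skinny inspection keywords exist only in IOS releases newer than this thread, so drop those two lines if your train does not have them.

```cisco
! ---- Weak: static pinholes for the entire RTP and call-control ranges ----
! This is what the quoted lists do. Any UDP flow in 16384-32767 and any TCP
! flow in 2000-2003 or 11000-11999 gets through, voice or not.
access-list 122 permit udp any any range 16384 32767
access-list 122 permit tcp any any range 2000 2003
access-list 122 permit tcp any any range 11000 11999
access-list 122 permit tcp any any eq 1720
!
! ---- Better: stateful inspection of the signalling channel (CBAC) ----
! Only the ports that "get the ball rolling" are permitted statically:
! H.225 call setup (TCP 1720) to the gateway and H.225 RAS (UDP 1719)
! to the gatekeeper. Everything else is denied and logged. The inspection
! engine parses H.225/H.245 and adds a temporary entry for each negotiated
! H.245 and RTP/RTCP session, which is removed when the call ends.
ip inspect name VOICE h323
ip inspect name VOICE sip       ! later IOS releases only
ip inspect name VOICE skinny    ! later IOS releases only
ip inspect name VOICE tcp
ip inspect name VOICE udp
!
! 192.0.2.10 = assumed voice gateway, 192.0.2.11 = assumed gatekeeper
access-list 110 permit tcp any host 192.0.2.10 eq 1720
access-list 110 permit udp any host 192.0.2.11 eq 1719
access-list 110 deny   ip  any any log
!
interface Serial0/0
 description WAN link to remote voice site (assumed)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
 ! inspect calls initiated from either side so both directions get pinholes
 ip inspect VOICE in
 ip inspect VOICE out
 ! strict priority for RTP 16384-32767: starting port 16384, offset 16383,
 ! 64 kbps reserved (assumed). Requires WFQ on the interface.
 fair-queue
 ip rtp priority 16384 16383 64
!
! Verify that pinholes are created only for the life of a call:
!   show ip inspect sessions
!   show ip access-lists 110
```

After a call is set up, `show ip inspect sessions` lists the H.225 control connection plus the dynamically learned H.245 and RTP sessions; `show ip access-lists 110` shows the temporary permit entries CBAC inserted ahead of the deny. When the call clears, both disappear, so an attacker probing UDP 16384-32767 from the outside hits the `deny ip any any log` entry instead of an open range.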
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:56 GMT-3