RE: Voice Port numbers

From: Frank Jimenez (franjime@xxxxxxxxx)
Date: Thu Mar 07 2002 - 20:44:52 GMT-3


I think this all comes back to the old line "What problem are you trying
to solve"?

I have a feeling the original poster was asking a fairly benign question
for a lab somewhere, but it turns out that the answer is more
complicated and far-reaching than he thought.

Is the question "How do I secure my IP Voice network?" If so, Cisco
just made publicly available a pretty wide-ranging white paper at:

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safip_wp.htm

I'd love to hear feedback from the 'real world' on that reference
design....

The other real-world topic not mentioned is that VoIP needs to be
protected by some sort of encryption if it's going to pass over a public
network. Lots of tools out there for decoding packet voice....

Frank Jimenez, CCIE #5738
Systems Engineer
Cisco Systems, Inc.
franjime@cisco.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
R.J.Neill Craven
Sent: Thursday, March 07, 2002 12:21 PM
To: Bob Sinclair
Cc: Michael C. Popovich; ccielab@groupstudy.com
Subject: Re: Voice Port numbers

In the "real" world, the UDP and TCP ports used for voice other than
the predictable ones are somewhat academic. You do need to know the
ports Cisco uses for the RTP sessions (UDP ports 16384 through 32767)
if you want to invoke priority queueing for voice (by way of the "ip
rtp priority" command), but IMHO you should NEVER use port ranges in
an access list. If I learned that a "firewall" were allowing the port
ranges as defined in the lists below, I would develop all of my
applications to use them. Worse yet, a cracker would attack the
network using these ports.

Instead of using an extended access list, a better solution would be
to use a mechanism that examines the H.225/H.245 negotiations and
automatically permits the dynamic sessions. You can do this with CBAC
or a standalone firewall box such as a PIX. I doubt I could come up
with an acceptable solution using reflexive access lists, but it's
worth investigation.

So, the ports I need to watch are the ones that get the ball rolling.
For H.323 they are UDP port 1718 (Gatekeeper discovery), UDP port
1719 (Gatekeeper registration and status), and TCP port 1720 (H.225).

Assuming Cisco does already or will shortly allow the PIX and CBAC to
watch the negotiation of the MGCP, SIP, and the "skinny protocol"...

For the MGCP, I believe the ports are 2427 and 2727 (both UDP). For
the SIP the default is UDP or TCP port 5060, but SIP can use almost
any UDP or TCP port. Cisco's "skinny protocol" uses ports 2000
(client), 2001 (digital gateway), 2002 (analog gateway), and 2003
(conference bridge), but I don't recall whether these are TCP or UDP.
I suspect TCP but I yield to anyone who has definitive information.

Cheers,
Neill

At 10:11 PM -0500 6/3/02, Bob Sinclair wrote:
>Michael,
>
>A previous thread came up with the access-lists below regarding rtp
>and call setup ports. Not able to find anything definitive on CCO.
>
>2000-2003 is Call Manager
>
>-Bob
>
>VOIP Definition:
>
>access-list 121 permit udp any any range 16384 32767
>access-list 121 permit udp any range 16384 32767 any
>access-list 122 permit tcp any any range 2000 2003
>access-list 122 permit tcp any range 2000 2003 any
>access-list 122 permit tcp any any eq 1720
>access-list 122 permit tcp any eq 1720 any
>access-list 122 permit tcp any any range 11000 11999
>access-list 122 permit tcp any range 11000 11999 any
>
>IE: Outbound voice:
>
>access-list 100 permit udp any range 16384 32767 any
>access-list 100 permit tcp any eq 1720 any
>access-list 100 permit tcp any range 11000 11999 any
>
>IE: Inbound Voice:
>
>access-list 100 permit udp any any range 16384 32767
>access-list 100 permit tcp any any eq 1720
>access-list 100 permit tcp any any range 11000 11999
>
>IE: Uni-Directional Voice:
>
>access-list 100 permit udp any range 16384 32767 any
>access-list 100 permit udp any any range 16384 32767
>access-list 100 permit tcp any eq 1720 any
>access-list 100 permit tcp any any eq 1720
>access-list 100 permit tcp any range 11000 11999 any
>access-list 100 permit tcp any any range 11000 11999
>
>----- Original Message -----
>From: "Michael C. Popovich" <mpopovich@layer3.biz>
>To: <ccielab@groupstudy.com>
>Sent: Wednesday, March 06, 2002 9:30 PM
>Subject: Voice Port numbers
>
>
>> Anyone have a link on the DOC CD that tells me what ports are needed
>> for call-setup, ring-tone, H.323, H.245, etc. relating to voice?
>>
>> I am having difficulty locating it.
>>
>> Thanks
>>
>> MP



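Neill's objection to port ranges in an access list can be made concrete with a small audit script. The following is an added example written for this archive page, not code from any of the posters or from Cisco: it parses the numbered extended access-list lines Bob quoted (embedded below as constructed input) and counts how many destination ports each permit actually exposes. Note that an entry which restricts only the *source* port ("permit udp any range 16384 32767 any") leaves every destination port open to a client that simply picks a source port in that range. A second constructed list, towards a hypothetical gatekeeper/CallManager at 10.0.0.5, permits only the call-setup ports Neill enumerates (H.323 1718/1719/1720, MGCP 2427/2727, SIP 5060, skinny 2000-2003), which is what you would pair with CBAC or PIX inspection of H.225/H.245 so that the RTP streams are opened per call rather than statically. The 10.0.0.5 address and the ACL numbers 100/110 are assumptions for the example.

```python
"""Audit Cisco IOS extended access-list lines for wide static port openings.

Added example for this thread, not code from any of the posters. It parses
"access-list N permit <proto> <src> [op ports] <dst> [op ports]" lines and
reports how many destination ports each permit really exposes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_MAX = 65535
Ports = Optional[Tuple[int, int]]  # (low, high) inclusive, or None = any port

# Constructed input 1: the "Uni-Directional Voice" list quoted in the thread.
STATIC_VOICE_ACL = """
access-list 100 permit udp any range 16384 32767 any
access-list 100 permit udp any any range 16384 32767
access-list 100 permit tcp any eq 1720 any
access-list 100 permit tcp any any eq 1720
access-list 100 permit tcp any range 11000 11999 any
access-list 100 permit tcp any any range 11000 11999
"""

# Constructed input 2: only the call-setup ports Neill lists, towards a
# hypothetical gatekeeper/CallManager at 10.0.0.5 (assumed address). The RTP
# streams are left to CBAC/PIX inspection of the signalling, not to the ACL.
# Skinny (SCCP) is TCP, as the thread suspected.
SIGNALLING_ONLY_ACL = """
access-list 110 permit udp any host 10.0.0.5 range 1718 1719
access-list 110 permit tcp any host 10.0.0.5 eq 1720
access-list 110 permit udp any host 10.0.0.5 eq 2427
access-list 110 permit udp any host 10.0.0.5 eq 2727
access-list 110 permit tcp any host 10.0.0.5 eq 5060
access-list 110 permit tcp any host 10.0.0.5 range 2000 2003
"""


@dataclass
class AclEntry:
    number: str
    action: str
    proto: str
    src: str
    src_ports: Ports
    dst: str
    dst_ports: Ports


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _parse_ports(tokens: List[str], i: int) -> Tuple[Ports, int]:
    """Consume an optional port operator (eq/range/gt/lt); None if absent."""
    if i >= len(tokens):
        return None, i
    op = tokens[i]
    if op == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if op == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    if op == "gt":
        return (int(tokens[i + 1]) + 1, PORT_MAX), i + 2
    if op == "lt":
        return (0, int(tokens[i + 1]) - 1), i + 2
    if op == "neq":
        raise ValueError("neq is not modelled by this audit")
    return None, i  # keywords such as "log" or "established" carry no ports


def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered extended ACL lines; non-ACL lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected ACL action in: {line}")
        src, i = _parse_addr(tokens, 4)
        src_ports, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dst_ports, i = _parse_ports(tokens, i)
        entries.append(AclEntry(number, action, proto, src, src_ports, dst, dst_ports))
    return entries


def port_count(ports: Ports) -> int:
    """How many destination ports a port spec covers (65536 when unrestricted)."""
    return PORT_MAX + 1 if ports is None else ports[1] - ports[0] + 1


def exposed_ports(entries: List[AclEntry], proto: str) -> int:
    """Size of the union of destination ports permitted for proto.

    A permit that restricts only the source port still exposes every
    destination port: any client can choose its own source port.
    """
    open_ports = set()
    for e in entries:
        if e.action == "permit" and e.proto == proto:
            lo, hi = (0, PORT_MAX) if e.dst_ports is None else e.dst_ports
            open_ports.update(range(lo, hi + 1))
    return len(open_ports)


def audit(entries: List[AclEntry], max_width: int = 16) -> List[AclEntry]:
    """Permit entries whose destination port span is wider than max_width."""
    return [e for e in entries
            if e.action == "permit" and e.proto in ("tcp", "udp")
            and port_count(e.dst_ports) > max_width]


if __name__ == "__main__":
    for name, text in (("static", STATIC_VOICE_ACL), ("signalling-only", SIGNALLING_ONLY_ACL)):
        entries = parse_acl(text)
        print(f"{name}: udp={exposed_ports(entries, 'udp')} tcp={exposed_ports(entries, 'tcp')} "
              "destination ports reachable")
        for e in audit(entries):
            print(f"  wide: access-list {e.number} {e.proto} {e.src} {e.src_ports} -> "
                  f"{e.dst} {e.dst_ports} ({port_count(e.dst_ports)} ports)")
```

Run against the quoted list, the script reports that all 65536 UDP and all 65536 TCP destination ports are reachable, because three of the six entries constrain only the source port; the signalling-only list exposes four UDP and six TCP ports, all on one host, and trips no width warning.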
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:56 GMT-3