topic what type of of traffic need to be open between cucm 7.0 (publis in Network Security

what type of of traffic need to be open between cucm 7.0 (publisher and subscribers)

isamabbas — Tue, 12 Mar 2019 01:22:37 GMT

There is a firewall that do not allow any traffic between a cucm 7.0 publisher and subscribers.

Neet to know what need to be open so that all communication between them is working?

what type of of traffic need to be open between cucm 7.0 (publis

jocamare — Tue, 02 Apr 2013 20:35:51 GMT

This might help you:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf

what type of of traffic need to be open between cucm 7.0 (publis

isamabbas — Tue, 02 Apr 2013 20:49:51 GMT

Thank you very much for the pointer!!!

I already have that document which contain lots of ports.

What I am looking for is what ports that I need to add to open traffic on the Firewall (7200) when add/remove users in Subscribers (CUCM 7.0).

All traffic to the Publisher (CUCM 7.0) are blocked, so I need to know what specific ports to open along with the command?

what type of of traffic need to be open between cucm 7.0 (publis

jocamare — Tue, 02 Apr 2013 21:26:04 GMT

What type of users are we talking about?

End users or Ip phone extensions?

what type of of traffic need to be open between cucm 7.0 (publis

isamabbas — Tue, 02 Apr 2013 21:37:02 GMT

Both, end users and ip phones!!!

I am not exactly sure what ports they need?? That is why I need help here…..

What needed to be done is that, the ability to add users/phones on the Subscribers (CUCM 7.0) which sits on a different subnet than the publisher (CUCM 7.0) and between them is a Firewall (Cisco 7200).

I am not sure what ports I can open to do that types of traffic?

Any help will be highly appreciated.

Thanks,

Isam.

what type of of traffic need to be open between cucm 7.0 (publis

jocamare — Tue, 02 Apr 2013 21:59:39 GMT

It is important to know the protocol that you are going to use, that way we can define the ports that you need open.

There are many, SCCP 2000 SIP 5060, 5061 TCP & UDP, H323 1720 TCP , MGCP 2427 Y 2428 TCP.

That without the RTP ports.

what type of of traffic need to be open between cucm 7.0 (publis

isamabbas — Tue, 02 Apr 2013 22:08:58 GMT

Thanks for the feedback!!!

We use Cisco IP phone SCCP Protocol to talk to CUCM 7.0, but in this case I am not sure what types of traffic between Subscribers and Publisher when you need to add users/phones and there is Firewall between Subs and Pub?

what type of of traffic need to be open between cucm 7.0 (publis

jocamare — Tue, 02 Apr 2013 22:39:07 GMT

SCCP uses port 2000, so open that one. The firewall inspection should do the rest.

Normally you won't need to open anything else if you try to establish phone calls.

Don't block DHCP nor TFTP though.

what type of of traffic need to be open between cucm 7.0 (publis

isamabbas — Tue, 02 Apr 2013 23:56:01 GMT

Phones/Users work fine once they have registered!!!

Before that we need to have a way of adding them to the pub?

what type of of traffic need to be open between cucm 7.0 (publis

jocamare — Wed, 03 Apr 2013 00:02:37 GMT

Sorry, bro.

It's not you, it's me.

But, i didn't get your last post, can you please elaborate?

what type of of traffic need to be open between cucm 7.0 (publis

isamabbas — Wed, 03 Apr 2013 17:27:00 GMT

The Pub sits in one region that is separated from Subs region.

If a phone/user is already created they will work fine within the Subs region as they will have access to them.

What we would like to do is when we activate the Firewall and we need to add new users/phones, We nee to know what ports and traffic that need to be opened in the Firewall. That is why I need some help here.

what type of of traffic need to be open between cucm 7.0 (publis

jocamare — Wed, 03 Apr 2013 21:00:08 GMT

Ok, you already have a list of ports that need to be opened.

Now, assuming your phones are on the internal side of the ASA, they do not represent a threat and are somehow trusted phones. There should not be any port restriction, we trust the phones don't we?

Speaking of trusted stuff, i'm curious about the fact that the server [subscriber] and the phones are separated by the ASA.

Why is it like that?

Is this something that can be changed?

If i had a bunch of phones, a server and whole lot of time, i would sell them. Don't know much of voice stuff, you know?

But i know about this, so, i would recommend you to move the server with the phones and place them all in the same network, that way they will freely communicate with each other, saving a L3 hop and bandwidth.

As my grandpa used to say: "If you can save a L3 hop in a voice implementation, do it." Wise words.

Now, in case you are keeping your current setup, make sure that TFTP and SCCP traffic is allowed from the phones to the server, also UDP/16384 - 32767.

That's basically all you need to get it working. Ports UDP/69, TCP/2000 and UDP/16384 - 32767