Which ports need to be open from Cube - ISP

monasir · ‎01-31-2019

Hi all,

I'm not able to find specific information like , which ports needs to be open from the Cube to the ISP. ( outside)

At the moment the cube is configured and the customer is able to make incoming and outgoing calls.

However the cube connection is open in the internet and not secure.

And the ISP is receiving several server attacks from anonymous calls/strange calls which do not exsist in the DDI range.

So the service provider blocked everything and we are not able to make outgoing or incoming calls.

Their advise was to fine tune security so that not everything is open

The client is using a Fortigate 1000 Firewall.
Which things do i need to consider or the security engineer?

Chris Deren · ‎01-31-2019

You need to get that information from he ITSP as different ITSPs use different ports for media. SIP signaling port is usually 5060 or 5061 if using encryption either UDP or TCP, but some providers use different ports for SIP as well.

monasir · ‎02-06-2019

Hi all,

We are already in a middle of a workaround.
Hopefully this will work:

These ports needs to be open:

SIP, UDP & TCP on source and destination port 5060.
RTP, UDP on source port 16384-32767
ICMP Echo, Echo-Reply, TTL-Exceeded, Packet-Too-Big (unreachable)

On the cube create access-lists to permit udp hosts to allow specific traffic coming .
To keep eveything resticted.

And apply the acces-lists to for an example port-channels.

How ever thanks all for the help