10-20-2005 10:22 AM - edited 03-15-2019 03:46 AM
Hello all:
I am trying to protect a few IP phones connected to a C3550 switch. The following ACL was applied to the VLAN interface of the IP phones:
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input
The problem is that the directory option does not work. Does anyone know what TCP port number is needed for this? I am guessing it is LDAP, but I am not sure if this is correct.
Regards,
Carlos Roque
10-20-2005 10:27 AM
LDAP uses TCP port 389
hth,
Rob
10-21-2005 01:08 PM
Thank you,
I added that port to the ACL.
Carlos Roque
10-20-2005 11:58 AM
Refer to this doc for all TCP and UDP ports used by CCM:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml
Chris
10-21-2005 01:06 PM
Thank you,
I am assuming this apply to CM version 4.x.
Carlos Roque
10-22-2005 05:03 AM
Yes, the same ports are used.
Chris
10-22-2005 08:46 PM
Src or dst LDAP is not used by IP phones. IP phones send HTTP requests, and LDAP requests are handled between the Web Server (CCM normally) and the Directory.
I think the best option here is to follow Cisco recommendations for securing an IP telephony network.
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/index.htm
I attach a sniffer capture of my IPC accessing Directory services, which may be helpful (check the src port for the HTTP SYN,ACK).
Gonz
10-22-2005 08:49 PM
10-25-2005 11:26 AM
I'll check these documents and will follow their recommendations.
I am still having problems with directory access from the IP phones. After applying the ACL, the log shows denied UDP packets from the IP phones with high-range port numbers. That means that the phone is using dynamic high UDP port numbers which the ACL is not allowing.
I am investigating the possibility of using a reflexive ACL.
Regards,
Carlos Roque
10-25-2005 06:47 PM
The high-numbered UDP ports sound like the RTP traffic. When you say the directory access does not work, how far does it get? Does the option show up on the IP phone? If the option doesn't show up, it could be a problem with name resolution and not ACLs.
10-25-2005 07:28 AM
DC directory uses port 8404 and if Callmanager is integrated to Active Directory, then port 389 is used.
Check which directory is used by your Callmanager and depending on that, enable the ports.
Lemme know if you have any questions.
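As an added illustration (not code from any poster in this thread), the following Python model reproduces how the switch evaluates the ACL quoted above: Cisco wildcard-mask matching, first-match semantics, and the implicit deny at the end of every ACL. It shows which hosts `172.16.25.10 0.0.0.9` actually covers, and that a phone's TCP request to port 8404 (the DC Directory port named above) is dropped by the original ACL until a matching permit line is added. The parser only handles the ACE syntax used in this thread.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line: str) -> dict:
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>] [log-input]'.
    Addresses are 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = line.split()
    i = 2
    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[i] == "host":
            i += 2
            return (tok[i - 1], "0.0.0.0")
        i += 2
        return (tok[i - 2], tok[i - 1])
    src, dst = take_addr(), take_addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in acl:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# The ACL as posted in the thread (plus the explicit deny/log line).
THREAD_ACL = [parse_ace(l) for l in """
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input
""".splitlines() if l.strip()]

def hosts_covered(base="172.16.25.10", wildcard="0.0.0.9") -> list:
    """Every last-octet value the posted source wildcard actually matches."""
    return [f"172.16.25.{h}" for h in range(256)
            if wildcard_match(f"172.16.25.{h}", base, wildcard)]
```

`hosts_covered()` returns only .2, .3, .10 and .11, because a wildcard of 0.0.0.9 frees bits 0 and 3 of the last octet rather than a contiguous range; a phone at 172.16.25.15 would hit the deny line even on port 80.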