cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1283
Views
0
Helpful
10
Replies

iphones udp/tcp poer number

minoc
Level 1
Level 1

Hello all:

I am trying to protect few ipphones connected to a C3550 switch. The following acl was apply to the vlan interface of the ipphones:

permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69

permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69

permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000

permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80

permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80

deny ip any any log-input

The problem is that the directory option does not work. Does anyone konws what port tcp port number is needed for this. I am guessing is LDAP, but I am not sure is this is correct.

Regards,

Carlos Roque

10 Replies 10

ROBERT Clark
Level 1
Level 1

LDAP uses TCP port 389

hth,

Rob

Thank you,

I added that port to the ACL.

Carlos Roque

Chris Deren
Hall of Fame
Hall of Fame

Refer to this doc for all TCP and UDP ports used by CCM:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml

Chris

Thank you,

I am assuming this apply to CM version 4.x.

Carlos Roque

Yes, the same ports are used.

Chris

gogasca
Level 10
Level 10

Src or dst LDAP is not used by IP Phones, IP Phones sends HTTP requests, and LDAP requests are handled between the Web Server (CCM normally) and Directory.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a0080447505.html#wp1043132.

I think the best option here, is follow Cisco recommendations for securing an IP telephony network.

http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/index.htm

I attach a sniffer capture for my IPC accesing Directory services, which may be helpful (check src port for HTTP SYN,ACK).

Gonz

Attachment

IPC IP address is:

I'll check these documents and will follow their recomendations.

I am still having problems with directory access from the ipphones. After applying the acl the log shows denied udp packets form the ipphones in high ranges port numbers. That means that the phone is using dynamic udp high port numbers which the acl is not allowing.

I am investigating the posibility of using reflexive acl.

.

Regards,

Carlos Roque

the high numbered udp ports sounds like the rtp traffic. when you say the directory access does not work, how far does it get? does the option show up on the IP phone? If the option doesnt show up, it could be a problem with name resolution and not acl's.

bhattacharya.s
Level 1
Level 1

DC directory uses port 8404 and if Callmanager is integrated to Active Directory, then port 389 is used.

Check which directory is used by your Callmanager and depending on that, enable the ports.

Lemme know if you have any questions.