Armando Yesua G... Thu, 12/03/2009 - 07:43

Hi.

for VOIP try:

access-list 101 deny udp any any range 16384 32767
access-list 102 deny udp any any eq 1718
access-list 102 deny udp any any eq 1719
access-list 102 deny tcp any any eq 1720


TCP port 1720 is the port used for the listening of the incoming call.
If you block access to this port, you will essentially deny voice call setup request from the IP side.

This will block H.323 call setups, for people using "standard" VoIP and the
standard port assignments. It won't block Net2Phone, Netspeak, or any one
of a number of proprietary VoIP implementations.

A more drastic approach is to block all UDP traffic on ports >5000, which
will kill H.323 and any other RTP-based scheme like MBONE conferencing. It
still won't block people who want to get through and are willing to use
proprietary schemes.

regards

Yesua

cisco.net Sun, 12/06/2009 - 01:58

Thanks Yesua & Rick,

@ Yesua , PLease clear about the proprietary schemes u mentioned in reply. Have u know about "MAJIC JACK" (also used for VoIP calling). is this also a proprietary scheme.

Rgds

Armando Yesua G... Sun, 12/06/2009 - 08:55

yes, propietary I mean not following at all an standard and creating their own thing, just like "majic jack", those are the ones more difficult to block.

Majic jack appears to uses the following udp ports and something strange is doing with tcp ports:

TCP Ports List: 80 (HTTP), 443 (HTTPS)

UDP Ports List: 5060, 5070, 10000-65535

You should be able to confirm this, the last time I found it was using only 5060 and 5070, so blocking this two probably will make it.

regards

Yesua    

Actions

This Discussion