Firewall Problem with IP Phone!!

Unanswered Question
dgoodwin Thu, 10/04/2001 - 08:53
User Badges:
  • Cisco Employee,

TCP port 2000 is used for Skinny signaling to the CallManager. However there are a number of other ports that would be important to have open. For example:

UDP/69 - TFTP
TCP/80 - corporate directory, XML services. not always 80
UDP/67 - DHCP server
UDP/68 - DHCP client
UDP/16384-32767 - RTP audio

There are probably more I haven't thought of from the top of my head.

access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq tftp
! Allow TFTP from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2000
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2001
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2002
! Allow Skinny from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 1719
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 1720
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 range 11000 11999
! H.323 access from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2427
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2428
! MGCP from the Voice Network to the CallManager Cluster Subnet

access-list avvid_in permit tcp 172.21.0.0 255.255.0.0 10.21.100.0 255.255.255.0 eq 2748
! CTI (TAPI and JTAPI) for SoftPhone to the CallManager Cluster Subnet

access-list avvid_in permit tcp 172.21.0.0 255.255.0.0 10.21.100.0 255.255.255.0 eq 8404
! SoftPhone Directory to the CallManager Cluster Subnet
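Added example (not dgoodwin's code, not a Cisco tool): a small Python checker that parses PIX-style `access-list` lines like the ones above and reports which of the services listed in the post (TFTP, Skinny, HTTP directory, DHCP, RTP) the ACL actually permits end to end. Run against the posted rules it shows that DHCP and the RTP audio range are not permitted by this ACL, which is the kind of gap a reviewer wants to catch before a phone fails to register or calls set up with no audio. The `NAMED_PORTS` table and the sample ACL text are constructed for the example; the parser also re-joins a `range LO` line whose high port was wrapped onto the next line, as happened on the forum page.

```python
import re
from collections import namedtuple

# Services the post says an IP phone needs: (protocol, low port, high port).
REQUIRED_SERVICES = {
    "TFTP": ("udp", 69, 69),
    "Skinny signaling": ("tcp", 2000, 2000),
    "Directory/XML (HTTP)": ("tcp", 80, 80),
    "DHCP server": ("udp", 67, 67),
    "DHCP client": ("udp", 68, 68),
    "RTP audio": ("udp", 16384, 32767),
}

# PIX 6.x form: access-list NAME permit PROTO SRC MASK DST MASK [eq PORT | range LO HI]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
    r"(?:\s+eq\s+(?P<eq>\S+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

# Service names accepted in place of numbers. Constructed for this example;
# only 'tftp' is used by the posted ACL.
NAMED_PORTS = {"tftp": 69, "www": 80, "h323": 1720}

# lo/hi are None when the entry carries no port qualifier (any port).
Ace = namedtuple("Ace", "name action proto src smask dst dmask lo hi")


def parse_acl(text):
    """Parse ACL text into Ace tuples, skipping blank lines and '!' comments."""
    aces, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if pending is not None:          # high port of a wrapped 'range' arrives here
            line, pending = f"{pending} {line}", None
        if re.search(r"\brange\s+\d+$", line):
            pending = line               # 'range LO' with HI on the next line
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        if m["eq"] is not None:
            port = m["eq"]
            lo = hi = int(port) if port.isdigit() else NAMED_PORTS[port.lower()]
        elif m["lo"] is not None:
            lo, hi = int(m["lo"]), int(m["hi"])
        else:
            lo = hi = None
        aces.append(Ace(m["name"], m["action"], m["proto"], m["src"], m["smask"],
                        m["dst"], m["dmask"], lo, hi))
    if pending is not None:
        raise ValueError(f"range without high port: {pending!r}")
    return aces


def ace_covers(ace, proto, lo, hi):
    """True if a permit entry allows every port lo..hi for proto."""
    if ace.action != "permit" or ace.proto not in (proto, "ip"):
        return False
    return ace.lo is None or (ace.lo <= lo and ace.hi >= hi)


def audit(acl_text, required=REQUIRED_SERVICES):
    """Map each required service to whether some single entry fully permits it."""
    aces = parse_acl(acl_text)
    return {svc: any(ace_covers(a, *spec) for a in aces) for svc, spec in required.items()}


# Constructed sample: a subset of the ACL posted above, including the wrapped range.
SAMPLE_ACL = """
access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq tftp
! Allow TFTP from the Voice Network to the CallManager Cluster Subnet
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2000
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2001
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 1720
access-list avvid_in permit tcp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 range 11000
11999
access-list avvid_in permit udp 10.0.0.0 255.0.0.0 10.21.100.0 255.255.255.0 eq 2427
access-list avvid_in permit tcp 172.21.0.0 255.255.0.0 10.21.100.0 255.255.255.0 eq 2748
"""

if __name__ == "__main__":
    for service, ok in audit(SAMPLE_ACL).items():
        print(f"{'permitted' if ok else 'MISSING  '}  {service}")
```

The check is deliberately strict: a service counts as permitted only when one entry covers its whole port range, so a partial RTP range would be reported as missing rather than silently accepted. Adding the corresponding `udp ... range 16384 32767` entry to the text flips that service to permitted.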

eyabane Fri, 10/05/2001 - 14:53
User Badges:

There is no surer way of opening certain ports on your firewall without putting the rest of the network at risk. Most of the ports mentioned here are known to hackers, and a little manipulation of the TCP packets could cause some buffer overflows, which translates into a home-run for the intruder. The safest solution is to get a VoIP Firewall. My company provides one of the very few out there for both h323 and SIP. Check out the whitepapers @ www.nextone.com, or contact me for more information. This is a serious issue, and most ISPs are realizing it now.


Eyabane
