I am trying to protect a few IP phones connected to a C3550 switch. The following ACL was applied to the VLAN interface of the IP phones:
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 69
permit udp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 69
permit tcp 172.16.25.10 0.0.0.9 172.17.1.0 0.0.0.255 eq 2000
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.10 eq 80
permit tcp 172.16.25.10 0.0.0.9 host 172.17.1.11 eq 80
deny ip any any log-input
The problem is that the directory option does not work. Does anyone know what TCP port number is needed for this? I am guessing it is LDAP, but I am not sure if this is correct.
Refer to this doc for all TCP and UDP ports used by CCM:
Src or dst LDAP is not used by IP Phones. IP Phones send HTTP requests, and LDAP requests are handled between the Web Server (CCM normally) and the Directory.
I think the best option here is to follow Cisco recommendations for securing an IP telephony network.
I attach a sniffer capture of my IPC accessing Directory services, which may be helpful (check the src port for the HTTP SYN,ACK).
I'll check these documents and will follow their recommendations.
I am still having problems with directory access from the IP phones. After applying the ACL, the log shows denied UDP packets from the IP phones with high-range port numbers. That means that the phone is using dynamic high UDP port numbers which the ACL is not allowing.
I am investigating the possibility of using reflexive ACLs.
The high-numbered UDP ports sound like the RTP traffic. When you say the directory access does not work, how far does it get? Does the option show up on the IP phone? If the option doesn't show up, it could be a problem with name resolution and not ACLs.
DC directory uses port 8404 and if Callmanager is integrated to Active Directory, then port 389 is used.
Check which directory is used by your Callmanager and depending on that, enable the ports.
Lemme know if you have any questions.
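To see concretely which of the flows discussed in this thread the posted ACL permits, here is an added example (not posted by anyone in the thread) that evaluates the ACL with IOS first-match and inverse-mask semantics against constructed sample flows. The destination hosts and the DC Directory (8404) and LDAP (389) ports come from the thread; the RTP port 16384 and the second phone address are assumptions for illustration.

```python
import ipaddress

# The ACL exactly as posted in the thread, as (action, proto, src, src-wildcard,
# dst, dst-wildcard, dst-port); port None means "any port".
# IOS wildcard masks are inverse masks: a 1 bit means "don't care".
POSTED_ACL = [
    ("permit", "udp", "172.16.25.10", "0.0.0.9", "172.17.1.10", "0.0.0.0", 69),
    ("permit", "udp", "172.16.25.10", "0.0.0.9", "172.17.1.11", "0.0.0.0", 69),
    ("permit", "tcp", "172.16.25.10", "0.0.0.9", "172.17.1.0", "0.0.0.255", 2000),
    ("permit", "tcp", "172.16.25.10", "0.0.0.9", "172.17.1.10", "0.0.0.0", 80),
    ("permit", "tcp", "172.16.25.10", "0.0.0.9", "172.17.1.11", "0.0.0.0", 80),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS-style match: bits set in the wildcard are ignored, all others must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto: str, src: str, dst: str, dport: int):
    """First-match evaluation, as IOS does. Returns (action, entry index); an
    index of None means the flow fell through to the implicit deny at the end."""
    for idx, (action, p, sb, sw, db, dw, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, idx
    return "deny", None

# Constructed sample flows from a phone at 172.16.25.10 to the CCM/directory
# hosts named in the post. 8404 (DC Directory) and 389 (LDAP) come from the
# thread; 16384 is a typical RTP port and is an assumption for illustration.
SAMPLE_FLOWS = {
    "tftp config fetch":   ("udp", "172.16.25.10", "172.17.1.10", 69),
    "sccp to callmanager": ("tcp", "172.16.25.10", "172.17.1.10", 2000),
    "http directory page": ("tcp", "172.16.25.10", "172.17.1.10", 80),
    "dc directory 8404":   ("tcp", "172.16.25.10", "172.17.1.10", 8404),
    "ldap 389":            ("tcp", "172.16.25.10", "172.17.1.10", 389),
    "rtp media":           ("udp", "172.16.25.10", "172.16.25.11", 16384),
}

def audit(acl=POSTED_ACL, flows=SAMPLE_FLOWS) -> dict:
    """Map each flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}
```

Running audit() shows TFTP, SCCP and HTTP permitted while the 8404, 389 and RTP flows hit the final deny, which is what the log-input entries in the thread report.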