17 Replies Latest reply on Mar 28, 2014 10:03 AM by jonathanblack

    Allow RTP/UDP Ports For Any IP

    jonathanblack New Member

      We have several 908e units configured for SIP-to-PRI service from several SIP carriers interfacing to our legacy PRI-based equipment.  These units are not intended to serve as gate-keepers for data access to a LAN, therefore, the firewall is not turned on.  We did explore the firewall option, but it really seemed geared toward traffic passing through, rather than terminating on the unit (for purposes of SIP).


      We've configured the SIP trunks with the specific IP addresses of the carriers, and that seems to grant access to allow communication with the carriers' servers for signaling and RTP.  This has worked fine for two carriers, provided we add any RTP addresses as "sip-server secondary" entries. 


      We've now brought on a third SIP carrier who tells us that their RTP traffic will be coming from varying IP addresses depending on which underlying carrier is being used--they aren't proxying (is that a word?) the traffic through their servers.  They are recommending that we "specify the ports we can be contacted on for RTP and allow that in our firewall--any UDP traffic for those ports from any originating IP".


      The first question is:  How secure is this suggestion?

      Secondly: Can this be done on a 908e?  If so, how would we do that?

        • Re: Allow RTP/UDP Ports For Any IP
          unified Past_Featured_Member

          Is the 908 on a public IP or behind a firewall?

          • Re: Allow RTP/UDP Ports For Any IP
            jayh Hall_of_Fame

            You probably want the firewall turned on as it is used under-the-hood for quite a bit of the functionality of the box.


            Create an access-list as follows:


            ip access-list standard sip-allow-list
              permit host X.X.X.X
              permit host Y.Y.Y.Y
              permit host Z.Z.Z.Z


            Then apply that to your SIP connections:


            ip sip access-class sip-allow-list in


            You don't need to worry about RTP, it can come from any media gateway of the SIP providers.  It is generally a good thing that RTP go directly to the media gateway.  This tends to minimize latency of routing it through the SIP provider's network.


            When you enable the firewall for the first time, you'll want to do so from the console or be careful not to lock yourself out if enabling it remotely. 


              • Re: Allow RTP/UDP Ports For Any IP
                jonathanblack New Member

                Thanks for the input.  So the "permit host" addresses would be the signaling addresses provided by the SIP provider, and not including any RTP addresses?  Would we not need a rule to handle the RTP servers or is this handled on-the-fly by way of the SIP header as mentioned by @unified, above?

                  • Re: Allow RTP/UDP Ports For Any IP
                    jayh Hall_of_Fame

                    That's handled automatically.  You want to restrict SIP to known hosts and reject all others to avoid the possibility of someone exploiting your system to place expensive international calls.  RTP is set up within the SIP header as mentioned by @unified.
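Added illustration (not code from this thread, from ADTRAN, or from the 908e itself): a small Python model of the two points made above, restricting SIP signaling to the allow-listed hosts from the access-list reply, and learning the RTP destination from the SDP offer inside the INVITE rather than from any ACL. The allow-list entries, the INVITE and its SDP body are all constructed with documentation-range addresses; the function names are my own and do not correspond to anything on the unit.

```python
import ipaddress

# Constructed allow-list standing in for the "permit host" entries of the
# standard access-list in the thread. Documentation-range addresses only;
# the real entries would be the carriers' signaling servers.
SIP_ALLOW_LIST = [
    "192.0.2.10",       # carrier A, sip-server primary
    "192.0.2.11",       # carrier A, sip-server secondary
    "198.51.100.0/24",  # carrier B signaling block
]

# Constructed SDP body: the c= line names the media gateway and the m= line
# names the UDP port it wants RTP sent to. Note the address is NOT on the
# signaling allow-list, which is the normal case for a direct-media carrier.
_SDP_BODY = (
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.77\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

# Constructed INVITE carrying that SDP.
SAMPLE_INVITE = (
    "INVITE sip:2125551212@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:carrier@192.0.2.10>;tag=1928301774\r\n"
    "To: <sip:2125551212@203.0.113.5>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(_SDP_BODY)}\r\n"
    "\r\n" + _SDP_BODY
)


def signaling_allowed(src_ip, allow_list=SIP_ALLOW_LIST):
    """True if the packet's source matches a permit entry (host or CIDR)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in allow_list)


def parse_sdp_media(sip_message):
    """Return (ip, port) for the audio stream from the SDP body, or None."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head:
        return None
    rtp_ip = rtp_port = None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            rtp_ip = line.split()[2]
        elif line.startswith("m=audio "):
            rtp_port = int(line.split()[1])
    if rtp_ip is None or rtp_port is None:
        return None
    return rtp_ip, rtp_port


def evaluate_invite(src_ip, sip_message, allow_list=SIP_ALLOW_LIST):
    """Gate signaling on the allow-list, then learn the RTP endpoint from SDP.
    The RTP address is accepted even though it is not on the allow-list."""
    if not signaling_allowed(src_ip, allow_list):
        return {"action": "reject", "reason": "signaling source not permitted"}
    media = parse_sdp_media(sip_message)
    if media is None:
        return {"action": "reject", "reason": "no usable SDP offer"}
    rtp_ip, rtp_port = media
    return {"action": "accept", "rtp_ip": rtp_ip, "rtp_port": rtp_port}


def unknown_sources(src_ips, allow_list=SIP_ALLOW_LIST):
    """From observed INVITE source IPs, return those not permitted; a quick
    way to spot unauthorized signaling attempts in a packet capture or log."""
    return sorted({ip for ip in src_ips if not signaling_allowed(ip, allow_list)})


if __name__ == "__main__":
    print(evaluate_invite("192.0.2.10", SAMPLE_INVITE))
    print(evaluate_invite("203.0.113.99", SAMPLE_INVITE))
    print(unknown_sources(["192.0.2.10", "203.0.113.99", "198.51.100.5", "203.0.113.99"]))
```

The takeaway matches the reply above: the only decision that needs a static list is whether to answer signaling at all; the media gateway address and port arrive in the SDP of each accepted call, so RTP needs no per-carrier ACL entries.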

                      • Re: Allow RTP/UDP Ports For Any IP
                        jonathanblack New Member

                        Ok, thanks.  Our experience so far has been that even with the firewall off, the only signaling addresses from which it will accept traffic are those specified in the SIP trunk settings either under "sip-server primary" or "sip-server secondary".  However, this is good information for when we enable the firewall.

                          • Re: Allow RTP/UDP Ports For Any IP
                            jayh Hall_of_Fame

                            jonathanblack wrote:


                            Ok, thanks.  Our experience so far has been that even with the firewall off, the only signaling addresses from which it will accept traffic are those specified in the SIP trunk settings either under "sip-server primary" or "sip-server secondary".  However, this is good information for when we enable the firewall.


                            You may be very unpleasantly surprised when you get a phone bill if you don't lock down SIP to known and authorized servers.  I haven't tested simply adding the SIP ACL with the firewall not enabled; it may work.  Please lock it down.  Despite their name, the scanners out there aren't very friendly.