BSS Source Port Range for Transport as TCP
skb007

Posted: Thu Aug 29, 2019 9:56 am

1. Brekeke Product Name and Version: BSS3.8.6.4 Adv Ver

2. Java version: 1.8

3. OS type and the version: RHEL7

4. UA (phone), gateway or other hardware/software involved: NA

5. Your problem: What is the port range used by BSS as source port when leg-B transport is TCP?

We only need to punch a hole in the firewall for port 5060 for incoming packets from the customer's IP address when the transport is UDP.

But when the transport is TCP, I guess we need to punch a hole in the firewall for the range of ports used by BSS as source ports. Is this the correct understanding?

If yes, what is the port range used by BSS as source port when leg-B transport is TCP?
Harold

Posted: Thu Aug 29, 2019 4:42 pm

> What is the port range used by BSS as source port when leg-B transport is TCP?

It will be an available port.


> But when the transport is TCP, I guess we need to punch a hole in the firewall for the range of ports used by BSS as source ports. Is this the correct understanding?

No. You just need to open the TCP listening port, 5060, in the firewall.
As with other protocols over TCP, like HTTP, you don't have to list local source ports for outgoing connections in the firewall.
skb007

Posted: Fri Aug 30, 2019 9:28 am

#### SET UP DETAILS ####

BSS IP : bbb.bbb.bbb.bbb
BSS listen-port is :5060

Customer: IP: ccc.ccc.ccc.ccc
Customer Listen Port: 5060

Transport : TCP


######Cisco Router Firewall Access List#####
access-list 100 permit tcp host ccc.ccc.ccc.ccc host bbb.bbb.bbb.bbb eq 5060

#####Call Setup ########

A-leg comes to BSS, and BSS initiates B-leg and establishes a TCP connection on the customer's IP.

    1. BSS sends the INVITE using TCP with source port 12345 and destination port 5060.
    2. Customer responds to the INVITE on TCP port 12345.


If TCP port 12345 is not open on my firewall, then it is going to block that connection.

In the production environment, the firewall does not even let the TCP handshake complete if 12345 is not open.
janP

Posted: Fri Aug 30, 2019 11:46 am

What kind of SIP client is the customer using?

Does your Cisco Router Firewall close an outgoing TCP connection just after the local entity sends a message over TCP? (If so, you cannot access the web from behind the router.)

According to RFC 3261:
Quote:
If the "sent-protocol" is a reliable transport protocol such as
TCP or SCTP, or TLS over those, the response MUST be sent using
the existing connection to the source of the original request
that created the transaction, if that connection is still open.

So your customer's SIP client must send a SIP response back over the same transport connection on which the INVITE was received.
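
Added example, not part of the original thread and not Brekeke or Cisco code: a small first-match model of the posted access-list 100, evaluated against the customer's reply to the B-leg connection from source port 12345. It assumes the list is applied statelessly to traffic arriving from the customer, which the thread does not state; the addresses are constructed stand-ins for bbb.bbb.bbb.bbb and ccc.ccc.ccc.ccc. The second list adds an entry with the IOS `established` keyword (match only segments with ACK or RST set) as one way to admit replies on the existing connection without opening a port range.

```python
from dataclasses import dataclass
from typing import Optional

BSS = "192.0.2.10"          # constructed stand-in for bbb.bbb.bbb.bbb
CUSTOMER = "198.51.100.20"  # constructed stand-in for ccc.ccc.ccc.ccc

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment

@dataclass(frozen=True)
class Rule:  # one "permit tcp host <src> [eq sport] host <dst> [eq dport] [established]"
    src: str
    dst: str
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None
    established: bool = False    # IOS keyword: ACK or RST must be set

    def matches(self, p: Packet) -> bool:
        if (p.src, p.dst) != (self.src, self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return not self.established or bool(p.flags & {"ACK", "RST"})

def permitted(acl, p):
    """Permit-only list: any match permits, otherwise the implicit deny applies."""
    return any(rule.matches(p) for rule in acl)

# Segments arriving from the customer (constructed samples).
PACKETS = {
    "inbound_call": Packet(CUSTOMER, 40000, BSS, 5060, frozenset({"SYN"})),
    "bleg_syn_ack": Packet(CUSTOMER, 5060, BSS, 12345, frozenset({"SYN", "ACK"})),
    "unsolicited_syn": Packet(CUSTOMER, 5060, BSS, 12345, frozenset({"SYN"})),
}

ACL_POSTED = [Rule(CUSTOMER, BSS, dport=5060)]
# Same list plus: permit tcp host ccc.ccc.ccc.ccc eq 5060 host bbb.bbb.bbb.bbb established
ACL_WITH_ESTABLISHED = ACL_POSTED + [Rule(CUSTOMER, BSS, sport=5060, established=True)]

def verdicts(acl):
    return {name: permitted(acl, p) for name, p in PACKETS.items()}
```

The `established` match looks only at TCP flags and does not track connections, so it is weaker than a stateful inspection rule.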
All times are GMT - 7 Hours