09-25-2018 09:34 AM - edited 03-17-2019 01:31 PM
Hello,
I'm probably overlooking something here but I have an urgent need for blocking outside traffic to hairpin to a CME 12 router (ISR4331 with IOS 16). Since yesterday our provider notified us that we have a breach on this box that is being used to dial out to toll numbers. We only use IP Phones 88xx SIP and dial in/out via a SIP trunk.
I'm trying to build an extended ACL that I can use to block traffic on the WAN interface. The issue is that this router is also used as a normal internet router for that branch and therefore runs NAT.
Is there any way of adding something like the below to the "outside" interface of the NAT?
object-group network ISP-addresses
host 1.2.3.4
host 1.2.3.5
host 1.2.3.6
ip access-list extended SIP-INBOUND
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
permit tcp object-group ISP-addresses eq 5060 any
permit tcp object-group ISP-addresses eq 5061 any
permit udp object-group ISP-addresses eq 5060 any
permit ip any any
09-25-2018 04:53 PM
Why the permit ip any any at the end?
Why not do:
ip access-list extended SIP-INBOUND
permit tcp object-group ISP-addresses any eq 5061
permit tcp object-group ISP-addresses any eq 5060
permit udp object-group ISP-addresses any eq 5060
permit tcp object-group ISP-addresses eq 5060 any
permit tcp object-group ISP-addresses eq 5061 any
permit udp object-group ISP-addresses eq 5060 any
deny tcp any eq 5060 any
deny tcp any eq 5061 any
permit ip any any
09-26-2018 12:11 AM
Hello Dennis,
Thank you for your reply, I think I haven't been really clear on what the issue is.
Because this router is running NAT, when I apply the ACL to the WAN interface
everything stops working. It does have the "ip nat inside source list ACL-NAME interface GigabitEthernet 0/0/0 overload" active.
I can't figure out how to apply the ACL for incoming requests.
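As an added example (not configuration posted by anyone in this thread), here is how the inbound WAN ACL being discussed could be written so that only the provider may reach SIP on the router itself, unsolicited SIP from anywhere else is dropped and logged, and all other traffic (including NAT return traffic) is left alone. It assumes the WAN interface is GigabitEthernet0/0/0 as named above, with the placeholder public address 203.0.113.10; the provider hosts are the ones from the original post. On IOS the inbound ACL on the outside interface is evaluated before NAT for outside-to-inside traffic, so the destination the ACL sees is the untranslated public address of the router.

```cisco
! Constructed example. Placeholder WAN address 203.0.113.10;
! provider hosts taken from the original post.
object-group network ISP-addresses
 host 1.2.3.4
 host 1.2.3.5
 host 1.2.3.6
!
ip access-list extended SIP-INBOUND
 remark SIP (UDP/TCP 5060) and SIP/TLS (TCP 5061) to this router only from the provider
 permit tcp object-group ISP-addresses host 203.0.113.10 eq 5060
 permit tcp object-group ISP-addresses host 203.0.113.10 eq 5061
 permit udp object-group ISP-addresses host 203.0.113.10 eq 5060
 remark Drop and log SIP aimed at the router from any other source
 deny   tcp any host 203.0.113.10 eq 5060 log
 deny   tcp any host 203.0.113.10 eq 5061 log
 deny   udp any host 203.0.113.10 eq 5060 log
 remark Everything else (NAT return traffic, general Internet) keeps flowing
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group SIP-INBOUND in
```

The hit counters in "show access-lists SIP-INBOUND" and the logged deny entries show whether registration attempts from outside are still arriving after the ACL is applied.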
09-26-2018 07:38 AM - edited 09-26-2018 07:40 AM
Hello Asfal,
Thank you for your reply; we have a trusted list in place for the trunk, this is not the issue. The issue is that I need to secure the WAN interface to not allow SIP registers outside of our LAN. On the trusted list is also just our internal IP range + provider but they still manage to connect to the CME externally.
09-26-2018 12:55 PM
Thanks nipun,
But the box is a 4331, not really willing to run CoPP on it.