10-23-2019 10:22 AM - edited 10-23-2019 10:39 AM
I want to block everything on my WAN port, all ports and IP addresses, except these:
Ports 5060-5080 should be allowed in order to properly communicate with the servers. Users experiencing audio issues may want to check that RTP audio is not blocked by their firewall configuration:
IP addresses/Networks
204.11.192.0/24
OR
204.11.192.0 - 204.11.192.255
66.193.176.35
66.193.176.54
66.193.176.58
Additionally, you may, but don't need to, specify the following hostnames:
ns1.telengy.net
ns2.telengy.net
msw1.telengy.net
msw2.telengy.net
I'm using the 2821 router with CME 8.5; how would I go about it?
10-29-2019 06:01 AM
Your configuration allows All UDP and TCP traffic in and out from hosts 66.193.176.35, 66.193.176.54, 66.193.176.58 and subnet 204.11.192.0/24. If that is what you wanted after all, then it is correct. If you need to restrict it to specific ports only then you'll need to further tweak your rules to include only those ports.
10-24-2019 06:42 AM
Create an access list that permits only the desired IPs and ports, followed by an explicit deny all at the bottom of the list. Then apply this access list to your WAN interface.
10-24-2019 04:20 PM
What would a command look like with an IP and a subnet in the list?
access-list 100 permit tcp 204.11.192.0 255.255.255.0 eq 5060 (Can I do range of ports or do I need to type them all out?)
access-list 100 deny ip any any
10-24-2019 05:53 PM
You can do ranges, here is an example. You also do not need to have a deny all at the end, as all ACLs have an implicit deny at the end:
ip access-list extended qos-VOICE-BEARER
permit udp any range 16384 32767 any dscp ef
10-24-2019 07:39 PM
If it's not too hard can you show an example with an IP subnet and a port range?
Thank You!
10-28-2019 06:53 AM - edited 10-28-2019 07:11 AM
Does this look right?
ip access-list extended 100
permit udp host 66.193.176.35 eq 1719 any
permit tcp host 66.193.176.35 eq 1720 any
permit tcp host 66.193.176.35 range 11000 11999 any
permit udp host 66.193.176.35 range 5060 5080 any
permit tcp host 66.193.176.35 range 2000 2002 any
permit udp host 66.193.176.35 eq 5061 any
permit udp host 66.193.176.54 eq 1719 any
permit tcp host 66.193.176.54 eq 1720 any
permit tcp host 66.193.176.54 range 11000 11999 any
permit udp host 66.193.176.54 range 5060 5080 any
permit tcp host 66.193.176.54 range 2000 2002 any
permit udp host 66.193.176.54 eq 5061 any
permit udp host 66.193.176.58 eq 1719 any
permit tcp host 66.193.176.58 eq 1720 any
permit tcp host 66.193.176.58 range 11000 11999 any
permit udp host 66.193.176.58 range 5060 5080 any
permit tcp host 66.193.176.58 range 2000 2002 any
permit udp host 66.193.176.58 eq 5061 any
permit udp 204.11.192.0 255.255.255.0 eq 1719 any
permit tcp 204.11.192.0 255.255.255.0 eq 1720 any
permit tcp 204.11.192.0 255.255.255.0 range 11000 11999 any
permit udp 204.11.192.0 255.255.255.0 range 5060 5080 any
permit tcp 204.11.192.0 255.255.255.0 range 2000 2002 any
permit udp 204.11.192.0 255.255.255.0 eq 5061 any
deny ip any any
10-28-2019 07:18 AM
The only thing is, when I do sh access-list I get
Extended IP access list 100
10 permit udp host 66.193.176.35 eq 1719 any
20 permit tcp host 66.193.176.35 eq 1720 any
30 permit tcp host 66.193.176.35 range 11000 11999 any
40 permit udp host 66.193.176.35 range 5060 5080 any
50 permit tcp host 66.193.176.35 range 2000 2002 any
60 permit udp host 66.193.176.35 eq 5061 any
70 permit udp host 66.193.176.54 eq 1719 any
80 permit tcp host 66.193.176.54 eq 1720 any
90 permit tcp host 66.193.176.54 range 11000 11999 any
100 permit udp host 66.193.176.54 range 5060 5080 any
110 permit tcp host 66.193.176.54 range 2000 2002 any
120 permit udp host 66.193.176.54 eq 5061 any
130 permit udp host 66.193.176.58 eq 1719 any
140 permit tcp host 66.193.176.58 eq 1720 any
150 permit tcp host 66.193.176.58 range 11000 11999 any
160 permit udp host 66.193.176.58 range 5060 5080 any
170 permit tcp host 66.193.176.58 range 2000 2002 any
180 permit udp host 66.193.176.58 eq 5061 any
190 permit udp 0.0.0.0 255.255.255.0 eq 1719 any
200 permit tcp 0.0.0.0 255.255.255.0 eq 1720 any
210 permit tcp 0.0.0.0 255.255.255.0 range 11000 11999 any
220 permit udp 0.0.0.0 255.255.255.0 range 5060 5080 any
230 permit tcp 0.0.0.0 255.255.255.0 range 2000 2002 any
240 permit udp 0.0.0.0 255.255.255.0 eq 5061 any
250 deny ip any any
Why in 190 does it show up as 0.0.0.0?
10-28-2019 08:06 AM
I think I found out why; it should be
permit udp 204.11.192.0 0.0.0.255 eq 1719 any
10-28-2019 08:26 AM
I have a new problem now. Once I do that ACL I get one-way audio. So I made it simpler:
Extended IP access list 100
10 permit ip host 66.193.176.35 any
20 permit ip host 66.193.176.54 any
30 permit ip host 66.193.176.58 any
40 permit ip 204.11.192.0 0.0.0.255 any
50 deny ip any any
And I still get one-way audio. What can be the problem?
10-28-2019 09:04 AM
Your ACL defines only the source host but not the destination; you need to make sure you allow the reverse traffic to be trusted as well. Here is a good doc on writing ACLs:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
10-28-2019 09:24 AM - edited 10-28-2019 09:24 AM
Yeah, that's the link I was going off of to try to get this going and to understand it. You say I don't have a destination, but my destination is any. The point of all this is to only allow IPs that I know of to the whole router and deny all others, and with this config I get one-way audio.
Extended IP access list 100
10 permit ip host 66.193.176.35 any
20 permit ip host 66.193.176.54 any
30 permit ip host 66.193.176.58 any
40 permit ip 204.11.192.0 0.0.0.255 any
50 deny ip any any
10-28-2019 10:05 AM
Or when I do this:
interface GigabitEthernet0/1
ip address (Public IP) 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
Extended IP access list 100
10 deny tcp any eq www any (2 matches)
20 deny tcp any eq telnet any
30 permit ip any any (124744 matches)
I'm able to telnet and get to the web interface, and when I use a site to scan my ports from outside it shows that they are open.
10-28-2019 10:11 AM
What are the 66.x.x.x addresses? Are these interfaces on your router?
Can you specify what you are planning on blocking, and is it from this router out or to this router from outside? This will determine what your source needs to be and whether you apply it as IN or OUT on the WAN interface.
10-28-2019 10:59 AM
So let's say I want to block www and telnet and let all other in.
10-28-2019 11:59 AM
I did this and the audio is working. I just want to make sure that it's blocking everything other than what's in the list; please let me know if that looks good.
Extended IP access list 199
10 permit tcp host 66.193.176.35 any
20 permit udp host 66.193.176.35 any
30 permit tcp host 66.193.176.54 any
40 permit udp host 66.193.176.54 any
50 permit tcp host 66.193.176.58 any
60 permit udp host 66.193.176.58 any
70 permit tcp 204.11.192.0 0.0.0.255 any
80 permit udp 204.11.192.0 0.0.0.255 any (12242 matches)
90 permit tcp any host 66.193.176.35
100 permit udp any host 66.193.176.35
110 permit tcp any host 66.193.176.54
120 permit udp any host 66.193.176.54
130 permit tcp any host 66.193.176.58
140 permit udp any host 66.193.176.58
150 permit tcp any 204.11.192.0 0.0.0.255
160 permit udp any 204.11.192.0 0.0.0.255
170 deny ip any any (20 matches)
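Added example, not part of this thread and not Cisco code: a small Python model of the IOS extended-ACL matching rules used above, covering two things the thread ran into. First, the mask question from the "Why in 190 does it show up as 0.0.0.0?" post: IOS takes a wildcard mask, not a subnet mask, and clears every "don't care" bit of the address before storing the entry, so `204.11.192.0 255.255.255.0` becomes `0.0.0.0` and matches any source ending in `.0` while rejecting the real `204.11.192.x` hosts. Second, evaluation of ACL 199 (as pasted above) and the earlier ACL 100 attempt against constructed sample packets, with the implicit deny at the end. `WAN_IP` is a constructed stand-in for the redacted public address; the packets are constructed, and the parser handles only the syntax that appears in this thread (`any`, `host`, address plus wildcard, `eq`/`range` ports).

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the IOS extended-ACL subset used in this thread.
# It illustrates the matching rules; it is not Cisco code.

PORT_NAMES = {"www": 80, "telnet": 23}   # named ports that appear in the thread
WAN_IP = "203.0.113.10"                  # constructed stand-in for the redacted public IP

# ACL 199 exactly as pasted in the thread; trailing "(N matches)" counters are ignored.
ACL_199 = """
Extended IP access list 199
10 permit tcp host 66.193.176.35 any
20 permit udp host 66.193.176.35 any
30 permit tcp host 66.193.176.54 any
40 permit udp host 66.193.176.54 any
50 permit tcp host 66.193.176.58 any
60 permit udp host 66.193.176.58 any
70 permit tcp 204.11.192.0 0.0.0.255 any
80 permit udp 204.11.192.0 0.0.0.255 any (12242 matches)
90 permit tcp any host 66.193.176.35
100 permit udp any host 66.193.176.35
110 permit tcp any host 66.193.176.54
120 permit udp any host 66.193.176.54
130 permit tcp any host 66.193.176.58
140 permit udp any host 66.193.176.58
150 permit tcp any 204.11.192.0 0.0.0.255
160 permit udp any 204.11.192.0 0.0.0.255
170 deny ip any any (20 matches)
"""

# The earlier web/telnet attempt from the thread. Note that "eq www" sits right
# after the source address, so it qualifies the SOURCE port, not the destination.
ACL_100_ATTEMPT = """
Extended IP access list 100
10 deny tcp any eq www any (2 matches)
20 deny tcp any eq telnet any
30 permit ip any any (124744 matches)
"""


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def _s(n):
    return str(ipaddress.IPv4Address(n))


def subnet_to_wildcard(mask):
    """Invert a subnet mask into the wildcard mask an IOS ACL expects."""
    return _s(_ip(mask) ^ 0xFFFFFFFF)


def normalize(address, wildcard):
    """IOS clears every 'don't care' bit before storing the entry; this is why
    '204.11.192.0 255.255.255.0' is displayed as 0.0.0.0 by show access-list."""
    return _s(_ip(address) & ~_ip(wildcard) & 0xFFFFFFFF)


def addr_matches(candidate, address, wildcard):
    """Wildcard semantics: only bits that are 0 in the wildcard have to agree."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(candidate) & care) == (_ip(address) & care)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_ports(tokens, i):
    """Optional 'eq N' or 'range A B'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """Parse 'show access-list' style output into (action, proto, src, sports, dst, dports)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]                      # drop the sequence number
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                 # skip the header line
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sports, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dports, i = _parse_ports(tokens, i)          # anything after this ("(N matches)") is ignored
        entries.append((action, proto, src, sports, dst, dports))
    return entries


def _in_range(port, spec):
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(entries, pkt):
    """First matching entry wins; no match at all is the implicit deny."""
    for action, proto, (sa, sw), sports, (da, dw), dports in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (addr_matches(pkt.src, sa, sw) and addr_matches(pkt.dst, da, dw)):
            continue
        if not (_in_range(pkt.sport, sports) and _in_range(pkt.dport, dports)):
            continue
        return action
    return "deny"
```

Running `evaluate(parse_acl(ACL_199), Packet("udp", "66.193.176.35", WAN_IP, 5060, 5060))` returns `"permit"`, while a TCP connection from an unlisted source returns `"deny"`, which is the behaviour the last post asks to confirm; an ICMP ping from the listed hosts is also denied, because ACL 199 only permits TCP and UDP. Against `ACL_100_ATTEMPT`, a packet from an outside host to port 80 of the router is permitted, because `deny tcp any eq www any` only matches a source port of 80.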