Solved: Re: Block Everything On WAN but the sip VOIP company

alexten1983 · ‎10-23-2019

I want to block everything on my wan port all ports and Ip addresses but this

ports 5060-5080 should be allowed in order to properly communicate with the servers. Users experiencing audio issues may want to check that RTP audio is not blocked by their firewall configuration:

IP addresses/Networks

204.11.192.0/24

OR

204.11.192.0 - 204.11.192.255

66.193.176.35
66.193.176.54
66.193.176.58

Additionally, you may, but don't need to, specify the following hostnames

ns1.telengy.net
ns2.telengy.net
msw1.telengy.net
msw2.telengy.net

I'm using the 2821 router with cme 8.5 how would I go about it?

Chris Deren · ‎10-29-2019

Your configuration allows All UDP and TCP traffic in and out from hosts 66.193.176.35, 66.193.176.54, 66.193.176.58 and subnet 204.11.192.0/24. If that is what you wanted after all, then it is correct. If you need to restrict it to specific ports only then you'll need to further tweak your rules to include only those ports.

View solution in original post

Chris Deren · ‎10-24-2019

Create access list that permits only the desired IPs and port followed by explicit deny all at the bottom of the list. Then apply this access list to your WAN interface.

alexten1983 · ‎10-24-2019

How would a command look like with ip and a subnet in the list?

access-list 100 permit tcp 204.11.192.0 255.255.255.0 eq 5060 (Can I do range of ports or do I need to type them all out?)

access-list 100 deny ip any any

Chris Deren · ‎10-24-2019

You can do ranges, here is an example. You also do not to have deny all at the end as all ACL have explosive deny at the end:

ip access-list extended qos-VOICE-BEARER
 permit udp any range 16384 32767 any dscp ef

alexten1983 · ‎10-24-2019

If it's not too hard can you show an example with an IP subnet and a port range?

Thank You!

alexten1983 · ‎10-28-2019

Does this look right?

ip access-list extended 100

permit udp host 66.193.176.35 eq 1719 any
permit tcp host 66.193.176.35 eq 1720 any
permit tcp host 66.193.176.35 range 11000 11999 any
permit udp host 66.193.176.35 range 5060 5080 any
permit tcp host 66.193.176.35 range 2000 2002 any
permit udp host 66.193.176.35 eq 5061 any

permit udp host 66.193.176.54 eq 1719 any
permit tcp host 66.193.176.54 eq 1720 any
permit tcp host 66.193.176.54 range 11000 11999 any
permit udp host 66.193.176.54 range 5060 5080 any
permit tcp host 66.193.176.54 range 2000 2002 any
permit udp host 66.193.176.54 eq 5061 any

permit udp host 66.193.176.58 eq 1719 any
permit tcp host 66.193.176.58 eq 1720 any
permit tcp host 66.193.176.58 range 11000 11999 any
permit udp host 66.193.176.58 range 5060 5080 any
permit tcp host 66.193.176.58 range 2000 2002 any
permit udp host 66.193.176.58 eq 5061 any

permit udp 204.11.192.0 255.255.255.0 eq 1719 any
permit tcp 204.11.192.0 255.255.255.0 eq 1720 any
permit tcp 204.11.192.0 255.255.255.0 range 11000 11999 any
permit udp 204.11.192.0 255.255.255.0 range 5060 5080 any
permit tcp 204.11.192.0 255.255.255.0 range 2000 2002 any
permit udp 204.11.192.0 255.255.255.0 eq 5061 any

deny ip any any

alexten1983 · ‎10-28-2019

The only thing is when I do sh access-list i get

Extended IP access list 100
10 permit udp host 66.193.176.35 eq 1719 any
20 permit tcp host 66.193.176.35 eq 1720 any
30 permit tcp host 66.193.176.35 range 11000 11999 any
40 permit udp host 66.193.176.35 range 5060 5080 any
50 permit tcp host 66.193.176.35 range 2000 2002 any
60 permit udp host 66.193.176.35 eq 5061 any
70 permit udp host 66.193.176.54 eq 1719 any
80 permit tcp host 66.193.176.54 eq 1720 any
90 permit tcp host 66.193.176.54 range 11000 11999 any
100 permit udp host 66.193.176.54 range 5060 5080 any
110 permit tcp host 66.193.176.54 range 2000 2002 any
120 permit udp host 66.193.176.54 eq 5061 any
130 permit udp host 66.193.176.58 eq 1719 any
140 permit tcp host 66.193.176.58 eq 1720 any
150 permit tcp host 66.193.176.58 range 11000 11999 any
160 permit udp host 66.193.176.58 range 5060 5080 any
170 permit tcp host 66.193.176.58 range 2000 2002 any
180 permit udp host 66.193.176.58 eq 5061 any
190 permit udp 0.0.0.0 255.255.255.0 eq 1719 any
200 permit tcp 0.0.0.0 255.255.255.0 eq 1720 any
210 permit tcp 0.0.0.0 255.255.255.0 range 11000 11999 any
220 permit udp 0.0.0.0 255.255.255.0 range 5060 5080 any
230 permit tcp 0.0.0.0 255.255.255.0 range 2000 2002 any
240 permit udp 0.0.0.0 255.255.255.0 eq 5061 any
250 deny ip any any

Why in 190 it shows up as 0.0.0.0?

alexten1983 · ‎10-28-2019

I think I found out why it should be

permit udp 204.11.192.0 0.0.0.255 eq 1719 any

alexten1983 · ‎10-28-2019

I have a new problem now. Ones I do that acl I get one-way audio. So I made it more simple

Extended IP access list 100
10 permit ip host 66.193.176.35 any
20 permit ip host 66.193.176.54 any
30 permit ip host 66.193.176.58 any
40 permit ip 204.11.192.0 0.0.0.255 any
50 deny ip any any

And I still get one-way audio

what can be the problem?

Chris Deren · ‎10-28-2019

Your ACL defines only the source host but not destination, you need to make sure you allow the reverse traffic to be trusted as well. Here is good doc on writing ACLs:

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

alexten1983 · ‎10-28-2019

Yeah, that's the link I was going off to try to get this going and to understand it. You say I don't have a destination but my destination is any. The point of all this is to only allow IP's that I know of to the whole router and deny all other. and with this config, I get one-way audio.

Extended IP access list 100
10 permit ip host 66.193.176.35 any
20 permit ip host 66.193.176.54 any
30 permit ip host 66.193.176.58 any
40 permit ip 204.11.192.0 0.0.0.255 any
50 deny ip any any

alexten1983 · ‎10-28-2019

Or when I do this

interface GigabitEthernet0/1
ip address (Publick Ip) 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

Extended IP access list 100
10 deny tcp any eq www any (2 matches)
20 deny tcp any eq telnet any
30 permit ip any any (124744 matches)

I'm able to telnet and get to the web interface and when I use a site to scan my ports from outside it shows that they are open.

Chris Deren · ‎10-28-2019

What are the 66.x.x.x addresses? Are these interfaces on your router?

Can you specify what are you planning on blocking, and it from this router out to to this router from outside? This will determine what your source needs to be and if you apply it as IN or OUT on the WAN interface.

alexten1983 · ‎10-28-2019

So let's say I want to block www and telnet and let all other in.

alexten1983 · ‎10-28-2019

I did this and the audio is working just want to make sure that its blocking everything other then whats in the list please let me know if that looks good.

xtended IP access list 199
10 permit tcp host 66.193.176.35 any
20 permit udp host 66.193.176.35 any
30 permit tcp host 66.193.176.54 any
40 permit udp host 66.193.176.54 any
50 permit tcp host 66.193.176.58 any
60 permit udp host 66.193.176.58 any
70 permit tcp 204.11.192.0 0.0.0.255 any
80 permit udp 204.11.192.0 0.0.0.255 any (12242 matches)
90 permit tcp any host 66.193.176.35
100 permit udp any host 66.193.176.35
110 permit tcp any host 66.193.176.54
120 permit udp any host 66.193.176.54
130 permit tcp any host 66.193.176.58
140 permit udp any host 66.193.176.58
150 permit tcp any 204.11.192.0 0.0.0.255
160 permit udp any 204.11.192.0 0.0.0.255
170 deny ip any any (20 matches)