CME and VoIP access list to prevent toll fraud question

etmarcof
Level 3

Hi,

I have CME and internet access on the same 2821 running IOS 12.4.24T1. So I have configured the following ACL on the dialer 0 interface.

access-list 102 remark +++ Block IN Internet VOIP Traffic +++
access-list 102 deny tcp any host X.X.X.X eq 5060
access-list 102 deny udp any host X.X.X.X eq 5060
access-list 102 deny tcp any host X.X.X.X eq 5061
access-list 102 deny udp any host X.X.X.X eq 5061
access-list 102 deny tcp any host X.X.X.X eq 1720
access-list 102 deny tcp any host X.X.X.X eq 1719
access-list 102 deny tcp any host X.X.X.X eq 1718
access-list 102 deny tcp any host X.X.X.X eq 2000
access-list 102 deny udp any host X.X.X.X eq 2000
access-list 102 deny udp any any eq snmp
access-list 102 deny udp any any eq snmptrap
access-list 102 permit ip any any

Where X.X.X.X is the public IP address of my internet connection.

When I telnet to this IP address on port 5060 (or 5061, or 2000, or 1718, or 1719), for example, the connection is refused, but when I telnet to 1720 I get a black screen, so the connection is accepted.

Any ideas why this is happening, or what else I have to configure?

Best Regards

MC

3 Replies

For what it's worth, this is my template, which matches pretty closely:

access-list 101 remark **** SIP CUSTOMERS ****
access-list 101 permit udp host x.x.x.x any eq 5060
access-list 101 permit tcp host x.x.x.x any eq 5060
access-list 101 remark **** H323 CUSTOMERS ****
access-list 101 permit udp host x.x.x.x any eq 1720
access-list 101 permit udp host x.x.x.x any eq 1719
access-list 101 permit udp host x.x.x.x any eq 1718
access-list 101 permit tcp host x.x.x.x any eq 1720
access-list 101 permit tcp host x.x.x.x any eq 1719
access-list 101 permit tcp host x.x.x.x any eq 1718
access-list 101 remark **** DENY ALL ELSE ****
access-list 101 deny udp any any eq 1720
access-list 101 deny udp any any eq 1719
access-list 101 deny udp any any eq 1718
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any any eq 1719
access-list 101 deny tcp any any eq 1718
access-list 101 deny udp any any eq 5060
access-list 101 deny tcp any any eq 5060
access-list 101 remark **** NOW PERMIT ALL ****
access-list 101 permit ip any any

I don't see any reason why you should be able to telnet to 1720. Are you sure it's not just a black screen that isn't connecting?

-nick
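As an added example (not the original poster's or Nick's configuration, and not a Cisco tool), here is a small Python evaluator for the extended numbered ACL syntax that both lists in this thread use. It models IOS first-match semantics with the implicit deny at the end of every list, so you can work out which signalling ports a list still leaves reachable from an arbitrary Internet host before trusting a telnet test. Assumptions: it understands only the subset the thread uses (ip/tcp/udp, `any` or `host A.B.C.D`, an optional `eq <port>` after source and/or destination, remark lines); the placeholder addresses X.X.X.X and x.x.x.x are kept as written in the thread; 198.51.100.7 is a constructed TEST-NET-2 address standing in for "anyone on the Internet"; the function and variable names are this example's own.

```python
# Added example: first-match evaluator for the IOS extended numbered ACL subset used in this
# thread. It reasons about the list text only; it cannot tell whether the list is applied
# inbound on the interface the traffic really enters (that is what 'show' output checks).
from collections import namedtuple
from typing import Optional

PORT_NAMES = {"snmp": 161, "snmptrap": 162, "telnet": 23, "www": 80}  # subset of IOS port names

# src/dst None means 'any'; src_port/dst_port None means any port
AclEntry = namedtuple("AclEntry", "action proto src src_port dst dst_port")


def _addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def _maybe_eq(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; port names resolve via PORT_NAMES."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i


def parse_acl(text, number):
    """Return the entries of access-list <number> in configuration order, skipping remarks."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", number] or tokens[2] == "remark":
            continue
        src, i = _addr(tokens, 4)
        src_port, i = _maybe_eq(tokens, i)
        dst, i = _addr(tokens, i)
        dst_port, i = _maybe_eq(tokens, i)
        entries.append(AclEntry(tokens[2], tokens[3], src, src_port, dst, dst_port))
    return entries


def evaluate(entries, proto, src, dst, dst_port=None, src_port=None):
    """First matching entry decides; returns (action, entry index), index None for the implicit deny."""
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", proto):
            continue
        if e.src not in (None, src) or e.dst not in (None, dst):
            continue
        if e.src_port not in (None, src_port) or e.dst_port not in (None, dst_port):
            continue
        return e.action, idx
    return "deny", None


SIGNALLING_PORTS = [5060, 5061, 1720, 1719, 1718, 2000]  # SIP, H.225, RAS and SCCP ports from the thread


def exposed_signalling_ports(entries, public_ip, untrusted_src="198.51.100.7"):
    """(proto, port) pairs on public_ip reachable from an arbitrary host.
    untrusted_src is a constructed TEST-NET-2 address standing in for 'anyone'."""
    return sorted((proto, port) for proto in ("tcp", "udp") for port in SIGNALLING_PORTS
                  if evaluate(entries, proto, untrusted_src, public_ip, port)[0] == "permit")


# The two lists from the thread, placeholder addresses kept as written.
ORIGINAL_ACL = """\
access-list 102 remark +++ Block IN Internet VOIP Traffic +++
access-list 102 deny tcp any host X.X.X.X eq 5060
access-list 102 deny udp any host X.X.X.X eq 5060
access-list 102 deny tcp any host X.X.X.X eq 5061
access-list 102 deny udp any host X.X.X.X eq 5061
access-list 102 deny tcp any host X.X.X.X eq 1720
access-list 102 deny tcp any host X.X.X.X eq 1719
access-list 102 deny tcp any host X.X.X.X eq 1718
access-list 102 deny tcp any host X.X.X.X eq 2000
access-list 102 deny udp any host X.X.X.X eq 2000
access-list 102 deny udp any any eq snmp
access-list 102 deny udp any any eq snmptrap
access-list 102 permit ip any any
"""

TEMPLATE_ACL = """\
access-list 101 permit udp host x.x.x.x any eq 5060
access-list 101 permit tcp host x.x.x.x any eq 5060
access-list 101 permit udp host x.x.x.x any eq 1720
access-list 101 permit udp host x.x.x.x any eq 1719
access-list 101 permit udp host x.x.x.x any eq 1718
access-list 101 permit tcp host x.x.x.x any eq 1720
access-list 101 permit tcp host x.x.x.x any eq 1719
access-list 101 permit tcp host x.x.x.x any eq 1718
access-list 101 deny udp any any eq 1720
access-list 101 deny udp any any eq 1719
access-list 101 deny udp any any eq 1718
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any any eq 1719
access-list 101 deny tcp any any eq 1718
access-list 101 deny udp any any eq 5060
access-list 101 deny tcp any any eq 5060
access-list 101 permit ip any any
"""
```

Running `evaluate(parse_acl(ORIGINAL_ACL, "102"), "tcp", "198.51.100.7", "X.X.X.X", 1720)` returns `("deny", 4)`: as written, list 102 does block TCP 1720, which is why Nick sees no reason for the telnet to connect. `exposed_signalling_ports` on list 102 reports UDP 1718, 1719 and 1720 as still reachable (the list only denies them over TCP, while the template denies both transports), and on list 101 it reports TCP/UDP 5061 and 2000, which that template does not mention. Neither result says anything about the running router: the evaluator only reads the list text, so whether the list is applied in the right direction on the interface the packets actually arrive on still has to be checked on the box.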

Hi Nick,

For the other ports I get a refused connection when I try to telnet using those ports, but for port 1720, like I said, a black screen appears. How could I check on the router if the session is established?

Thanks

Best Regards

MC

You can try 'show tcp brief' to see if there is a session open. 'show tcp detail' may also be helpful.

-nick