11-11-2013 03:06 PM
Hi,
I am having trouble implementing an ACL to block TCP and UDP traffic on outbound ports 5060-5070. The effect is that all outbound traffic is blocked, but I don't see why this is happening. I appreciate your help in advance!
This is on a Cisco router 1921/K9 V05.
There is a current ACL in place that blocks traffic between the VLANs except it allows traffic to VLAN9. It is a Standard type rule and looks like this:
access-list 12 remark This rule allows machines to access VLAN9, but blocks all others
access-list 12 remark CCP_ACL Category=17
access-list 12 permit 192.168.9.0 0.0.0.255
access-list 12 deny 192.168.0.0 0.0.255.255
access-list 12 permit any
The new rule has to have this same functionality as above, but I believe it has to be written in the Extended format in order to also include port-level traffic control. I wrote this in the Extended format:
ip access-list extended TenantAccess1
remark CCP_ACL Category=16
permit ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
remark Block SIP VOIP out
deny udp any any range 5060 5070
deny tcp any any range 5060 5070
permit ip any any
When I apply it to the interface it blocks all outbound traffic, but I don't see why. Here's an interface config:
interface GigabitEthernet0/0.18
encapsulation dot1Q 18
ip address 192.168.18.1 255.255.255.0
ip access-group TenantAccess1 out
ip nat inside
ip virtual-reassembly in
The old interface configuration was:
interface GigabitEthernet0/0.18
encapsulation dot1Q 18
ip address 192.168.18.1 255.255.255.0
ip access-group 12 out
ip nat inside
ip virtual-reassembly in
Your help is greatly appreciated
11-12-2013 01:27 AM
Hi Dylan,
the standard ACL had permit and deny statements for the source addresses; in your extended ACL those source addresses are configured as the destinations:
permit ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
source: any
destination: 192.168.9.0/24; 192.168.0.0/16
I guess you have to change it the other way around:
permit ip 192.168.9.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
Link: Configuring IP ACLs - Extended ACLs
HTH
Rolf
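A small evaluator of Cisco ACL matching semantics, added here as an illustration and not part of either post: it parses the extended ACL as posted and Rolf's source-based version, then applies wildcard-mask, first-match evaluation to constructed sample packets leaving the router on Gi0/0.18 (so every destination is in 192.168.18.0/24).

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == 0.0.0.0 with an all-ones wildcard

def wc_match(addr, net, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def _take_addr(tok):
    """Consume 'any' or 'A.B.C.D W.X.Y.Z' from the front of the token list."""
    t = tok.pop(0)
    return ANY if t == "any" else (t, tok.pop(0))

def parse_extended(text):
    """Parse the extended-ACL subset used in the thread; remark lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _take_addr(tok), _take_addr(tok)
        ports = (int(tok[1]), int(tok[2])) if tok and tok[0] == "range" else None
        aces.append((action, proto, src, dst, ports))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, aproto, (sn, sw), (dn, dw), ports in aces:
        if (aproto in ("ip", proto) and wc_match(src, sn, sw) and wc_match(dst, dn, dw)
                and (ports is None or (dport is not None and ports[0] <= dport <= ports[1]))):
            return action
    return "deny"

# The ACL as posted: the old standard ACL's source networks ended up as destinations,
# so on an outbound ACL toward 192.168.18.0/24 the second entry matches every packet.
AS_POSTED = parse_extended("""
permit ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
deny udp any any range 5060 5070
deny tcp any any range 5060 5070
permit ip any any
""")

# Rolf's fix: the first two entries match on source instead; the rest is unchanged.
CORRECTED = parse_extended("""
permit ip 192.168.9.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny udp any any range 5060 5070
deny tcp any any range 5060 5070
permit ip any any
""")
```

Running the evaluator also shows an ordering effect worth knowing: because the permit for 192.168.9.0/24 sources precedes the two port-range denies, SIP traffic from VLAN 9 still passes the corrected list, while SIP from any other source is denied.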