VCS Expressway firewall protection not taking effect

ccg-collab1
Level 2

I'm having difficulty on the usage of firewall protection of VCS Expressway. We need to block public connection on accessing SSH and HTTPS ports of our VCS E and allow only 2-3 IP Addresses.

Hoping for a help.

5 Replies

Patrick Sparkman
VIP Alumni

What are you having difficulty understanding? It's pretty straightforward to configure. You define a range of IPs by specifying an IP/Prefix, select the service you want to block (for example: HTTPS or SSH admin), then select the action you want to apply (allow, drop, or reject) if they match any IP in the chosen range using the selected service. Once you have your rules configured, you need to activate the firewall rules. Rules with the highest priority will be applied first, so be sure to have all of your allow rules appear first before your deny rules.

If you want to specify a single IP address, use a prefix length of 32.

Hi Patrick, yes it is. We already configured the IP addresses that need to be allowed; however, how can we block all other public IP addresses from accessing the VCS E HTTPS? Please advise your recommended reconfiguration for it.

I'm not a network expert, but possibly an IP of 255.255.255.255 with a subnet length of 0; the address range will be 0.0.0.0 - 255.255.255.255. Remember, any deny or reject rule should have a low priority, below any allow rule.

Ideally you should configure your network firewall to allow and block incoming traffic from the public internet to your VCS-E, rather than the VCS' internal firewall.
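To make the two points in the replies above concrete (a /0 prefix covers the whole IPv4 range, and a catch-all drop must sit below the allow rules), here is a small added example that is not from this thread and not Cisco's own configuration or API. It models a priority-ordered rule list with the same three fields the reply describes (IP/prefix, service, action); the field names, the "lower number is evaluated first" convention, the default-allow when nothing matches, and the 203.0.113.x addresses are all assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical model of a priority-ordered firewall rule list in the style of the
# VCS Expressway rules discussed in the thread. Field names and the evaluation
# loop are this example's assumptions, not the product's own API.


@dataclass(frozen=True)
class Rule:
    priority: int                    # assumed: lower number is evaluated first
    network: ipaddress.IPv4Network   # IP/prefix the rule matches
    service: str                     # e.g. "HTTPS" or "SSH admin"
    action: str                      # "allow", "drop", or "reject"


def make_rule(priority: int, cidr: str, service: str, action: str) -> Rule:
    # strict=False lets "255.255.255.255/0" normalise to 0.0.0.0/0, i.e. the
    # entire IPv4 range 0.0.0.0 - 255.255.255.255 that the reply describes.
    return Rule(priority, ipaddress.ip_network(cidr, strict=False), service, action)


def evaluate(rules: List[Rule], src_ip: str, service: str) -> str:
    """Return the action of the first rule (in priority order) whose network
    contains src_ip and whose service matches; 'allow' if nothing matches
    (assumed default for this model)."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.service == service and src in rule.network:
            return rule.action
    return "allow"


def audit(rules: List[Rule]) -> List[str]:
    """Flag a catch-all (/0) drop/reject that is evaluated before an allow rule
    for the same service: every allow below it is shadowed and never matches."""
    findings: List[str] = []
    by_service: Dict[str, List[Rule]] = {}
    for rule in sorted(rules, key=lambda r: r.priority):
        by_service.setdefault(rule.service, []).append(rule)
    for service, ordered in by_service.items():
        catch_all_seen_at = None
        for rule in ordered:
            if rule.action in ("drop", "reject") and rule.network.prefixlen == 0:
                catch_all_seen_at = catch_all_seen_at or rule.priority
            elif rule.action == "allow" and catch_all_seen_at is not None:
                findings.append(
                    f"{service}: allow for {rule.network} at priority {rule.priority} "
                    f"is shadowed by catch-all rule at priority {catch_all_seen_at}"
                )
    return findings


# Constructed rule set: two management hosts may reach HTTPS, one may reach
# SSH admin, and a low-priority catch-all drops everything else per service.
ADMIN_RULES = [
    make_rule(1, "203.0.113.10/32", "HTTPS", "allow"),
    make_rule(2, "203.0.113.11/32", "HTTPS", "allow"),
    make_rule(1, "203.0.113.10/32", "SSH admin", "allow"),
    make_rule(100, "255.255.255.255/0", "HTTPS", "drop"),
    make_rule(100, "0.0.0.0/0", "SSH admin", "drop"),
]

# The ordering mistake the reply warns about: the catch-all drop placed first.
MISORDERED_RULES = [
    make_rule(1, "0.0.0.0/0", "HTTPS", "drop"),
    make_rule(2, "203.0.113.10/32", "HTTPS", "allow"),
]

if __name__ == "__main__":
    print("admin host HTTPS:", evaluate(ADMIN_RULES, "203.0.113.10", "HTTPS"))
    print("other host HTTPS:", evaluate(ADMIN_RULES, "198.51.100.5", "HTTPS"))
    print("misordered admin:", evaluate(MISORDERED_RULES, "203.0.113.10", "HTTPS"))
    for finding in audit(MISORDERED_RULES):
        print("audit:", finding)
```

Running the block prints that the admin host is allowed and an arbitrary Internet host is dropped under `ADMIN_RULES`, while under `MISORDERED_RULES` the same admin host is dropped and `audit` reports the shadowed allow rule, which is the check worth running before activating the rules.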

Hi Patrick,

Already done that before posting here in the Cisco Community, but unsuccessfully. Our challenge from the firewall side is that the end user support team is not aware of how our VCS E is connected on the network, which is the reason we are trying to adjust it from the VCS E side.

Have you ever tried to test the automated detection instead?

No, never used the firewall protection or automated detection features of the VCS.