Extended ACL for SIP

qasimkhans8
Level 1

Hi,

I am trying to set up an ACL for SIP traffic. I have hosted a SIP server over the internet and I have 2 IP phones in the office. I receive ghost calls on both of my IP phones. I want to block all SIP traffic coming into my network except between the SIP server and both IP phones.

I set up the ACL "acl_zero_ghost_call"; when I enable it on the LAN or WAN interface, the Internet stops working.

I am running IP SLA on the router. Thanks.

Here is my running config.

track 10 ip sla 1 reachability
delay down 10 up 10
!
track 20 ip sla 2 reachability
delay down 10 up 10
!
interface GigabitEthernet0/0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 70.88.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45

!
interface FastEthernet0/0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 70.88.x.x track 10
ip route 0.0.0.0 0.0.0.0 192.168.x.x 200
!
ip access-list extended acl_BackupISP
deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended acl_Comcast
deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended acl_ITCvpn
permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended acl_internet
deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended acl_zero_ghost_call
permit udp host 50.203.x.x any eq 5060
permit udp host 50.203.x.x any eq 10000 20000
permit udp host 96.70.x.x any eq 5060
permit udp host 96.70.x.x any eq 10000 20000
permit udp host 192.168.x.x any eq 5060
permit udp host 192.168.x.x any eq 10000 20000
deny udp any any eq 5060
deny udp any any eq 10000 20000
!
ip sla 1
icmp-echo 70.88.x.x source-interface GigabitEthernet0/1
threshold 1000
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet0/0/0
threshold 1000
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
!
route-map PBR permit 10
match ip address acl_Comcast
set ip next-hop verify-availability 70.88.x.x 1 track 10
!
route-map PBR permit 20
match ip address acl_BackupISP
set ip next-hop verify-availability 192.168.x.x 2 track 20
!
route-map ISP2 permit 20
match ip address acl_internet
match interface FastEthernet0/0/0
!
route-map ISP1 permit 10
match ip address acl_internet
match interface GigabitEthernet0/1
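As an added example (not part of the post and not a Cisco tool), the Python evaluator below walks the host/any/eq/range subset of IOS extended-ACL syntax used in acl_zero_ghost_call with first-match semantics and the implicit trailing deny. It shows that the posted list, which has no final permit entry, drops every non-SIP packet, and that IOS reads `eq 10000 20000` as a list of two individual ports while `range 10000 20000` covers the whole RTP span. The addresses are constructed documentation-range stand-ins for the masked ones, and the ACL is assumed to be applied where the SIP server is the packet source.

```python
# Added example: first-match evaluator for the host/any/eq/range subset of
# IOS extended ACLs. Not the poster's config and not a Cisco implementation;
# masked x.x addresses are replaced by constructed stand-ins.
import ipaddress

def parse_ports(tok):
    """Consume an optional 'eq p1 [p2 ...]' or 'range lo hi'; return (matcher, rest)."""
    if not tok or tok[0] not in ("eq", "range"):
        return (lambda p: True), tok
    if tok[0] == "eq":  # IOS 'eq' with several numbers is a port LIST, not a range
        ports, i = set(), 1
        while i < len(tok) and tok[i].isdigit():
            ports.add(int(tok[i])); i += 1
        return (lambda p: p in ports), tok[i:]
    lo, hi = int(tok[1]), int(tok[2])  # 'range lo hi' is inclusive
    return (lambda p: lo <= p <= hi), tok[3:]

def parse_addr(tok):
    """Consume 'any' or 'host A'; return (matcher, rest)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    host = ipaddress.ip_address(tok[1])
    return (lambda ip: ip == host), tok[2:]

def parse_ace(line):
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, rest = parse_addr(tok[2:])
    sport, rest = parse_ports(rest)      # optional source-port qualifier
    dst, rest = parse_addr(rest)
    dport, _ = parse_ports(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, fs, fsp, fd, fdp in map(parse_ace, acl):
        if p in ("ip", proto) and fs(src) and fsp(sport) and fd(dst) and fdp(dport):
            return action
    return "deny"  # implicit 'deny ip any any'

SIP_SERVER = "203.0.113.10"   # constructed stand-in for the masked SIP server
ACL_POSTED = [f"permit udp host {SIP_SERVER} any eq 5060",
              f"permit udp host {SIP_SERVER} any eq 10000 20000",
              "deny udp any any eq 5060", "deny udp any any eq 10000 20000"]
# Same filter with RTP written as a range and all non-SIP traffic re-permitted
ACL_FIXED = [f"permit udp host {SIP_SERVER} any eq 5060",
             f"permit udp host {SIP_SERVER} any range 10000 20000",
             "deny udp any any eq 5060", "deny udp any any range 10000 20000", "permit ip any any"]
```

Running `evaluate(ACL_POSTED, "tcp", "198.51.100.7", 443, "192.168.20.11", 51000)` returns `deny` (returning web traffic falls through to the implicit deny), while the same packet against `ACL_FIXED` returns `permit` and SIP from an unknown source still returns `deny`.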
