12-06-2015 03:48 PM - edited 03-05-2019 02:52 AM
I'm embarrassed to have to ask this, but it's been so long since I have actually had to write an access list, I'm doubting myself.
I have a 800 series router running IOS 12.4 which is used by a small business I occasionally do work for. The business has a /24 of live (non RFC1918) IPv4 addresses inside it which is used for numerous devices, which is delivered via ethernet from an ISP NTU.
Most of them are secure enough that I don't worry about them, but they've just added a VoIP phone gateway which is completely insecure - beyond a password on the management interface - and even that is HTTP only (not even HTTPS).
I want to put an access restriction on the interface which plugs into the ISP NTU to block everything except the authorised SIP host from connecting to the gateway - I know it's not perfect, but it's better than what is there now - while not interrupting access to any other devices.
I've so far got this (Interface F4 is the incoming link from the ISP NTU)
access-list 101 remark Blocks anything but SIP to Phone gateway
access-list 101 permit ip host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
access-list 101 deny ip any host YYY.YYY.YYY.YYY
access-list 101 permit ip any any
interface F4
ip access-group 101 in
Will this permit only connections from XXX.XXX.XXX.XXX to the internal host YYY.YYY.YYY.YYY, and allow unfettered access to any other IP address on the inside? Or have I missed something?
Thanks.
12-06-2015 04:16 PM
Hello,
Your access-list is correct.
access-list 101 permit ip host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
it permits host XX to access host YY
***************************
access-list 101 deny ip any host YYY.YYY.YYY.YYY
It denies others to access YY
***************************
access-list 101 permit ip any any
It permits every other access to your other hosts.
************************
interface F4
ip access-group 101 in
It controls traffic coming from the ISP to your network.
Masoud
12-06-2015 04:20 PM
Thank you Sir. Appreciate the response, and glad my memory isn't as bad as I thought it was!
12-06-2015 04:52 PM
You are very welcome. You can also be more strict.
access-list 101 permit udp host XX host YY eq 5060
access-list 101 permit udp host XX host YY eq 5061
access-list 101 deny ip any host YYY.YYY.YYY.YYY log [in case you run into connection problems]
access-list 101 permit ip any any
Please check the link below. I thought it might be helpful.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_protocol_cbac_fw/configuration/12-4t/sec-prot-cbac-fw-12-4t-book/sec-prot-fw-sup-sip.html
Masoud
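To make the first-match behaviour of both ACLs in this thread concrete, here is a small evaluator written for this page. It is an added example, not code from the thread, from Cisco or from IOS itself: it parses the `access-list 101 ...` lines exactly as posted, numbers them 10, 20, 30 as `show access-lists` would, walks them top to bottom, and falls through to the implicit `deny ip any any`. The addresses are constructed documentation-range addresses standing in for the thread's XXX.XXX.XXX.XXX (authorised SIP host) and YYY.YYY.YYY.YYY (phone gateway); the interface names, scenario names and the `inbound_decision` helper are assumptions made for the illustration.

```python
"""First-match evaluator for IOS-style numbered extended ACLs (added example,
not code from the thread or from Cisco). It models how IOS walks access-list 101
top to bottom, stops at the first matching entry and falls through to the
implicit 'deny ip any any'. Only the syntax used in the thread is supported."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed documentation-range addresses standing in for the thread's
# XXX.XXX.XXX.XXX (authorised SIP host) and YYY.YYY.YYY.YYY (phone gateway).
SIP_HOST = "198.51.100.10"
GATEWAY = "203.0.113.20"
OTHER_INSIDE = "203.0.113.21"  # another host in the business's /24
OUTSIDER = "192.0.2.99"        # any non-authorised Internet host

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    seq: int                   # number as 'show access-lists' prints it
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: Optional[str]         # None means 'any'
    dst: Optional[str]
    dport: Optional[int]       # from 'eq <port>'
    log: bool                  # 'log' keyword: matches produce a syslog message

def _address(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume 'any' or 'host A.B.C.D' starting at tok[i]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("only 'host' and 'any' are supported: " + " ".join(tok))

def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N ...' lines; remarks get no sequence number and the
    entries are numbered 10, 20, 30 ... as IOS does for a numbered ACL."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _address(tok, 4)
        dst, i = _address(tok, i)
        dport, log = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError("unsupported keyword: " + tok[i])
        aces.append(Ace(10 * (len(aces) + 1), tok[2], tok[3], src, dst, dport, log))
    return aces

def decide(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, matched seq). (deny, None) is the implicit deny at the end."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src not in (None, pkt.src) or ace.dst not in (None, pkt.dst):
            continue
        if ace.dport not in (None, pkt.dport):
            continue
        return ace.action, ace.seq
    return "deny", None

def inbound_decision(applied_on: str, arrives_on: str, aces: List[Ace],
                     pkt: Packet) -> Tuple[str, Optional[int]]:
    """'ip access-group 101 in' is consulted only for packets entering that
    interface; traffic entering any other interface bypasses it entirely."""
    return decide(aces, pkt) if applied_on == arrives_on else ("permit", None)

ORIGINAL_ACL = f"""
access-list 101 remark Blocks anything but SIP to Phone gateway
access-list 101 permit ip host {SIP_HOST} host {GATEWAY}
access-list 101 deny ip any host {GATEWAY}
access-list 101 permit ip any any
"""

STRICT_ACL = f"""
access-list 101 permit udp host {SIP_HOST} host {GATEWAY} eq 5060
access-list 101 permit udp host {SIP_HOST} host {GATEWAY} eq 5061
access-list 101 deny ip any host {GATEWAY} log
access-list 101 permit ip any any
"""

# Constructed sample traffic as it would arrive on F4 from the ISP.
SCENARIOS: Dict[str, Packet] = {
    "sip_host_sip_to_gateway": Packet(SIP_HOST, GATEWAY, "udp", 5060),
    "sip_host_web_to_gateway": Packet(SIP_HOST, GATEWAY, "tcp", 80),
    "outsider_web_to_gateway": Packet(OUTSIDER, GATEWAY, "tcp", 80),
    "outsider_web_to_other_host": Packet(OUTSIDER, OTHER_INSIDE, "tcp", 80),
}

def decisions(acl_text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Run every scenario through the given ACL text."""
    aces = parse_acl(acl_text)
    return {name: decide(aces, pkt) for name, pkt in SCENARIOS.items()}
```

Running `decisions(ORIGINAL_ACL)` shows the original list doing exactly what the question asked: the SIP host reaches the gateway on anything (entry 10), every other source hits entry 20, and traffic to any other inside host passes on entry 30. The stricter list changes one thing worth noticing: the SIP host's own non-SIP traffic to the gateway (the HTTP management page, for instance) now falls through to the logged deny, so the `log` keyword will also record the authorised host if it ever tries anything other than UDP 5060/5061. `inbound_decision` models the mistake reported later in the thread: an ACL bound `in` on the wrong interface is simply never consulted for packets arriving on F4.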
12-06-2015 07:47 PM
Don't really need to be stricter - but for some reason, this is not triggering on traffic to the specific host concerned, and I can't figure out why.
show access-lists
Extended IP access list 101
10 permit ip host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
20 deny ip any host YYY.YYY.YYY.YYY
30 permit ip any any (58 matches)
the access list is plainly being processed (the matches on the third statement show that), yet I can still access the restricted IP address from a non-permitted host.
Can you shed any light?
Edit : No matter. Made it work. Applied it to the wrong interface by mistake. Doh! Thanks again!
12-06-2015 08:15 PM
I was confused until I saw your last sentence. Is it working now?
Masoud