10-31-2016 11:12 AM - edited 03-05-2019 07:23 AM
Hi,
I want to apply an ACL on the WAN interface facing the ISP, which is configured with a public IP. Our router model is a 2921 ISR and we are also running SIP trunk services on the same router.
We have one video conference endpoint device with a public IP NATed to a private IP.
We also have one site-to-site IPsec VPN with a far site.
Our goal is to block unnecessary hits to our internal network from outside, as we don't have any firewall on the edge, so I want to achieve this through an ACL and need experts' help in this regard.
While blocking external traffic I want to allow specific public IPs which can dial to our video conference endpoint; we have public IPs on both ends. I also don't want to disturb VPN traffic and SIP traffic for inbound and outbound calls.
ip access-list extended ExternalAccess
 remark allow far-site video endpoint with complete pool
 permit ip 212.16.178.169 0.0.0.3 37.56.78.33 0.0.0.3
 deny ip any 37.56.78.33 0.0.0.3
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group ExternalAccess in
Thanks
Shahzad
10-31-2016 01:51 PM
Hello Shahzad,
Take a look at this post and the response from Karsten Iwen; he proposes a very efficient access list and optional inspection:
https://supportforums.cisco.com/discussion/11605286/access-lists-internet-router
11-02-2016 12:05 AM
Hi,
If I add "ip inspect" commands, traffic will be matched against the session table, which means that to allow somebody to dial our Polycom from their side we first have to dial from our side to add them to the session table, right?
Thanks
Shahzad
11-02-2016 01:34 AM
Hello Shahzad,
If you explicitly allow your Polycom traffic in both directions, it will not be inspected. So:
permit ip 212.16.178.169 0.0.0.3 37.56.78.33 0.0.0.3
will allow the traffic if initiated from the outside, and bypass inspection.
11-02-2016 04:46 AM
We also have an IPsec site-to-site VPN with the far site; what about that?
Do I need to explicitly allow traffic from the VPN peer in the same ACL?
permit esp any any
permit udp any any eq isakmp
Thanks
Shahzad
11-02-2016 05:31 AM
Hello Shahzad,
For VPN access, configure the following:
access-list 101 permit 50 any any
access-list 101 permit 51 any any
access-list 101 permit udp any eq 500 any eq 500
The 'any' can be replaced by the respective VPN peers.
11-02-2016 08:07 AM
Hi
Thanks for your support.
How does it impact the router's memory if we don't set any timeout values, since we will have an unlimited number of sessions established?
Thanks
Shahzad
11-02-2016 09:08 AM
Shahzad,
CBAC has default timeout values, so the number of established sessions is kept in check automatically. Have a look at this table for the relevant values:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1001343