ACL on WAN interface to block external access

Shahzad Ayub
Level 1

Hi,

I want to apply an ACL on the WAN interface facing the ISP, which is configured with a public IP. Our router model is a 2921 ISR, and we are also running SIP trunk services on the same router.

We have one video conference endpoint device with a public IP NATed to a private IP.

We also have one site to site ipsec vpn with a far site.

Our goal is to block unnecessary hits to our internal network from outside. As we don't have any firewall on the edge, I want to achieve this through an ACL and need an expert's help in this regard.

While blocking external traffic, I want to allow specific public IPs which can dial to our video conference endpoint; we have public IPs on both ends. I also don't want to disturb VPN traffic and SIP traffic for inbound and outbound calls.

ip access-list extended ExternalAccess
 remark allow far-site video endpoint with complete pool
 permit ip 212.16.178.169 0.0.0.3 37.56.78.33 0.0.0.3
 deny ip any 37.56.78.33 0.0.0.3
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group ExternalAccess in

Thanks

Shahzad

7 Replies

Hello Shazad,

take a look at this post and the response from Karsten Iwen; he proposes a very efficient access list and optional inspection:

https://supportforums.cisco.com/discussion/11605286/access-lists-internet-router

Hi,

By putting in "ip inspect" commands, it will match the session table. That means that to allow somebody to dial our Polycom from their side, we first have to dial from our side to add them to the session table, right?

Thanks

Shahzad

Hello Shahzad,

if you explicitly allow your Polycom traffic in both directions, it will not be inspected. So:

permit ip 212.16.178.169 0.0.0.3 37.56.78.33 0.0.0.3

will allow the traffic if initiated from the outside, and bypass inspection.

We also have an IPsec site-to-site VPN with a far site; what about that?

Do I need to explicitly allow traffic from the VPN peer in the same ACL?

permit esp any any
permit udp any any eq isakmp

Thanks

Shahzad

Hello Shazad,

for VPN access, configure the following:

access-list 101 permit 50 any any
access-list 101 permit 51 any any
access-list 101 permit udp any eq 500 any eq 500

The 'any' can be replaced by the respective VPN peers.
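The pieces from the replies above (the explicitly permitted video endpoint, the ESP/AH/ISAKMP permits, and CBAC inspection for return traffic) assembled into one WAN-interface policy, as an added example that is not from the thread or from Cisco. The VPN peer (203.0.113.1) and SIP trunk provider (198.51.100.10) addresses are RFC 5737 documentation placeholders to replace with the real peers, and the SIP entry assumes the provider sends signalling on UDP 5060.

```cisco
! Added example, not from the thread: one assembled edge policy for the 2921
! combining the video-endpoint permit, the IPsec permits and CBAC inspection.
! Video pools are the thread's; 203.0.113.1 (VPN peer) and 198.51.100.10
! (SIP trunk provider) are placeholders to replace with the real addresses.
!
! CBAC inspection: sessions opened from the inside are tracked and their
! return traffic is allowed back in; the default timeouts age idle entries out.
ip inspect name WAN-INSPECT tcp
ip inspect name WAN-INSPECT udp
ip inspect name WAN-INSPECT icmp
!
ip access-list extended ExternalAccess
 remark Far-site video endpoint to the local video pool; explicitly permitted
 remark inbound, so an outside-initiated call does not depend on a session entry
 permit ip 212.16.178.168 0.0.0.3 37.56.78.32 0.0.0.3
 remark Site-to-site IPsec from the far-site peer (placeholder address):
 remark ESP (50), AH (51) and ISAKMP (UDP 500)
 permit 50 host 203.0.113.1 any
 permit 51 host 203.0.113.1 any
 permit udp host 203.0.113.1 eq 500 any eq 500
 remark Inbound SIP signalling from the trunk provider (placeholder address)
 permit udp host 198.51.100.10 any eq 5060
 remark Everything else from the Internet is dropped unless CBAC holds a
 remark matching session entry; log the hits to see what is being blocked
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group ExternalAccess in
 ip inspect WAN-INSPECT out
```

IOS masks each address with its wildcard, so the thread's 212.16.178.169 0.0.0.3 entry matches .168 through .171 (and 37.56.78.33 0.0.0.3 matches .32 through .35); the example writes the aligned base addresses so the matched range is visible when reviewing the configuration.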

Hi,

Thanks for your support.

How does it impact the memory of the router if we don't put in any timeout values, because we will be having an unlimited number of sessions established?

Thanks

Shahzad

Shahzad,

CBAC has default timeout values, so the number of established sessions is kept in check automatically. Have a look at this table for the relevant values:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1001343
