Guidance on modifying an ACL

Kevin Hamilton
Level 1

Hello and happy weekend,

I have 4 VoIP hosts on the 7.7.7.0 subnet. I only want them to talk to the upstream trunk server at 1.1.1.1 on port 5060, and the ACL (VERSION 1) below seems to work well. However, now we are getting some DoS attacks against the 4 VoIP hosts on other ports from various random IPs. So I need to block all traffic bound for the 4 VoIP hosts except port 5060 from 1.1.1.1, and not affect traffic bound for other hosts on the 7.7.7.0 subnet. Can I accomplish my goal with ACL VERSION 2? Any suggestions to modify the ACL below would be greatly appreciated.

Thanks, Kevin.

VERSION 1:

access-list 101 permit udp host 1.1.1.1 host 7.7.7.7 eq 5060
access-list 101 permit udp host 1.1.1.1 host 7.7.7.8 eq 5060
access-list 101 permit udp host 1.1.1.1 host 7.7.7.9 eq 5060
access-list 101 permit udp host 1.1.1.1 host 7.7.7.10 eq 5060

access-list 101 deny   udp any host 7.7.7.7 eq 5060
access-list 101 deny   udp any host 7.7.7.8 eq 5060
access-list 101 deny   udp any host 7.7.7.9 eq 5060
access-list 101 deny   udp any host 7.7.7.10 eq 5060

access-list 101 permit ip any any

VERSION 2:

access-list 101 permit udp host 1.1.1.1 host 7.7.7.7 eq 5060
access-list 101 permit udp host 1.1.1.1 host 7.7.7.8 eq 5060
access-list 101 permit udp host 1.1.1.1 host 7.7.7.9 eq 5060
access-list 101 permit udp host 1.1.1.1 host 7.7.7.10 eq 5060

#### First four lines explicitly allow traffic to my VoIP hosts.

access-list 101 deny   udp any host 7.7.7.7
access-list 101 deny   udp any host 7.7.7.8
access-list 101 deny   udp any host 7.7.7.9
access-list 101 deny   udp any host 7.7.7.10

#### Next four lines explicitly deny all UDP traffic to my VoIP hosts. Do I have to specify TCP as well?

access-list 101 permit ip any any

#### This line allows all other traffic to all other hosts.

Correct?

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame

Kevin

Perhaps Julio sees something differently than I do or understands something differently. But I do not agree with his statement that your proposed second ACL should work to accomplish what you want. I go back to your statement in the original post of what you need to accomplish: "So I need to block all traffic bound for the 4 VoIP hosts except port 5060 from 1.1.1.1." Your proposed change in the ACL will block UDP but not any other type of IP traffic (not TCP, not ICMP, not IPsec, etc.). I would suggest that changing the deny statements as I will suggest would accomplish your goal:

access-list 101 deny   ip any host 7.7.7.7
access-list 101 deny   ip any host 7.7.7.8
access-list 101 deny   ip any host 7.7.7.9
access-list 101 deny   ip any host 7.7.7.10

HTH

Rick

6 Replies

Julio E. Moisa
VIP Alumni

Hi,

Yes, it will work. Just verify if you need to open other UDP ports.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio,
Thank you for confirming my idea.
Kevin

Hi Rick,
After I posted my question I realized that just blocking UDP would not solve my problem. Thank you for further clarifying my issue and listing the required statements.
Kevin

Hi Rick,

I have a follow-on question.  I'm thinking I should insert the new deny statements at lines 55, 65, 75 and 85, then remove the old deny statements at 50, 60, 70 and 80.  Does that sound like a reasonable plan?

Thanks,

Kevin
10 access-list 101 permit udp host 1.1.1.1 host 7.7.7.7 eq 5060
20 access-list 101 permit udp host 1.1.1.1 host 7.7.7.8 eq 5060
30 access-list 101 permit udp host 1.1.1.1 host 7.7.7.9 eq 5060
40 access-list 101 permit udp host 1.1.1.1 host 7.7.7.10 eq 5060

50 access-list 101 deny   udp any host 7.7.7.7 eq 5060
60 access-list 101 deny   udp any host 7.7.7.8 eq 5060
70 access-list 101 deny   udp any host 7.7.7.9 eq 5060
80 access-list 101 deny   udp any host 7.7.7.10 eq 5060

90 access-list 101 permit ip any any

Kevin

Yes, what you suggest would be a good way to change the ACL. The important thing is that the individual deny statements should come after the corresponding permit statements for individual hosts and come before the permit ip any any. Your approach would achieve this nicely.

HTH

Rick
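To see concretely why Rick's `deny ip` lines close the gap that Kevin's `deny udp` lines leave, and why the deny entries must sit between the per-host permits and the `permit ip any any`, here is an added first-match simulator for the numbered ACL in this thread (example code written for this page, not Cisco IOS code or anything posted by the participants). It assumes standard IOS semantics: entries are evaluated in sequence-number order, the first match decides, and an unmatched packet hits the implicit deny; the source address 203.0.113.9 and the host 7.7.7.50 are constructed sample values.

```python
"""Added example (not Cisco code or the thread's own): a first-match simulator for
the numbered IOS ACL in this thread. An entry with protocol 'ip' matches any
protocol, 'any' matches any host, entries are tried in sequence-number order,
and an unmatched packet hits the implicit deny at the end."""
from collections import namedtuple

Entry = namedtuple("Entry", "seq action proto src dst dport")

def parse(line):
    """Parse '<seq> access-list 101 <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    seq, action, proto, i = int(t[0]), t[3], t[4], 5
    src, i = (t[i + 1], i + 2) if t[i] == "host" else ("any", i + 1)
    dst, i = (t[i + 1], i + 2) if t[i] == "host" else ("any", i + 1)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(seq, action, proto, src, dst, dport)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for e in sorted(map(parse, acl_lines), key=lambda e: e.seq):
        if (e.proto in ("ip", proto) and e.src in ("any", src)
                and e.dst in ("any", dst) and e.dport in (None, dport)):
            return e.action
    return "deny"  # implicit deny at the end of every IOS ACL

VOIP = ["7.7.7.7", "7.7.7.8", "7.7.7.9", "7.7.7.10"]
PERMITS = [f"{10 * (i + 1)} access-list 101 permit udp host 1.1.1.1 host {h} eq 5060"
           for i, h in enumerate(VOIP)]
ANY_ANY = ["90 access-list 101 permit ip any any"]
# Kevin's VERSION 2: the deny entries cover UDP only.
KEVIN_V2 = PERMITS + [f"{50 + 10 * i} access-list 101 deny udp any host {h}"
                      for i, h in enumerate(VOIP)] + ANY_ANY
# Rick's correction, inserted at 55/65/75/85 as Kevin planned, old UDP denies removed.
RICK = PERMITS + [f"{55 + 10 * i} access-list 101 deny ip any host {h}"
                  for i, h in enumerate(VOIP)] + ANY_ANY

def compare(acl):
    """Decisions for: trunk SIP to a VoIP host, TCP from an unrelated source
    (constructed address 203.0.113.9) to a VoIP host, and TCP to another host on
    the 7.7.7.0 subnet (constructed 7.7.7.50) that must stay reachable."""
    return (evaluate(acl, "udp", "1.1.1.1", "7.7.7.7", 5060),
            evaluate(acl, "tcp", "203.0.113.9", "7.7.7.7", 22),
            evaluate(acl, "tcp", "203.0.113.9", "7.7.7.50", 80))

if __name__ == "__main__":
    print("Kevin V2:", compare(KEVIN_V2))  # ('permit', 'permit', 'permit')
    print("Rick:    ", compare(RICK))      # ('permit', 'deny', 'permit')
```

Under Kevin's VERSION 2 the TCP packet to 7.7.7.7 falls through to `permit ip any any`; under Rick's entries it is denied while the trunk's SIP and the rest of the subnet are unaffected.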