10-26-2018 04:34 AM - edited 03-08-2019 04:29 PM
Dear All,
I have a VoIP PABX connected on my Cisco firewall interface GigabitEthernet0/1.71 and the LAN on GigabitEthernet0/1.101.
So now I need to allow IPs 197.84.140.140 and 196.28.95.12 with UDP port 5060 and UDP ports 16384 - 32767, and the rest of the IP traffic should be blocked, for the VoIP interface only.
Please suggest the commands for the same.
Firewall Model ASA5525
Version Device Manager Version 7.8(2)
Interface details
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 197.XX.XX.XX YES CONFIG up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/1.71 172.XX.XX.XX YES CONFIG up up
GigabitEthernet0/1.101 10.XX.XX.XX YES CONFIG up up
GigabitEthernet0/2 unassigned YES unset down down
10-26-2018 04:40 AM
This is a good example guide to start with:
Based on the ASA version some syntax changes, but the concept is the same.
10-26-2018 05:18 AM
Dear Balaji,
I am just checking the post but unable to understand it. Can you please suggest the commands for how to enable multiple UDP ports for a particular IP by ACL?
10-26-2018 09:41 AM
Can you post your full configuration so we can suggest?
10-26-2018 10:45 PM
Dear Balaji,
I am just discussing this with my team. As the PABX is connected on firewall interface fa0/3, can we make one policy, in-to-out and out-to-in (bidirectional), call that policy in a zone, and after that put that PABX interface in that zone?
Also, can you please let me know whether the PABX allows an ACL feature?
Please find the scenario below; I need to make a source and destination policy.
Subnet 172.18.x.x is the internal VoIP subnet.
Traffic which I need to allow for the destination IPs (outside network IPs):
197.84.140.140 UDP port 5060, UDP ports 16384 - 32767
196.28.95.12 UDP port 5060, UDP ports 16384 - 32767
I need to make a policy which allows traffic between 197.84.140.140, 196.28.95.12 and 172.18.x.x, including UDP port 5060 and UDP ports 16384 - 32767, or I can allow all ports between these subnets and call the PABX-connected interface into this policy.
This is my requirement; can you please suggest on this?
10-27-2018 07:50 AM
Since we asked for the full configuration and you have not provided it for us to review,
based on the information you have provided, we believe the rest is all in place and you are looking only for the ACL.
The example below should help you; tweak it as per your requirement.
! UDP service group: SIP signalling (5060) and the RTP media range
object-group service PBX_Ports udp
 port-object eq 5060
 port-object range 16384 32767
! Internal VoIP subnet (fill in your real mask)
object network inside_network
 subnet 172.18.x.x 255.255.x.x
! Two provider hosts need a network object-group, not a single network object
object-group network outside_network
 network-object host 197.84.140.140
 network-object host 196.28.95.12
! Protocol is udp; a service object-group goes at the end as the destination port
access-list outside_access_in extended permit udp object-group outside_network object inside_network object-group PBX_Ports
access-list inside_access_out extended permit udp object inside_network object-group outside_network object-group PBX_Ports
Apply the access-list to the respective interface with access-group.
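As a complete worked example of the requirement in this thread (allow only those two provider hosts on SIP and RTP through the PABX interface, block everything else there), here is an added ASA configuration. It is not from any poster in the thread or from Cisco documentation; it assumes the interface names `voip` (GigabitEthernet0/1.71) and `outside` (GigabitEthernet0/0), the VoIP subnet 172.18.0.0/16 (the thread only gives 172.18.x.x), and that NAT for the PABX subnet is already in place.

```cisco
! Added example, not from the thread. Assumed names and values:
!   GigabitEthernet0/1.71 -> nameif voip     (PABX side, 172.18.0.0/16 assumed)
!   GigabitEthernet0/0    -> nameif outside  (provider hosts reachable here)
object-group service PBX_UDP udp
 port-object eq 5060
 port-object range 16384 32767
object network VOIP_NET
 subnet 172.18.0.0 255.255.0.0
object-group network SIP_PROVIDER
 network-object host 197.84.140.140
 network-object host 196.28.95.12
!
! Inbound on the voip interface: only UDP from the PABX subnet to the two
! provider hosts on the signalling and media ports. Every other packet that
! arrives on this interface hits the final deny. The explicit deny mirrors
! the implicit one at the end of every ASA ACL but adds logging, so blocked
! traffic from the PABX side is visible in syslog while you tune the rules.
access-list VOIP_IN extended permit udp object VOIP_NET object-group SIP_PROVIDER object-group PBX_UDP
access-list VOIP_IN extended deny ip any any log
access-group VOIP_IN in interface voip
!
! Inbound on outside: only the provider hosts may reach the PABX subnet on
! those UDP ports. Replies to flows permitted in either direction are
! allowed by the stateful connection table, so no reverse "out" ACL is needed.
access-list OUTSIDE_IN extended permit udp object-group SIP_PROVIDER object VOIP_NET object-group PBX_UDP
access-group OUTSIDE_IN in interface outside
!
! Verify after placing a test call: hit counts should rise on the permit
! lines, and the deny line shows what else the PABX side is trying to send.
! show access-list VOIP_IN
! show access-list OUTSIDE_IN
```

Two practical notes: `access-group` binds one ACL per interface per direction, so if `outside` already carries an inbound ACL for other traffic, add the permit line to that existing ACL instead of binding a new one, or you will cut off everything it previously allowed. And because the ACL on `voip` is applied inbound with a deny at the end, it is exactly the "block the rest for the VoIP interface only" behaviour asked for; it does not affect the LAN on GigabitEthernet0/1.101.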