Block VoIP traffic by ACL

wmmak
Level 1

Dear all,

If I want to block VoIP traffic by ACL on router, then is the following correct and enough?

access-list 100 deny udp any any range 16384 32767

access-list 100 deny tcp any any eq 1720

Thanks

mak

10 Replies

mr_mit2000
Level 1

Hi mak

As I know, we can change the H.323 1720 port to another port also.

Mithilesh

marckhayat
Level 1

Hey all,

Not only can you change the port of H.323 signaling, but also the voice call ports...

I'll think of something and try to get back to you :)

Good luck!!!

BTW, what is the source address of a VoIP packet? Is it the router loopback or interface address? Can I change it?

mak

Hi Mak,

For the following scenario for example:

PSTN -- VoIP Router -- internet -- VoIP Router -- PSTN

the source address is the IP address of the gateway (the interface to the internet), and so is the destination address.

Marc

baytan
Level 1

Two NACLs, one for the voice traffic itself and one for the voice signalling traffic, including the commonly used ports for H.323, SIP, MGCP, etc.:

WG-R1(config)# ip access-list extended Voice
WG-R1(config-ext-nacl)# permit udp any any range 16384 32767

WG-R1(config)# ip access-list extended Voice-Control
WG-R1(config-ext-nacl)# permit tcp any any eq 1720
WG-R1(config-ext-nacl)# permit tcp any any range 11000 11999
WG-R1(config-ext-nacl)# permit udp any any eq 2427
WG-R1(config-ext-nacl)# permit tcp any any eq 2428
WG-R1(config-ext-nacl)# permit tcp any any range 2000 2002
WG-R1(config-ext-nacl)# permit udp any any eq 1719
WG-R1(config-ext-nacl)# permit udp any any eq 5060

Just copy, paste to router and apply to interface...

Hi baytan,

What's NACL?

How can I just accept incoming calls from partner networks? Using ACL for VoIP networks?

If you need to block some calls and allow others, you will need to be more specific in the access list by allowing only the networks you want to come through instead of using any any.

Good info here... thx

srikrishna komatineni

Hi, I guess that this range is for H.323:

WG-R1(config-ext-nacl)# permit tcp any any eq 1720
WG-R1(config-ext-nacl)# permit tcp any any range 11000 11999

This one for MGCP:

WG-R1(config-ext-nacl)# permit udp any any eq 2427
WG-R1(config-ext-nacl)# permit tcp any any eq 2428

And this one for SIP:

WG-R1(config-ext-nacl)# permit tcp any any range 2000 2002
WG-R1(config-ext-nacl)# permit udp any any eq 1719
WG-R1(config-ext-nacl)# permit udp any any eq 5060

Am I right??

ihuon
Level 1

Don't forget to add access-list 100 permit ip any any because of the implicit deny all at the end :-)
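Added example, not from the thread: a small Python model of how the router walks baytan's Voice-Control list, with the source narrowed from any to a constructed partner network 203.0.113.0/24 (mak's follow-up question), the 11000-11999 entry written as range (IOS eq takes a single port), and the implicit deny that ihuon mentions applied when nothing matches. The partner prefix, the sample flows and the parser are assumptions; only the protocols and ports come from the thread.

```python
import ipaddress
# Constructed sample: the thread's Voice-Control entries with the source narrowed from
# "any" to a hypothetical partner network 203.0.113.0/24; "eq" takes one port, hence "range".
VOICE_CONTROL = """
permit tcp 203.0.113.0 0.0.0.255 any eq 1720
permit tcp 203.0.113.0 0.0.0.255 any range 11000 11999
permit udp 203.0.113.0 0.0.0.255 any eq 2427
permit tcp 203.0.113.0 0.0.0.255 any eq 2428
permit tcp 203.0.113.0 0.0.0.255 any range 2000 2002
permit udp 203.0.113.0 0.0.0.255 any eq 1719
permit udp 203.0.113.0 0.0.0.255 any eq 5060
"""

def _parse_addr(tokens):
    # "any" | "host A.B.C.D" | "A.B.C.D WILDCARD" -> (base, wildcard); set wildcard bits are ignored.
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))

def _parse_ports(tokens):
    # Optional destination-port operator "eq N" | "range A B"; absent means all ports.
    if not tokens:
        return 0, 65535
    op = tokens.pop(0)
    assert op in ("eq", "range"), f"unsupported port operator {op}"
    lo = int(tokens.pop(0))
    return lo, (lo if op == "eq" else int(tokens.pop(0)))

def parse_acl(text):
    # Handles the subset used in the thread: action proto src dst [dst-port-op].
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        entries.append((action, proto, _parse_addr(rest), _parse_addr(rest), _parse_ports(rest)))
    return entries

def _addr_match(spec, ip):
    base, wildcard = spec
    return (int(ipaddress.ip_address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    # First matching entry wins; with no match the implicit "deny ip any any" applies.
    for action, p, src, dst, (lo, hi) in entries:
        if (p in (proto, "ip") and lo <= dst_port <= hi
                and _addr_match(src, src_ip) and _addr_match(dst, dst_ip)):
            return action
    return "deny"
```

A flow such as TCP port 80 from the partner network falls through to "deny", which is why a trailing permit ip any any is needed if the interface must also carry non-voice traffic.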
