01-01-2005 08:42 AM
Dear all,
If I want to block VoIP traffic by ACL on router, then is the following correct and enough?
access-list 100 deny udp any any range 16384 32767
access-list 100 deny tcp any any eq 1720
Thanks
mak
01-02-2005 04:56 AM
Hi mak
As I know, we can change the H.323 1720 port to another port also
Mithilesh
01-03-2005 10:15 AM
Hey all,
Not only can you change the port of H.323 signaling, but also the voice call ports...
I'll think of something and try to get back to you :)
Good luck!!!
01-03-2005 09:32 PM
BTW, what is the source address of a VoIP packet? Is it the router loopback or interface address? Can I change it?
mak
01-04-2005 12:21 AM
Hi Mak,
For the following scenario for example:
PSTN -- VoIP Router -- internet -- VoIP Router -- PSTN
The source address is the IP address of the gateway (interface to the internet), and so is the destination address.
Marc
03-10-2005 06:36 PM
Two NACLs: one for the voice traffic itself and one for voice signalling traffic, including commonly used ports according to H.323, SIP, MGCP, etc.:
WG-R1(config)# ip access-list extended Voice
WG-R1(config-ext-nacl)# permit udp any any range 16384 32767
WG-R1(config)# ip access-list extended Voice-Control
WG-R1(config-ext-nacl)# permit tcp any any eq 1720
WG-R1(config-ext-nacl)# permit tcp any any range 11000 11999
WG-R1(config-ext-nacl)# permit udp any any eq 2427
WG-R1(config-ext-nacl)# permit tcp any any eq 2428
WG-R1(config-ext-nacl)# permit tcp any any range 2000 2002
WG-R1(config-ext-nacl)# permit udp any any eq 1719
WG-R1(config-ext-nacl)# permit udp any any eq 5060
Just copy, paste to router and apply to interface...
06-18-2005 01:30 PM
Hi baytan,
What's NACL?
How can I just accept incoming calls from partners' networks? Using ACL for VoIP networks?
06-22-2005 01:38 PM
If you need to block some calls and allow others you will need to be more specific in the access list by allowing only the networks you want to come through instead of using any any.
06-19-2005 02:50 AM
good info here...thx
srikrishna komatineni
06-20-2005 12:30 AM
Hi, I guess that this range is for H.323
WG-R1(config-ext-nacl)# permit tcp any any eq 1720
WG-R1(config-ext-nacl)# permit tcp any any range 11000 11999
this one for MGCP
WG-R1(config-ext-nacl)# permit udp any any eq 2427
WG-R1(config-ext-nacl)# permit tcp any any eq 2428
and this one for SIP
WG-R1(config-ext-nacl)# permit tcp any any range 2000 2002
WG-R1(config-ext-nacl)# permit udp any any eq 1719
WG-R1(config-ext-nacl)# permit udp any any eq 5060
Am I right??
06-21-2005 06:55 AM
Don't forget to add access-list 100 permit ip any any because of implicit deny all at the end :-)
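The first-match and implicit-deny behaviour raised in this thread, as an added example that is not part of any poster's reply: a small Python evaluator run over the ACL 100 lines from the first post, with and without the trailing permit. It handles only the `any any` syntax used here, and the sample packets (including the non-default signaling port 11720) are constructed.

```python
# Added example: first-match evaluation of numbered extended ACL lines.
# Supports only the syntax subset seen in this thread:
#   access-list <n> <permit|deny> <tcp|udp|ip> any any [eq P | range A B]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported line: {line!r}")
        action, proto, rest = tok[2], tok[3], tok[6:]
        if not rest:                                  # no port qualifier
            ports = (0, 65535)
        elif rest[0] == "eq" and len(rest) == 2:
            ports = (int(rest[1]), int(rest[1]))
        elif rest[0] == "range" and len(rest) == 3:
            ports = (int(rest[1]), int(rest[2]))
        else:
            raise ValueError(f"unsupported port clause: {line!r}")
        rules.append((action, proto, ports))
    return rules

def evaluate(rules, proto, dport):
    """Return the action of the first matching rule, top to bottom."""
    for action, rule_proto, (lo, hi) in rules:
        if rule_proto in ("ip", proto) and lo <= dport <= hi:
            return action
    return "deny"  # implicit deny at the end of every ACL

ACL_AS_POSTED = """
access-list 100 deny udp any any range 16384 32767
access-list 100 deny tcp any any eq 1720
"""
ACL_WITH_PERMIT = ACL_AS_POSTED + "access-list 100 permit ip any any\n"

# Constructed sample packets: (protocol, destination port)
PACKETS = [
    ("udp", 20000),   # RTP voice in the default range
    ("tcp", 1720),    # H.323 signaling on the default port
    ("tcp", 80),      # unrelated web traffic
    ("tcp", 11720),   # H.323 signaling moved to a non-default port
]

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {pkt: evaluate(rules, *pkt) for pkt in PACKETS}

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("with permit", ACL_WITH_PERMIT)):
        print(name, verdicts(acl))
```

As posted, the list drops the web traffic too; with the final permit, only the default VoIP ports are blocked and signaling on a changed port passes, which is the limit of port-based blocking noted in the early replies.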