Solved

Where to put an Cisco access-list

Posted on 2015-02-18
3
338 Views
Last Modified: 2015-02-19
Hi,

I have the following access-list:

access-list 105 permit udp host 178.217.82.83 any eq 5060 log
access-list 105 permit tcp host 178.217.82.83 any eq 5060 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

int dialer 1
ip access-group 105 in

I want that only the ip address 178.217.82.83 has access to the router and the ports from 5060 to 5080 does not have access. Now when I apply this access-list the telephones aren't reachable anymore. When I try this access-list it works without any problems:

access-list 105 permit udp host 178.217.82.83 any range 5060 5080 log
access-list 105 permit tcp host 178.217.82.83 any range 5060 5080 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

When I do a show ip nat trans I get this:

Pro Inside global      Inside local       Outside local      Outside global
udp 90.145.140.251:5063 10.10.12.91:5063  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5064 10.10.12.91:5064  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5062 10.10.12.92:5062  178.217.82.83:5060 178.217.82.83:5060

As you can see the the outside global port is 5060 so why is the first access-list not working?
0
Comment
Question by:emieldmz
3 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40617082
Can you post "show logg"?

Your first ACL allows only UDP/TCP port 5060, the second allows range of ports 5060-5080.
0
 
LVL 27

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40617300
Traffic destination is
udp 90.145.140.251:5063
udp 90.145.140.251:5064
udp 90.145.140.251:5062

And traffic source is
178.217.82.83:5060

traffic is filtered inbound
int dialer 1
ip access-group 105 in

ACL is in first case
access-list 105 permit udp host 178.217.82.83 any eq 5060 log

ACL permits traffic from host 178.217.82.83 to any address if  destination port is 5060
but traffic have source ip 178.217.82.83 port 5060... destination ports for traffic are 5062, 5063, 5064...

That's way in the second example ACL works properly - destination ports are in range 5060 - 5080. .
ACL could be written as
access-list 105 permit udp host 178.217.82.83 eq 5060 any log
since traffic always originate from host 178.217.82.83 port 5060

Other way to do this is
access-list 105 permit udp any host 178.217.82.83 eq 5060 log
and assign ACL in out direction
int dialer 1
ip access-group 105 out
In this case - traffic is allowed if comes from any host at any port as long as destination is 178.217.82.83 on port 5060

Of course direction and traffic filtering depends on your design.
0
 

Author Comment

by:emieldmz
ID: 40618594
Thanks Predrag! I now see that the eq 5060 command was on the destination address instead of the source address.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Systems talking to each other 5 123
EIGRP Summary 2 43
BGP routing on Windows 2016 7 36
Viber-Only Restriction 6 21
In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now