Solved

Where to put an Cisco access-list

Posted on 2015-02-18
3
342 Views
Last Modified: 2015-02-19
Hi,

I have the following access-list:

access-list 105 permit udp host 178.217.82.83 any eq 5060 log
access-list 105 permit tcp host 178.217.82.83 any eq 5060 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

int dialer 1
ip access-group 105 in

I want that only the ip address 178.217.82.83 has access to the router and the ports from 5060 to 5080 does not have access. Now when I apply this access-list the telephones aren't reachable anymore. When I try this access-list it works without any problems:

access-list 105 permit udp host 178.217.82.83 any range 5060 5080 log
access-list 105 permit tcp host 178.217.82.83 any range 5060 5080 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

When I do a show ip nat trans I get this:

Pro Inside global      Inside local       Outside local      Outside global
udp 90.145.140.251:5063 10.10.12.91:5063  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5064 10.10.12.91:5064  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5062 10.10.12.92:5062  178.217.82.83:5060 178.217.82.83:5060

As you can see the the outside global port is 5060 so why is the first access-list not working?
0
Comment
Question by:emieldmz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40617082
Can you post "show logg"?

Your first ACL allows only UDP/TCP port 5060, the second allows range of ports 5060-5080.
0
 
LVL 29

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40617300
Traffic destination is
udp 90.145.140.251:5063
udp 90.145.140.251:5064
udp 90.145.140.251:5062

And traffic source is
178.217.82.83:5060

traffic is filtered inbound
int dialer 1
ip access-group 105 in

ACL is in first case
access-list 105 permit udp host 178.217.82.83 any eq 5060 log

ACL permits traffic from host 178.217.82.83 to any address if  destination port is 5060
but traffic have source ip 178.217.82.83 port 5060... destination ports for traffic are 5062, 5063, 5064...

That's way in the second example ACL works properly - destination ports are in range 5060 - 5080. .
ACL could be written as
access-list 105 permit udp host 178.217.82.83 eq 5060 any log
since traffic always originate from host 178.217.82.83 port 5060

Other way to do this is
access-list 105 permit udp any host 178.217.82.83 eq 5060 log
and assign ACL in out direction
int dialer 1
ip access-group 105 out
In this case - traffic is allowed if comes from any host at any port as long as destination is 178.217.82.83 on port 5060

Of course direction and traffic filtering depends on your design.
0
 

Author Comment

by:emieldmz
ID: 40618594
Thanks Predrag! I now see that the eq 5060 command was on the destination address instead of the source address.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question