Solved

Where to put an Cisco access-list

Posted on 2015-02-18
3
343 Views
Last Modified: 2015-02-19
Hi,

I have the following access-list:

access-list 105 permit udp host 178.217.82.83 any eq 5060 log
access-list 105 permit tcp host 178.217.82.83 any eq 5060 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

int dialer 1
ip access-group 105 in

I want that only the ip address 178.217.82.83 has access to the router and the ports from 5060 to 5080 does not have access. Now when I apply this access-list the telephones aren't reachable anymore. When I try this access-list it works without any problems:

access-list 105 permit udp host 178.217.82.83 any range 5060 5080 log
access-list 105 permit tcp host 178.217.82.83 any range 5060 5080 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

When I do a show ip nat trans I get this:

Pro Inside global      Inside local       Outside local      Outside global
udp 90.145.140.251:5063 10.10.12.91:5063  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5064 10.10.12.91:5064  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5062 10.10.12.92:5062  178.217.82.83:5060 178.217.82.83:5060

As you can see the the outside global port is 5060 so why is the first access-list not working?
0
Comment
Question by:emieldmz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40617082
Can you post "show logg"?

Your first ACL allows only UDP/TCP port 5060, the second allows range of ports 5060-5080.
0
 
LVL 30

Accepted Solution

by:
Predrag earned 500 total points
ID: 40617300
Traffic destination is
udp 90.145.140.251:5063
udp 90.145.140.251:5064
udp 90.145.140.251:5062

And traffic source is
178.217.82.83:5060

traffic is filtered inbound
int dialer 1
ip access-group 105 in

ACL is in first case
access-list 105 permit udp host 178.217.82.83 any eq 5060 log

ACL permits traffic from host 178.217.82.83 to any address if  destination port is 5060
but traffic have source ip 178.217.82.83 port 5060... destination ports for traffic are 5062, 5063, 5064...

That's way in the second example ACL works properly - destination ports are in range 5060 - 5080. .
ACL could be written as
access-list 105 permit udp host 178.217.82.83 eq 5060 any log
since traffic always originate from host 178.217.82.83 port 5060

Other way to do this is
access-list 105 permit udp any host 178.217.82.83 eq 5060 log
and assign ACL in out direction
int dialer 1
ip access-group 105 out
In this case - traffic is allowed if comes from any host at any port as long as destination is 178.217.82.83 on port 5060

Of course direction and traffic filtering depends on your design.
0
 

Author Comment

by:emieldmz
ID: 40618594
Thanks Predrag! I now see that the eq 5060 command was on the destination address instead of the source address.
0

Featured Post

[Live Webinar] The Cloud Skills Gap

As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.

Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month5 days, 9 hours left to enroll

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question