Where to put a Cisco access-list

Hi,

I have the following access-list:

access-list 105 permit udp host 178.217.82.83 any eq 5060 log
access-list 105 permit tcp host 178.217.82.83 any eq 5060 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

int dialer 1
ip access-group 105 in

I want only the IP address 178.217.82.83 to have access to the router, and the ports from 5060 to 5080 should not have access. Now when I apply this access-list, the telephones aren't reachable anymore. When I try this access-list, it works without any problems:

access-list 105 permit udp host 178.217.82.83 any range 5060 5080 log
access-list 105 permit tcp host 178.217.82.83 any range 5060 5080 log
access-list 105 deny   udp any any range 5060 5080 log
access-list 105 deny   tcp any any range 5060 5080 log
access-list 105 permit ip any any

When I do a show ip nat trans I get this:

Pro Inside global      Inside local       Outside local      Outside global
udp 90.145.140.251:5063 10.10.12.91:5063  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5064 10.10.12.91:5064  178.217.82.83:5060 178.217.82.83:5060
udp 90.145.140.251:5062 10.10.12.92:5062  178.217.82.83:5060 178.217.82.83:5060

As you can see, the outside global port is 5060, so why is the first access-list not working?
Asked by: emieldmz

Matt Commented:
Can you post "show logg"?

Your first ACL allows only UDP/TCP port 5060; the second allows the range of ports 5060-5080.
JustInCase Commented:
Traffic destination is
udp 90.145.140.251:5063
udp 90.145.140.251:5064
udp 90.145.140.251:5062

And traffic source is
178.217.82.83:5060

Traffic is filtered inbound
int dialer 1
ip access-group 105 in

The ACL in the first case is
access-list 105 permit udp host 178.217.82.83 any eq 5060 log

The ACL permits traffic from host 178.217.82.83 to any address if the destination port is 5060,
but the traffic has source IP 178.217.82.83 port 5060... destination ports for the traffic are 5062, 5063, 5064...

That's why the ACL in the second example works properly - destination ports are in the range 5060 - 5080.
The ACL could be written as
access-list 105 permit udp host 178.217.82.83 eq 5060 any log
since traffic always originates from host 178.217.82.83 port 5060

Another way to do this is
access-list 105 permit udp any host 178.217.82.83 eq 5060 log
and assign the ACL in the out direction
int dialer 1
ip access-group 105 out
In this case, traffic is allowed if it comes from any host at any port, as long as the destination is 178.217.82.83 on port 5060.

Of course, direction and traffic filtering depend on your design.
emieldmz (Author) Commented:
Thanks Predrag! I now see that the eq 5060 command was on the destination address instead of the source address.
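
The source-port versus destination-port position explained in the accepted answer, as an added example that is not part of the original thread: a minimal Python first-match evaluator run over the ACL lines quoted above and the reply packet from the NAT table. The helper names (`parse_ace`, `evaluate`) and the second source address 203.0.113.9 are constructed for illustration, and only `host`/`any` and `eq`/`range` are handled.

```python
# Added example: first-match evaluation of numbered extended ACEs (host/any, eq/range only).
def parse_ace(line):
    tok = line.split()[2:]              # drop "access-list 105"
    pos = 2                             # tok[0] = action, tok[1] = protocol

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None                 # None = wildcard address
        pos += 2                        # "host A.B.C.D"
        return tok[pos - 1]

    def ports():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return (int(tok[pos - 1]),) * 2
        if pos < len(tok) and tok[pos] == "range":
            pos += 3
            return int(tok[pos - 2]), int(tok[pos - 1])
        return None                     # no port qualifier at this position

    src, sport = addr(), ports()        # a port written here matches the SOURCE port
    dst, dport = addr(), ports()        # a port written here matches the DESTINATION port
    return tok[0], tok[1], src, sport, dst, dport

def evaluate(acl, pkt):
    proto, sip, sp, dip, dp = pkt
    for line in acl:
        action, p, src, sport, dst, dport = parse_ace(line)
        if (p in ("ip", proto) and src in (None, sip) and dst in (None, dip)
                and (sport is None or sport[0] <= sp <= sport[1])
                and (dport is None or dport[0] <= dp <= dport[1])):
            return action, line         # first matching entry wins
    return "deny", "implicit deny"

ACL_FIRST = [  # the asker's first ACL, as posted
    "access-list 105 permit udp host 178.217.82.83 any eq 5060 log",
    "access-list 105 permit tcp host 178.217.82.83 any eq 5060 log",
    "access-list 105 deny   udp any any range 5060 5080 log",
    "access-list 105 deny   tcp any any range 5060 5080 log",
    "access-list 105 permit ip any any",
]
ACL_FIXED = ["access-list 105 permit udp host 178.217.82.83 eq 5060 any log"] + ACL_FIRST[1:]
REPLY = ("udp", "178.217.82.83", 5060, "90.145.140.251", 5063)  # from the NAT table
OTHER = ("udp", "203.0.113.9", 5060, "90.145.140.251", 5063)    # constructed: another host
if __name__ == "__main__":
    for name, acl in (("first", ACL_FIRST), ("fixed", ACL_FIXED)):
        print(name, [evaluate(acl, p)[0] for p in (REPLY, OTHER)])
```

With the first ACL the reply falls through to the `deny udp any any range 5060 5080` entry because its destination port is 5063; with `eq 5060` moved behind the source address it is permitted, while the same packet from any other host is still denied.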
Question has a verified solution.