Can an access list on a Switch interfere with a device with a Public IP?

Hello,
We are having issues with our Polycom 8000HDX not receiving some phone calls. We are trying to determine why some work, and some don't. It has no issue calling out.

One thing is that it is plugged into a layer 3 switch with an Access List. Could this potentially get in the way?

access-list 100 permit ip host 10.41.1.11 any
access-list 100 permit ip 10.40.100.0 0.0.0.255 any
access-list 100 permit ip 10.41.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 100 deny   ip any any
JesusFreak42 asked:
 
Mark Walden (Information Security Engineer) commented:
First thing I would have to do is watch the log on the 6500 when you are trying to connect. Does the Sonic Wall show any traffic passing through it? If so, what does it say?
0
 
Mark Walden (Information Security Engineer) commented:
What are the IP addresses of the ones working, and the IPs of the ones that aren't? What is the IP of the HDX? What interface is the ACL applied to?
0
 
JesusFreak42 (Author) commented:
1) The IP addresses of the ones that work are the ones that are actually inside the network. External addresses do not work. We tested this by trying an outside call, having it fail, and then connecting to the VPN, and then the call succeeded.
2) 10.40.1.5
3) How do I tell if the Access list is applied to an interface? I have the full run-config and just need to know what to look for.
0
 
JesusFreak42 (Author) commented:
There is a Sonic Wall which performs NAT as well, all ports are open on that firewall for that NAT rule. Sonic Wall Support says everything is configured correctly.
0
 
Mark Walden (Information Security Engineer) commented:
That access list on the switch might be getting in the way. Watch the log on the switch and try to make a call from the outside. What IP does the device on the outside get when it connects to the VPN? Does the Sonic Wall serve as the VPN, or do you have a separate device?
0
 
Stolsie commented:
IP access lists have an implicit deny; no need to put it in.
You can make calls and you can receive some calls, and the access list is applied on the out interface; the ACL is probably not going to be the problem, they don't half stop things. Do you have a web filter?
0
 
JesusFreak42 (Author) commented:
Can I ask a quick question, as I am coming in after this is all configured. Is this ACL even necessary?
0
 
Stolsie commented:
What's the access list preventing, and to where?
Do all other clients go to a proxy of some sort?
0
 
Mark Walden (Information Security Engineer) commented:
Yeah, I have the same question as Stolsie. The organization should have a document tracking things like this; if not, I suggest starting one. Where does this L3 switch sit in relation to your firewall, VPN, internal network, etc.?
0
 
JesusFreak42 (Author) commented:
Working on trying to figure all this out. Some company came in last year and seems to have done some strange things, and/or just not have done anything to completion. Found two DHCP servers and a rule on a Sonic Wall allowing EVERYTHING from the WAN to get to the LAN... so I'll get back to you when I have more info. It doesn't help that I'm also working remotely trying to figure out just what wire goes where.
0
 
Mark Walden (Information Security Engineer) commented:
Heard that. Just let us know.
0
 
Stolsie commented:
A rule allowing all from the WAN to your LAN, that's a new technique lol
0
 
JesusFreak42 (Author) commented:
Ok... Here's a rough sketch from someone onsite. Notice the nice Asus switch we just found in an enterprise installation with a 6500 chassis right next to it.
sketch.png
0
 
JesusFreak42 (Author) commented:
Trying to get to the heart of this route-map too:

route-map {NAME} permit 10
 match ip address 100
 set ip default next-hop 10.40.1.2
0
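Two things asked above can be checked mechanically from the running-config: where ACL 100 is actually applied (the author's third question), and what the route-map's `match ip address 100` selects. The following is an added example, not code from the thread or from Cisco: it evaluates a source address against ACL 100 with first-match semantics and the implicit deny, and scans a config for every place the ACL is referenced, directly via `ip access-group` or indirectly via a policy route-map. The `interface Vlan40` stanza and the route-map name `PBR-EXAMPLE` are constructed assumptions, since the thread never shows where the ACL or route-map is bound.

```python
import ipaddress
import re

# Constructed sample: the thread's ACL and route-map, plus a hypothetical interface binding
SAMPLE_CONFIG = """\
access-list 100 permit ip host 10.41.1.11 any
access-list 100 permit ip 10.40.100.0 0.0.0.255 any
access-list 100 permit ip 10.41.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 100 deny   ip any any
interface Vlan40
 ip policy route-map PBR-EXAMPLE
route-map PBR-EXAMPLE permit 10
 match ip address 100
 set ip default next-hop 10.40.1.2
"""

def acl_action(config, acl_id, source_ip):
    """First-match evaluation of source_ip against 'access-list <id> ... <src> any' lines."""
    ip = ipaddress.ip_address(source_ip)
    for line in config.splitlines():
        m = re.match(rf"access-list {acl_id}\s+(permit|deny)\s+ip\s+(.+?)\s+any$", line.strip())
        if m:
            action, src = m.groups()
            if src == "any":
                src = "0.0.0.0/0"
            elif src.startswith("host "):
                src = src.split()[1] + "/32"
            else:
                src = "/".join(src.split())  # 'addr wildcard': ipaddress accepts a hostmask after '/'
            if ip in ipaddress.ip_network(src, strict=False):
                return action
    return "deny"  # the implicit deny every IOS ACL ends with

def acl_references(config, acl_id):
    """Where ACL <acl_id> is applied: 'ip access-group' on an interface, or a PBR route-map."""
    stanza, refs, maps, policies = None, {}, set(), {}
    for line in config.splitlines():
        if re.match(r"(interface|route-map)\s", line):
            stanza = line.strip()
        elif re.search(rf"\b(ip access-group|match ip address) {acl_id}\b", line):
            refs[stanza] = line.strip()
            if stanza.startswith("route-map"):
                maps.add(stanza.split()[1])
        elif re.match(r"\s+ip policy route-map (\S+)", line):
            policies[stanza] = line.strip()
    # interfaces that bind a route-map which in turn matches the ACL
    refs.update({iface: l for iface, l in policies.items() if l.split()[-1] in maps})
    return refs
```

Run against the thread's ACL, the HDX address 10.40.1.5 matches none of the permit entries and falls through to the deny, so if ACL 100 feeds this route-map, the HDX's traffic is not policy-routed to 10.40.1.2 but follows the normal routing table; `acl_references` shows both the route-map line and the interface binding it.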
 
Mark Walden (Information Security Engineer) commented:
Wow. You say it works when connecting through the VPN. I assume the ASA is providing the VPN connection?
0
 
JesusFreak42 (Author) commented:
Yes. That's the only reason the ASA is there.
0
 
Mark Walden (Information Security Engineer) commented:
Any news?
0
 
JesusFreak42 (Author) commented:
Ok. Watching the traffic resulted in us discovering that SIP traffic didn't exist, because the Polycom installer forgot to program the HDX to register to their SIP server. :-P. Thanks all!
0