JesusFreak42 asked:

Can an access list on a Switch interfere with a device with a Public IP?
Hello,
We are having issues with our Polycom 8000HDX not receiving some phone calls. We are trying to determine why some work and some don't. It has no issue calling out.

One thing is that it is plugged into a layer 3 switch with an Access List. Could this potentially get in the way?

access-list 100 permit ip host 10.41.1.11 any
access-list 100 permit ip 10.40.100.0 0.0.0.255 any
access-list 100 permit ip 10.41.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 100 deny   ip any any
Mark Walden:

What are the IP addresses of the ones working, and the IPs of the ones not? What's the IP of the HDX? What interface is the ACL applied to?
JesusFreak42 (asker):
1) The IP addresses of the ones that work are the ones that are actually inside the network. External addresses do not work. We tested this by trying an outside call, having it fail, and then connecting to the VPN, and then the call succeeded.
2) 10.40.1.5
3) How do I tell if the Access list is applied to an interface? I have the full run-config and just need to know what to look for.
There is a SonicWall which performs NAT as well; all ports are open on that firewall for that NAT rule. SonicWall Support says everything is configured correctly.
That access list on the switch might be getting in the way. Watch the log on the switch and try to make a call from the outside. What IP does the device on the outside get when it connects to the VPN? Does the SonicWall serve as the VPN, or do you have a separate device?
IP access lists have an implicit deny; no need to put it in.
You can make calls and you can receive some calls, and the access list is applied on the out interface, so the ACL is probably not going to be the problem; they don't half stop things. Do you have a web filter?
Can I ask a quick question, as I am coming in after this is all configured. Is this ACL even necessary?
What's the access list preventing, and to where?
Do all other clients go to a proxy of some sort?
Yeah, I have the same question as Stolsie. The organization should have a document tracking things like this; if not, I suggest starting one. Where does this L3 switch sit in relation to your firewall, VPN, internal network, etc.?
Working on trying to figure all this out. Some company came in last year and seems to have done some strange things, and/or just not have done anything to completion. Found two DHCP servers and a rule on a SonicWall allowing EVERYTHING from WAN to get to the LAN..... so, I'll get back to you when I have more info. It doesn't help that I'm also working remotely trying to figure out just what wire goes where....
Heard that. Just let us know.
A rule allowing all from the WAN to your LAN, that’s a new technique lol
Ok... Here's a rough sketch from someone onsite. Notice the nice Asus switch we just found in an enterprise installation with a 6500 chassis right next to it.
sketch.png
Trying to get to the heart of this route-map too:

route-map {NAME} permit 10
 match ip address 100
 set ip default next-hop 10.40.1.2
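As an added example (not from the thread or from any poster), here is a small Python evaluator for the wildcard-mask ACL quoted in the question, which the route-map above uses as its match list (match ip address 100). It parses the six lines exactly as posted, applies Cisco first-match semantics plus the implicit deny at the end of every IOS ACL, and reports which entry a given source/destination pair hits. The HDX address 10.40.1.5 is the one given in the thread; the outside address 203.0.113.10 is a constructed documentation address, not a real peer.

```python
import ipaddress
from typing import List, Tuple

# ACL 100 as quoted in the question (Cisco IOS numbered extended ACL).
ACL_100 = """
access-list 100 permit ip host 10.41.1.11 any
access-list 100 permit ip 10.40.100.0 0.0.0.255 any
access-list 100 permit ip 10.41.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 100 deny   ip any any
"""

# One access-control entry: (action, src_net, src_wild, dst_net, dst_wild, original_line)
Entry = Tuple[str, int, int, int, int, str]

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one IOS address specifier starting at tokens[i].

    Returns (network, wildcard, next_index). 'any' is 0.0.0.0 with an all-ones
    wildcard; 'host A.B.C.D' is that address with a zero wildcard.
    """
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into entries, in order."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError("only 'ip' entries are handled here: " + raw)
        src_net, src_wild, i = _parse_addr(tokens, 4)
        dst_net, dst_wild, _ = _parse_addr(tokens, i)
        entries.append((action, src_net, src_wild, dst_net, dst_wild, raw.strip()))
    return entries


def _wild_match(addr: int, net: int, wild: int) -> bool:
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    return ((addr ^ net) & ~wild & ALL_ONES) == 0


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, matched_line) for the first entry matching src -> dst.

    If nothing matches, IOS applies an implicit deny, which is reported as such.
    """
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, sn, sw, dn, dw, line in entries:
        if _wild_match(s, sn, sw) and _wild_match(d, dn, dw):
            return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    # The HDX from the thread talking to a constructed outside address.
    for src in ("10.40.1.5", "10.41.1.11", "10.40.100.77", "10.41.77.3"):
        action, line = evaluate(acl, src, "203.0.113.10")
        print(f"{src:>14} -> {action:6} ({line})")
```

Running it shows that the HDX at 10.40.1.5 matches none of the permit entries (it is in 10.40.1.0/24, not 10.40.100.0/24 or 10.41.0.0/16) and falls through to the deny. In the only use visible in this thread, the route-map match, that means the HDX's traffic is simply not policy-routed to 10.40.1.2 and follows the normal routing table; it would only be dropped if the same ACL were also applied to an interface with ip access-group, which the posted config does not show.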
Wow. You say it works when connecting through the VPN. I assume the ASA is providing the VPN connection?
Yes. That's the only reason the ASA is there.
ASKER CERTIFIED SOLUTION
Mark Walden
This solution is only available to members.
Any news?
Ok. Watching the traffic resulted in us discovering that SIP traffic didn't exist, because the Polycom installer forgot to program the HDX to register to their SIP server. :-P. Thanks all!