Can an access list on a Switch interfere with a device with a Public IP?

Hello,
We are having issues with our Polycom 8000HDX not receiving some phone calls. We are trying to determine why some work and some don't. It has no issue calling out.

One thing is that it is plugged into a layer 3 switch with an Access List. Could this potentially get in the way?

access-list 100 permit ip host 10.41.1.11 any
access-list 100 permit ip 10.40.100.0 0.0.0.255 any
access-list 100 permit ip 10.41.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 100 deny   ip any any
JesusFreak42 Asked:
Mark Walden (Information Security Engineer) Commented:
What are the IP addresses of the ones working and the IPs of the ones that aren't? What's the IP of the HDX? What interface is the ACL applied to?
JesusFreak42 (Author) Commented:
1) The IP addresses of the ones that work are the ones that are actually inside the network. External addresses do not work. We tested this by trying an outside call, having it fail, then connecting to the VPN, and then the call succeeded.
2) 10.40.1.5
3) How do I tell if the access list is applied to an interface? I have the full running-config and just need to know what to look for.
JesusFreak42 (Author) Commented:
There is a SonicWall which performs NAT as well; all ports are open on that firewall for that NAT rule. SonicWall support says everything is configured correctly.
Mark Walden (Information Security Engineer) Commented:
That access list on the switch might be getting in the way. Watch the log on the switch and try to make a call from the outside. What IP does the device on the outside get when it connects to the VPN? Does the SonicWall serve as the VPN, or do you have a separate device?
Stolsie Commented:
IP access lists have an implicit deny; there's no need to put it in.
You can make calls and you can receive some calls, and the access list is applied on the out interface, so the ACL is probably not going to be the problem; they don't half-stop things. Do you have a web filter?
JesusFreak42 (Author) Commented:
Can I ask a quick question, as I am coming in after this is all configured? Is this ACL even necessary?
Stolsie Commented:
What's the access list preventing, and to where?
Do all other clients go to a proxy of some sort?
Mark Walden (Information Security Engineer) Commented:
Yeah, I have the same question as Stolsie. The organization should have a document tracking things like this; if not, I suggest starting one. Where does this L3 switch sit in relation to your firewall, VPN, internal network, etc.?
JesusFreak42 (Author) Commented:
Working on trying to figure all this out. Some company came in last year and seems to have done some strange things, and/or just not have done anything to completion. Found two DHCP servers and a rule on a SonicWall allowing EVERYTHING from WAN to get to the LAN... so, I'll get back to you when I have more info. It doesn't help that I'm also working remotely, trying to figure out just what wire goes where...
Mark Walden (Information Security Engineer) Commented:
Heard that. Just let us know.
Stolsie Commented:
A rule allowing all from the WAN to your LAN, that's a new technique lol
JesusFreak42 (Author) Commented:
OK... Here's a rough sketch from someone onsite. Notice the nice ASUS switch we just found in an enterprise installation, with a 6500 chassis right next to it.
[attachment: sketch.png]
JesusFreak42 (Author) Commented:
Trying to get to the heart of this route-map too:

route-map {NAME} permit 10
 match ip address 100
 set ip default next-hop 10.40.1.2
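Two things in this thread are worth checking mechanically rather than by eye: whether the HDX (10.40.1.5) actually falls inside any permit line of ACL 100 (with IOS wildcard masks it does not; 10.40.100.0 0.0.0.255 covers only 10.40.100.x, and the other lines are 10.41/16, 192.168/16 and 10.31/16, so the host hits the final deny), and where ACL 100 is referenced in the running-config. The answer to the earlier question of how to tell whether an ACL is applied is to look for `ip access-group 100 in|out` under an interface (a filter: denied packets are dropped) and for `match ip address 100` inside a route-map whose name appears in an `ip policy route-map` line under an interface (policy routing: a deny or no-match just means "forward normally", nothing is dropped). The following is an added example written for this page, not code from the thread or from Cisco: the ACL and route-map bodies are the ones posted above, while the route-map name, the interface names, the `ip policy route-map` binding and the `ip access-group 100 in` line in the sample config are assumptions constructed to show both kinds of reference.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample config: the ACL and route-map posted in the thread, plus an
# ASSUMED excerpt showing the two ways ACL 100 could be referenced. The route-map
# name, interface names, the "ip policy route-map" binding and the
# "ip access-group 100 in" line are illustration only, not from the page.
SAMPLE_CONFIG = """\
access-list 100 permit ip host 10.41.1.11 any
access-list 100 permit ip 10.40.100.0 0.0.0.255 any
access-list 100 permit ip 10.41.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 100 deny   ip any any
!
route-map PBR-TO-SONICWALL permit 10
 match ip address 100
 set ip default next-hop 10.40.1.2
!
interface Vlan40
 ip address 10.40.1.1 255.255.255.0
 ip policy route-map PBR-TO-SONICWALL
!
interface GigabitEthernet1/1
 ip access-group 100 in
"""


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" for the numbered extended ACL in the thread
    src: tuple    # (address as int, IOS wildcard as int)
    dst: tuple


def _parse_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(config_text, number):
    """Collect the entries of numbered ACL `number` in config order."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[2], tokens[3], src, dst))
    return entries


def _wildcard_match(ip_int, spec):
    # IOS wildcard bits set to 1 are "don't care"; compare only the 0 bits.
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip_int & care) == (addr & care)


def evaluate(entries, src_ip, dst_ip="0.0.0.0"):
    """First-match evaluation as IOS does it: returns (action, index of the matching
    line), or ("deny", None) for the implicit deny that ends every IOS ACL."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for idx, e in enumerate(entries):
        if _wildcard_match(s, e.src) and _wildcard_match(d, e.dst):
            return e.action, idx
    return "deny", None


def find_references(config_text, number):
    """Where is ACL `number` used? Returns (interface, kind, detail) tuples:
    kind "filter" for 'ip access-group N in|out' (deny drops the packet) and
    kind "policy-route" for an interface whose 'ip policy route-map' uses a
    route-map that matches the ACL (no match just means normal forwarding)."""
    lines = config_text.splitlines()
    route_maps, current = set(), None
    for line in lines:               # pass 1: route-maps matching this ACL
        m = re.match(r"^route-map\s+(\S+)\s+(?:permit|deny)\s+\d+", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = re.match(r"^\s+match ip address\s+(.+)$", line)
        if m and current and str(number) in m.group(1).split():
            route_maps.add(current)
    refs, current = [], None
    for line in lines:               # pass 2: interface bindings
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = re.match(r"^\s+ip access-group\s+(\S+)\s+(in|out)", line)
        if m and current and m.group(1) == str(number):
            refs.append((current, "filter", m.group(2)))
        m = re.match(r"^\s+ip policy route-map\s+(\S+)", line)
        if m and current and m.group(1) in route_maps:
            refs.append((current, "policy-route", m.group(1)))
    return refs


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, 100)
    # The HDX from the thread (10.40.1.5) sending to an outside address (203.0.113.10
    # is a documentation address chosen for the example).
    print(evaluate(acl, "10.40.1.5", "203.0.113.10"))    # ('deny', 5): explicit deny any any
    print(evaluate(acl, "10.40.100.7", "203.0.113.10"))  # ('permit', 1)
    print(find_references(SAMPLE_CONFIG, 100))
```

Run it against your own `show running-config` output (read the file into `config_text`) instead of the constructed sample. If the only reference that comes back is a `policy-route` one, as the route-map posted above suggests, then ACL 100 decides which sources get forced to 10.40.1.2 and the HDX, being unmatched, simply follows the normal routing table; only a `filter` reference on the path the calls take would make the deny drop packets.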
Mark Walden (Information Security Engineer) Commented:
Wow. You say it works when connecting through the VPN. I assume the ASA is providing the VPN connection?
JesusFreak42 (Author) Commented:
Yes. That's the only reason the ASA is there.
Mark Walden (Information Security Engineer) Commented:
The first thing I would do is watch the log on the 6500 when you are trying to connect. Does the SonicWall show any traffic passing through it? If so, what does it say?
Mark Walden (Information Security Engineer) Commented:
Any news?
JesusFreak42 (Author) Commented:
OK. Watching the traffic resulted in us discovering that SIP traffic didn't exist, because the Polycom installer forgot to program the HDX to register to their SIP server. :-P Thanks all!
Topic: Networking Hardware-Other