CME and Voip Access list to prevent tool fraud question

Sep 2nd, 2009

Hi,

I have CME and internet access on the same 2821, IOS 12.4.24T1. So I have configured the following ACL on the dialer 0 interface.

access-list 102 remark +++ Block IN Internet VOIP Traffic +++
access-list 102 deny tcp any host X.X.X.X eq 5060
access-list 102 deny udp any host X.X.X.X eq 5060
access-list 102 deny tcp any host X.X.X.X eq 5061
access-list 102 deny udp any host X.X.X.X eq 5061
access-list 102 deny tcp any host X.X.X.X eq 1720
access-list 102 deny tcp any host X.X.X.X eq 1719
access-list 102 deny tcp any host X.X.X.X eq 1718
access-list 102 deny tcp any host X.X.X.X eq 2000
access-list 102 deny udp any host X.X.X.X eq 2000
access-list 102 deny udp any any eq snmp
access-list 102 deny udp any any eq snmptrap
access-list 102 permit ip any any

Where X.X.X.X is the public IP address of my internet connection.

When I telnet to this IP address on port 5060 (or 5061, 2000, 1718, or 1719), for example, the connection is refused, but when I telnet to port 1720 I receive a black screen, so the connection is accepted.

Any ideas why this is happening or what more I have to configure?


Best Regards

MC

Nicholas Matthews Wed, 09/02/2009 - 12:06

For what it's worth, this is my template, which matches pretty closely:

access-list 101 remark **** SIP CUSTOMERS ****
access-list 101 permit udp host x.x.x.x any eq 5060
access-list 101 permit tcp host x.x.x.x any eq 5060
access-list 101 remark **** H323 CUSTOMERS ****
access-list 101 permit udp host x.x.x.x any eq 1720
access-list 101 permit udp host x.x.x.x any eq 1719
access-list 101 permit udp host x.x.x.x any eq 1718
access-list 101 permit tcp host x.x.x.x any eq 1720
access-list 101 permit tcp host x.x.x.x any eq 1719
access-list 101 permit tcp host x.x.x.x any eq 1718
access-list 101 remark **** DENY ALL ELSE ****
access-list 101 deny udp any any eq 1720
access-list 101 deny udp any any eq 1719
access-list 101 deny udp any any eq 1718
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any any eq 1719
access-list 101 deny tcp any any eq 1718
access-list 101 deny udp any any eq 5060
access-list 101 deny tcp any any eq 5060
access-list 101 remark **** NOW PERMIT ALL ****
access-list 101 permit ip any any

I don't see any reason why you should be able to telnet to 1720. Are you sure it's not just a black screen that isn't connecting?


-nick
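As an added illustration (written for this edited copy, not code from the thread, the poster, or Cisco IOS), the following Python script models the first-match / implicit-deny evaluation of the two access lists above, so the rules can be exercised offline against constructed packets. It assumes placeholder addresses: 203.0.113.10 for the router's public address X.X.X.X, 192.0.2.5 for Nick's customer x.x.x.x, and 198.51.100.7 for an arbitrary outside host. Both lists deny inbound TCP 1720 to the router address; the script also shows that ACL 102, because every deny is keyed to host X.X.X.X, permits the same port toward any other local address, so the address the dialer actually holds must match the one written in the list.

```python
"""Offline model of IOS extended-ACL semantics (first match wins, implicit deny
at the end). Added by the editor as an example; not code from the thread or IOS.
Addresses below are constructed placeholders standing in for X.X.X.X / x.x.x.x."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"snmp": 161, "snmptrap": 162}   # IOS port names used in the lists

ROUTER_PUBLIC = "203.0.113.10"   # stands in for X.X.X.X (constructed)
SIP_CUSTOMER = "192.0.2.5"       # stands in for x.x.x.x (constructed)
INTERNET_HOST = "198.51.100.7"   # an arbitrary outside host (constructed)

@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port

def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")

def parse_acl(text):
    """Turn 'access-list N permit|deny ...' lines into ordered entries; remarks skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACL line: {line}")
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def evaluate(entries, proto, src, dst, dport):
    """Action of the first matching entry; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"

# The original poster's list, with X.X.X.X replaced by the placeholder address.
ACL_102 = parse_acl(f"""
access-list 102 remark +++ Block IN Internet VOIP Traffic +++
access-list 102 deny tcp any host {ROUTER_PUBLIC} eq 5060
access-list 102 deny udp any host {ROUTER_PUBLIC} eq 5060
access-list 102 deny tcp any host {ROUTER_PUBLIC} eq 5061
access-list 102 deny udp any host {ROUTER_PUBLIC} eq 5061
access-list 102 deny tcp any host {ROUTER_PUBLIC} eq 1720
access-list 102 deny tcp any host {ROUTER_PUBLIC} eq 1719
access-list 102 deny tcp any host {ROUTER_PUBLIC} eq 1718
access-list 102 deny tcp any host {ROUTER_PUBLIC} eq 2000
access-list 102 deny udp any host {ROUTER_PUBLIC} eq 2000
access-list 102 deny udp any any eq snmp
access-list 102 deny udp any any eq snmptrap
access-list 102 permit ip any any
""")

# Nick's template, with x.x.x.x replaced by the placeholder customer address.
ACL_101 = parse_acl(f"""
access-list 101 permit udp host {SIP_CUSTOMER} any eq 5060
access-list 101 permit tcp host {SIP_CUSTOMER} any eq 5060
access-list 101 permit udp host {SIP_CUSTOMER} any eq 1720
access-list 101 permit udp host {SIP_CUSTOMER} any eq 1719
access-list 101 permit udp host {SIP_CUSTOMER} any eq 1718
access-list 101 permit tcp host {SIP_CUSTOMER} any eq 1720
access-list 101 permit tcp host {SIP_CUSTOMER} any eq 1719
access-list 101 permit tcp host {SIP_CUSTOMER} any eq 1718
access-list 101 deny udp any any eq 1720
access-list 101 deny udp any any eq 1719
access-list 101 deny udp any any eq 1718
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any any eq 1719
access-list 101 deny tcp any any eq 1718
access-list 101 deny udp any any eq 5060
access-list 101 deny tcp any any eq 5060
access-list 101 permit ip any any
""")

if __name__ == "__main__":
    cases = [("tcp", INTERNET_HOST, ROUTER_PUBLIC, 1720),   # H.225 from the Internet
             ("tcp", INTERNET_HOST, ROUTER_PUBLIC, 443),    # unrelated traffic passes
             ("tcp", INTERNET_HOST, "203.0.113.11", 1720),  # other local address: no deny
             ("udp", SIP_CUSTOMER, ROUTER_PUBLIC, 5060)]    # known SIP customer
    for name, acl in (("102", ACL_102), ("101", ACL_101)):
        for c in cases:
            print(f"ACL {name}: {c[0]} {c[1]} -> {c[2]}:{c[3]} = {evaluate(acl, *c)}")
```

The model covers only the `any` / `host` address forms and `eq` port matches that appear in the thread; it does not reflect whether the list is actually applied inbound on the dialer (`ip access-group` is not shown in the post), and it treats the session-state question as out of scope, which is what Nick's `show tcp brief` suggestion addresses on the router itself.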

etmarcof Thu, 09/03/2009 - 12:50

Hi Nick,


For the other ports I get a refused connection when I try to telnet using those ports, but for port 1720, like I said, a black screen appears. How could I check on the router whether the session is established?


Thanks

Best Regards

MC

Nicholas Matthews Tue, 09/08/2009 - 07:53

You can try 'show tcp brief' to see if there is a session open. 'show tcp detail' may also be helpful.


-nick
