Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Need command help with Access-list - Urgent

I have been struggling to add commands to open ports to my access list.  They are needed for the alarm system and our voip.

Below is my current one,  but not sure where to put in the requirements below in red. Realy need help fast as these services are crucial.  If you need any other part of the config let me know

 

Thx in advance

 

--------------------------------------------------------------------------

access-list 100 deny   ip host 125.211.211.75 any
access-list 100 deny   ip host 125.45.109.166 any
access-list 100 deny   ip host 221.194.46.176 any
access-list 100 permit esp any any
access-list 100 permit tcp any any eq 554
access-list 100 permit udp any eq ntp any log-input
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 remark OUT-BOUND-TO-INTERNET
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq 22
access-list 100 permit gre any any
access-list 100 permit udp any eq isakmp any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any eq domain any
access-list 100 deny   ip any any log

------------------------------------------------------------------

Alarm

They should also be excluded from SPI and/or PROXY.

Redir 1 ................ 204.141.57.100 (auiredir1.alarmnet.com) Ports 80 and 443

Redir 2 ................ 204.141.57.101 (auiredir2.alarmnet.com) Ports 80 and 443

Redir 3 ................ 204.141.57.102 (auiredir3.alarmnet.com)  Ports 80 and 443

Redir A................ 12.149.218.73 (auiredirA.alarmnet.com) Ports 80 and 443

NetTalk

The following ports are typically used be the netTALK product.

Port 69: Used for updates (not necessary for phone calls).
Port 5060: Standard SIP port for provisioning to the netTALK network.
Port 10,000 - 20,000: Used for Voice transmission. If your router does not allow you to put in a range of ports then select port 12000.
Protocol: UDP. TCP is NOT used.
IP address:192.168.15.2 (device ip)

-Port Triggering-
Implement the ports as stated above along with the protocols. Typically you are asked only to provide port number or range only along with the protocol.
It may ask you for a public port and a private port per trigger.
An example would be...
Model: Private start port - Private end port, Protocol ++ Public start port - Public end port, Protocol
Example: 5060 - 5060, UDP ++ 5060 - 5060, UDP
Example: 10000 - 20000, UDP ++ 10000 - 20000, UDP


-Port Forwarding-
Implement the ports as stated above along with the protocols. Typically you are asked only to provide port number or range, along with the protocol and the IP address of the netTALK device.
It may ask you for a public port and a private port per forward.
An example would be...
Model: Private start port - Private end port, Protocol, Private IP ++ Public start port - Public end port, Protocol
Example: 5060 - 5060, UDP, 192.168.1.100 ++ 5060 - 5060, UDP
Example: 10000 - 20000, UDP, 192.168.1.100 ++ 10000 - 20000, UDP

 

4 REPLIES
Super Bronze

Hi, If I am not completely

Hi,

 

If I am not completely mistaken and remember wrong, it seems to me that you might have to configure a new ACL with which to replace the current ACL. Atleast it seems to me that the above ACL does not contain anykind of line/sequence numbering even though its an extended ACL which would let you enter new rules in specific points. If I dont remember wrong this had something to do with the software level running on the router but I could be wrong. I am pretty rusty when it comes to routers.

 

If you were to remove the current ACL and create it again with the same name you should consider removing the ACL from the interface before removing the ACL as you could cause connecitivity issues when the interface is using an ACL that does not exist. To my understanding in such a situation all traffic is blocked from behind that interface.

 

Since you have a separate "deny ip any any" rule in your ACL you should the rules atleast before that rule for them to be matched. I guess you could always place them below the first "deny" statements you have at the top of the ACL.

 

- Jouni

 

VIP Green

Jouni is correct that you

Jouni is correct that you need to re-create the ACLs.  sequencing is not suppoted with numbered ACLs so you would need to create a named ACL and then you can use the sequence numbers.

ip access-list extended TEST
  5 permit tcp any any eq 80
  10 permit udp any any eq 69

The 5 and 10 in the ACL are the sequence numbers.  If you add a new entry with the same sequence number as an existing entry (sequence number 5 for example) then you will receive an error message stating something like duplicate sequence number.

But if you want to keep the 101 ACL then you would first need to remove the deny any any that you have added at the end (i assume you want to log the denies?) then add your new entries, then re-add the deny any any.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
New Member

Thx for the help!I am not

Thx for the help!

I am not sure of the correct ios commands to exclude the following from SPI and and allow those specific IP 's bout inbound and outbound??  I am not great at IOS,  and have been using CCP,  which sucks too :)

 

Redir 1 ................ 204.141.57.100 (auiredir1.alarmnet.com) Ports 80 and 443

Redir 2 ................ 204.141.57.101 (auiredir2.alarmnet.com) Ports 80 and 443

Redir 3 ................ 204.141.57.102 (auiredir3.alarmnet.com)  Ports 80 and 443

Redir A................ 12.149.218.73 (auiredirA.alarmnet.com) Ports 80 and 443

VIP Green

If I remember correctly you

If I remember correctly you just need to add deny statements in the inspection ACL.  Basically permit means inspect this traffic, and deny means do not inspect this traffic (this is in regards to inspection only).

ip access-list INSP-ACL
  deny tcp 204.141.57.100 any eq 80 443
  deny tcp 204.141.57.101 any eq 80 443
  deny tcp 204.141.57.102 any eq 80 443
  deny tcp 12.149.218.73 any eq 80 443

This should exempt the traffic from being inspected.  But always when making changes make sure you have a backup of your configuration, and that you have local access to the device incase you lock yourself out.  Make sure you have a rollback plan.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
47
Views
0
Helpful
4
Replies