Cisco Support Community
CME and VoIP access list to prevent toll fraud question

Hi,

I have CME and Internet access on the same 2821 running IOS 12.4.24T1, so I have configured the following ACL on the Dialer 0 interface.

access-list 102 remark +++ Block IN Internet VOIP Traffic +++
access-list 102 deny tcp any host X.X.X.X eq 5060
access-list 102 deny udp any host X.X.X.X eq 5060
access-list 102 deny tcp any host X.X.X.X eq 5061
access-list 102 deny udp any host X.X.X.X eq 5061
access-list 102 deny tcp any host X.X.X.X eq 1720
access-list 102 deny tcp any host X.X.X.X eq 1719
access-list 102 deny tcp any host X.X.X.X eq 1718
access-list 102 deny tcp any host X.X.X.X eq 2000
access-list 102 deny udp any host X.X.X.X eq 2000
access-list 102 deny udp any any eq snmp
access-list 102 deny udp any any eq snmptrap
access-list 102 permit ip any any

Where X.X.X.X is the public IP address of my Internet connection.

When I telnet to this IP address on port 5060 (or 5061, 2000, 1718 or 1719), for example, the connection is refused, but when I telnet to port 1720 I get a black screen, so the connection is accepted.

Any ideas why this is happening, or what more I have to configure?

Best Regards

MC

3 REPLIES

Re: CME and VoIP access list to prevent toll fraud question

For what it's worth, this is my template, which matches pretty closely:

access-list 101 remark **** SIP CUSTOMERS ****
access-list 101 permit udp host x.x.x.x any eq 5060
access-list 101 permit tcp host x.x.x.x any eq 5060
access-list 101 remark **** H323 CUSTOMERS ****
access-list 101 permit udp host x.x.x.x any eq 1720
access-list 101 permit udp host x.x.x.x any eq 1719
access-list 101 permit udp host x.x.x.x any eq 1718
access-list 101 permit tcp host x.x.x.x any eq 1720
access-list 101 permit tcp host x.x.x.x any eq 1719
access-list 101 permit tcp host x.x.x.x any eq 1718
access-list 101 remark **** DENY ALL ELSE ****
access-list 101 deny udp any any eq 1720
access-list 101 deny udp any any eq 1719
access-list 101 deny udp any any eq 1718
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any any eq 1719
access-list 101 deny tcp any any eq 1718
access-list 101 deny udp any any eq 5060
access-list 101 deny tcp any any eq 5060
access-list 101 remark **** NOW PERMIT ALL ****
access-list 101 permit ip any any

I don't see any reason why you should be able to telnet to 1720. Are you sure it's not just a black screen that isn't connecting?

-nick

Re: CME and VoIP access list to prevent toll fraud question

Hi Nick,

For the other ports I get a refused connection when I try to telnet to them, but for port 1720, like I said, a black screen appears. How could I check on the router whether a session is established?

Thanks

Best Regards

MC

Re: CME and VoIP access list to prevent toll fraud question

You can try 'show tcp brief' to see if there is a session open. 'show tcp detail' may also be helpful.

-nick
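The telnet test in the original post is a manual TCP connect probe, and the "black screen" versus "connection refused" distinction is exactly what separates a completed handshake from a RST. The script below is an added example, not code from the thread or from Cisco: it classifies each signalling port as open (handshake completed, so a listener answered and nothing in the path dropped the SYN), refused (a RST came back, so the host is reachable but nothing listens there) or filtered (no answer within the timeout, or an ICMP unreachable, which is what a working inbound deny looks like from outside). The port list, the 3-second timeout and the loopback fixture in demo() are assumptions made for the example; the fixture stands in for a router so the script runs offline.

```python
import socket
from contextlib import closing

# TCP signalling ports from the ACLs in this thread (names only used in the report).
VOIP_TCP_PORTS = {
    5060: "SIP",
    5061: "SIP over TLS",
    1720: "H.225 call signalling",
    2000: "SCCP (Skinny)",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'.

    'open'     : three-way handshake completed (the OP's 'black screen').
    'refused'  : RST received, host up but no listener on that port.
    'filtered' : no reply before the timeout, or the OS reported an
                 ICMP unreachable; a correctly applied deny shows up here.
    ConnectionRefusedError is caught before OSError because it is a subclass.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except (socket.timeout, OSError):
            return "filtered"


def probe_all(host, ports=VOIP_TCP_PORTS, timeout=3.0):
    """Probe every port in `ports` (a dict or iterable of ints); return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports where the handshake completed, i.e. the ACL did not stop the SYN."""
    return sorted(port for port, state in results.items() if state == "open")


def demo():
    """Constructed offline fixture: one listening loopback port (plays the role
    of the OP's 1720) and one port that was just closed (plays the role of 5060).
    Returns (results, open_port, closed_port)."""
    # A socket in LISTEN state completes handshakes from its backlog even if
    # nothing ever calls accept(), which is enough to produce 'open'.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Reserve an ephemeral port, then release it so no one listens there -> RST.
    placeholder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()

    try:
        results = probe_all(
            "127.0.0.1",
            {open_port: "fake H.225", closed_port: "fake SIP"},
            timeout=2.0,
        )
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} -> {state}")
    print("exposed:", exposed_ports(results))
    # Against a real router, run from an Internet-side host: probe_all("X.X.X.X")
```

Two practitioner caveats when using this against a router. First, the probe must originate on the Internet side of the Dialer interface: a connection from the LAN to the router's own public address never enters through Dialer 0, so an inbound ACL there never sees it. Second, an interface ACL keeps per-entry match counters, so after a probe `show ip access-lists 102` should show the 1720 deny line incrementing; if the probe reports open and that counter stays at zero, the SYN never traversed that ACL in that direction, which is the first thing to check before suspecting the ACL syntax itself, alongside the `show tcp brief` check Nick suggests. Note also that the original ACL lists 1718 and 1719 only for TCP, while H.225 RAS runs over UDP; Nick's template covers both transports.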
