12-07-2011 02:19 PM - edited 03-07-2019 03:47 AM
Hi All,
I want to block some users from accessing VOIP calls.
Is there an ACL that blocks certain UDP ports so that inside users can not access those ports?
Ports like 5070,14836 etc?
Thanks
12-07-2011 03:17 PM
Hi Mahesh,
Can you explain a little more what you are trying to do when you say "block some users from accessing VOIP calls."
Do you mean accessing Call manager?
You can try something like this:
access-list 120 deny udp 192.168.1.0 0.0.0.255 eq 5070 host 172.16.2.1
access-list 120 permit udp any any
HTH
12-07-2011 10:09 PM
Hi Reza,
Thanks for reply.
When I apply this ACL on the switch port that has the Wi-Fi users, it blocks all access to the Internet.
From a user PC I cannot ping the HSRP gateway.
interface where i apply ACL
3550SMIA#sh run int fa0/20
Building configuration...
Current configuration : 241 bytes
!
interface FastEthernet0/20
description CONNECTION TO DLINK ROUTER
switchport access vlan 20
switchport mode access
switchport port-security maximum 5
ip access-group 140 in
spanning-tree portfast
spanning-tree bpduguard enable
end
ACL config
access-list 140 deny udp 192.168.20.0 0.0.0.255 eq 5070 any
access-list 140 permit udp any any
Basically I want to block users from using Skype on their PCs to make voice calls over the Internet.
There is no call manager involved.
Thanks
Mahesh
12-09-2011 04:21 AM
Hi, ACL 140 blocks any UDP 5070 from 192.168.20.0 and permits any UDP to any, but it also blocks every other protocol (TCP such as HTTP and so on) because of the implicit deny any at the end of the ACL. So you don't permit HTTP, FTP, etc.
Think about everything you want to enable, from more specific to more generic, and write an explicit ACL that permits all you want; the deny any at the end then blocks everything else.
12-09-2011 05:23 AM
Hi Mahesh,
Make a list of the sources that need to access your call manager, something like below, so that you can define explicit rules and then deny everything else.
access-list 140 permit udp 192.168.20.2 0.0.0.255 eq 5070 any
access-list 140 permit tcp 192.168.20.0 0.0.0.255 eq 80 any
access-list 140 permit tcp 192.168.20.0 0.0.0.255 eq 443 any
access-list 140 deny ip any any
Please rate the helpful posts.
Regards,
Naidu.
12-11-2011 08:29 AM
Hi guys.
With your access-lists, you are forgetting some important things such as DNS, SMTP, POP and stateful connections.
ICMP echo replies could also be good to have.
So what I would configure is the following ACL:
ip access-list extended NOVOIP
 remark permit DNS queries
 10 permit udp any any eq 53
 remark deny all other UDP traffic to any
 15 deny udp any any
 remark permit all other protocols
 20 permit ip any any
interface f0/20
 ip access-group NOVOIP in
HTH
Regards
Carlo
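To make the difference between the two ACLs concrete, here is an added Python example (not from this thread and not Cisco code) that implements first-match evaluation of the extended-ACL subset used above, including the implicit "deny ip any any" at the end, and runs both ACL 140 as originally posted and Carlo's NOVOIP over a handful of constructed sample flows. The client and server addresses, the high UDP port and the TCP 443 fallback flow are all constructed for illustration.

```python
"""Tiny evaluator for the Cisco IOS extended-ACL subset seen in the thread.

Added example, not from the original posts. Supports:
  [access-list N | SEQ] permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str            # "ip" matches every protocol
    src_net: Tuple[int, int]   # (network, mask) as integers
    sport: Optional[int]
    dst_net: Tuple[int, int]
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))  # wildcard -> mask
    return (addr & mask, mask), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(config: str):
    """Parse numbered or named ACL lines; comments, remarks and headers are skipped."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark", "ip access-list", "interface")):
            continue
        tokens = line.split()
        if tokens[0] == "access-list":      # numbered: drop "access-list N"
            tokens = tokens[2:]
        elif tokens[0].isdigit():           # named: drop the sequence number
            tokens = tokens[1:]
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append(Entry(action, proto, src, sport, dst, dport, line))
    return entries


def _in_net(net, ip):
    network, mask = net
    return (int(ipaddress.IPv4Address(ip)) & mask) == network


def evaluate(entries, flow: Flow):
    """First matching entry wins; nothing matched means the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not _in_net(e.src_net, flow.src) or not _in_net(e.dst_net, flow.dst):
            continue
        if e.sport is not None and e.sport != flow.sport:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action, e.text
    return "deny", "(implicit deny ip any any)"


ACL_140_AS_POSTED = """
access-list 140 deny udp 192.168.20.0 0.0.0.255 eq 5070 any
access-list 140 permit udp any any
"""

ACL_NOVOIP = """
ip access-list extended NOVOIP
 10 permit udp any any eq 53
 15 deny udp any any
 20 permit ip any any
"""

# Constructed sample flows from a Wi-Fi client in VLAN 20 (addresses are made up).
FLOWS = {
    "http": Flow("tcp", "192.168.20.50", "203.0.113.10", 51000, 80),
    "dns": Flow("udp", "192.168.20.50", "192.168.20.1", 53000, 53),
    "ping_gw": Flow("icmp", "192.168.20.50", "192.168.20.1"),
    "voip_5070": Flow("udp", "192.168.20.50", "198.51.100.5", 5070, 5070),
    "udp_high_port": Flow("udp", "192.168.20.50", "198.51.100.5", 14836, 33033),
    "tcp_443": Flow("tcp", "192.168.20.50", "198.51.100.5", 51001, 443),
}


def compare(acl_text: str):
    """Map each sample flow name to the action the ACL takes on it."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, f)[0] for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 140 as posted", ACL_140_AS_POSTED), ("NOVOIP", ACL_NOVOIP)):
        print(label, compare(acl))
```

Running it shows the two behaviours discussed in the thread: ACL 140 as posted permits DNS and high-port UDP but drops HTTP and the ICMP ping to the gateway on the implicit deny, while NOVOIP keeps TCP and ICMP working and drops every UDP flow except DNS. Two things the evaluator makes visible that are worth checking before deploying NOVOIP on a real user port: line 15 also drops DHCP (UDP 67/68) and NTP, so clients that get their addresses from a DHCP server beyond that port will stop renewing, and a TCP 443 flow is still permitted, which is the transport Skype falls back to when UDP is unavailable, so a UDP-only deny does not by itself stop the calls.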