ACL to block certain UDP ports

mahesh18
Level 6

Hi All,

I want to block some users from accessing VOIP  calls.

Is there an ACL  that blocks certain UDP ports so that inside users can not access those ports?

Ports like 5070,14836 etc?

Thanks

5 Replies

Reza Sharifi
Hall of Fame

Hi Mahesh,

Can you explain a little more what you are trying to do when you say "block some users from accessing VOIP  calls."

Do you mean accessing Call manager?

You can try something like this:

access-list 120 deny   udp 192.168.1.0 0.0.0.255 eq 5070 host 172.16.2.1

access-list 120 permit udp any any

HTH

Hi Reza,

Thanks for reply.

When I apply this ACL on the switch port which has Wi-Fi users, it blocks all access to the internet.

From the user PC I can not ping the HSRP gateway.

Interface where I apply the ACL:

3550SMIA#sh run int fa0/20
Building configuration...

Current configuration : 241 bytes
!
interface FastEthernet0/20
description CONNECTION TO DLINK ROUTER
switchport access vlan 20
switchport mode access
switchport port-security maximum 5
ip access-group 140 in
spanning-tree portfast
spanning-tree bpduguard enable
end

ACL config:

access-list 140 deny   udp 192.168.20.0 0.0.0.255 eq 5070 any
access-list 140 permit udp any any

Basically I want to block users using Skype on their PC to make voice calls over the internet.

There is no call manager involved.

Thanks

Mahesh

Hi, the ACL 140 blocks any UDP 5070 from 192.168.20.0 and permits any UDP vs any... but it also blocks any other protocol such as TCP, as HTTP and so on, due to the implicit deny any at the end of the ACL. So you don't permit HTTP, FTP etc.

Think of all you want to enable, from more specific to more generic, and make an explicit ACL to permit all you want; the deny any at the end blocks all the other.

Hi Mahesh,

Make a list of the sources that need to access your call manager, something like below, so that you can define explicit rules and then deny everything.


access-list 140 permit udp 192.168.20.2 0.0.0.255 eq 5070 any
access-list 140 permit tcp 192.168.20.0 0.0.0.255 eq 80 any
access-list 140 permit tcp 192.168.20.0 0.0.0.255 eq 443 any
access-list 140 deny ip any any

Please rate the helpful posts.
Regards,
Naidu.

Hi guys.

With your access-lists, you are forgetting some important things such as DNS, SMTP, POP and stateful connections.

ICMP echo replies could also be good to have.

So what I would configure is the following ACL:

ip access-list extended NOVOIP

10 permit udp any any eq 53 (permit DNS query)

15 deny udp any any  ( deny all other udp traffic to any)

20 permit ip any any  (permit all other protocols)

interface f0/20

ip access-group NOVOIP in

HTH

Regards

Carlo

Please rate all helpful posts "The more you help the more you learn"
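An added example, not from the thread and not Cisco code: a small Python model of how IOS walks an extended ACL top-down with the implicit deny at the end, run over the ACL 140 Mahesh posted and Carlo's NOVOIP list. It shows why ACL 140 cut off HTTP and the ping to the gateway while NOVOIP lets them through (the source addresses, ports and destination 203.0.113.5 in the checks are constructed).

```python
import ipaddress

# Constructed model, not Cisco IOS code: an extended ACL is evaluated top-down,
# the first matching entry wins, and anything unmatched hits the implicit
# "deny ip any any" at the end.

def _match_addr(spec, addr):
    if spec == "any":
        return True
    net, wildcard = spec                 # IOS wildcard: 1 bits are "don't care"
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)

def parse_ace(line):
    # Parse one entry such as "deny udp 192.168.20.0 0.0.0.255 eq 5070 any".
    tok, pos = line.split(), 2
    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1; return "any"
        if tok[pos] == "host":
            pos += 2; return (tok[pos - 1], "0.0.0.0")
        pos += 2; return (tok[pos - 2], tok[pos - 1])
    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2; return int(tok[pos - 1])
        return None                       # no port qualifier: any port
    src, sport = addr(), port()
    dst, dport = addr(), port()
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, pkt):
    # pkt = (proto, src, sport, dst, dport); returns "permit" or "deny".
    proto, src, sport, dst, dport = pkt
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"                         # implicit deny at the end of every ACL

# The two ACLs from the thread, as posted.
ACL_140 = [parse_ace(l) for l in ("deny udp 192.168.20.0 0.0.0.255 eq 5070 any",
                                  "permit udp any any")]
NOVOIP = [parse_ace(l) for l in ("permit udp any any eq 53", "deny udp any any",
                                 "permit ip any any")]
```

Note that ACL 140 still permits UDP on the other port from the question (14836) because only source port 5070 is named, whereas NOVOIP denies every UDP port except DNS.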