Please help with ACL to block outbound port 5060

Hi,

I am having trouble implementing an ACL to block TCP and UDP traffic on outbound ports 5060-5070.  The effect is that all outbound traffic is blocked, but I don't see why this is happening.  I appreciate your help in advance!

This is on a Cisco router 1921/K9 V05.

There is a current ACL in place that blocks traffic between the VLANs except it allows traffic to VLAN9.  It is a Standard type rule and looks like this:

access-list 12 remark This rule allows machines to access VLAN9, but blocks all others
access-list 12 remark CCP_ACL Category=17
access-list 12 permit 192.168.9.0 0.0.0.255
access-list 12 deny   192.168.0.0 0.0.255.255
access-list 12 permit any

The new rule has to have this same functionality as above, but I believe it has to be written in the Extended format in order to also include port-level traffic control. I wrote this in the Extended format:

ip access-list extended TenantAccess1
remark CCP_ACL Category=16
permit ip any 192.168.9.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255
remark Block SIP VOIP out
deny   udp any any range 5060 5070
deny   tcp any any range 5060 5070
permit ip any any

When I apply it to the interface it blocks all outbound traffic, but I don't see why.  Here's an interface config:

interface GigabitEthernet0/0.18
encapsulation dot1Q 18
ip address 192.168.18.1 255.255.255.0
ip access-group TenantAccess1 out
ip nat inside
ip virtual-reassembly in

The old interface configuration was:

interface GigabitEthernet0/0.18
encapsulation dot1Q 18
ip address 192.168.18.1 255.255.255.0
ip access-group 12 out
ip nat inside
ip virtual-reassembly in

Your help is greatly appreciated


Re: Please help with ACL to block outbound port 5060

Hi Dylan,

The standard ACL had permit and deny statements for the source addresses; in your extended ACL those source addresses are configured as the destinations:

permit ip any 192.168.9.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255

source: any
destination: 192.168.9.0/24; 192.168.0.0/16

I guess you have to change it the other way around:

permit ip 192.168.9.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any

Link: Configuring IP ACLs - Extended ACLs

HTH

Rolf

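To see why TenantAccess1 as posted blocks everything and why swapping source and destination fixes it, here is a small Python model of IOS access-list matching, added to this thread as an illustration; it is not the poster's router output and not Cisco code. It assumes IOS first-match evaluation with the implicit deny at the end, and that an ACL applied with `ip access-group ... out` on GigabitEthernet0/0.18 sees packets leaving the router toward 192.168.18.0/24, so the source address is the far end (VLAN 9, another VLAN, or the Internet) and the destination is a VLAN 18 host. The sample packets, and the outside addresses 198.51.100.7 and 203.0.113.5, are constructed for the example.

```python
"""Minimal model of Cisco IOS access-list matching (added illustration, not Cisco code).
Wildcard masks, the 'range' operator and first-match-with-implicit-deny follow IOS semantics;
only the subset of syntax used in the thread is parsed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'. 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip", "tcp" or "udp"
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]             # (network, wildcard)
    dst: Tuple[str, str]
    dport_range: Optional[Tuple[int, int]] = None   # 'range lo hi' after the destination


ANY = ("0.0.0.0", "255.255.255.255")


def _addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec ('any', 'host X', or 'X wildcard') starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse(lines: List[str], standard: bool = False) -> List[Entry]:
    """Parse ACL lines as quoted in the thread. Standard ACLs test the source only;
    extended ACLs test protocol, source, destination and an optional destination port range."""
    entries = []
    for raw in lines:
        tok = raw.split()
        if tok and tok[0] == "access-list":   # numbered form: 'access-list 12 permit ...'
            tok = tok[2:]
        if not tok or tok[0] == "remark":
            continue
        if standard:
            src = ANY if tok[1] == "any" else (tok[1], tok[2])
            entries.append(Entry(tok[0], "ip", src, ANY))
            continue
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        rng = (int(tok[i + 1]), int(tok[i + 2])) if i < len(tok) and tok[i] == "range" else None
        entries.append(Entry(tok[0], tok[1], src, dst, rng))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match falls through to the implicit 'deny any'."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport_range and not (e.dport_range[0] <= pkt.dport <= e.dport_range[1]):
            continue
        return e.action, idx
    return "deny", None


# The three ACLs from the thread: the original standard list, the extended list as posted,
# and the extended list with source/destination swapped as suggested in the reply.
ACL_12 = """access-list 12 remark This rule allows machines to access VLAN9, but blocks all others
access-list 12 permit 192.168.9.0 0.0.0.255
access-list 12 deny   192.168.0.0 0.0.255.255
access-list 12 permit any""".splitlines()

TENANT_AS_POSTED = """permit ip any 192.168.9.0 0.0.0.255
deny   ip any 192.168.0.0 0.0.255.255
deny   udp any any range 5060 5070
deny   tcp any any range 5060 5070
permit ip any any""".splitlines()

TENANT_SWAPPED = """permit ip 192.168.9.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   udp any any range 5060 5070
deny   tcp any any range 5060 5070
permit ip any any""".splitlines()

# Constructed packets as an 'out' ACL on Gi0/0.18 sees them: leaving the router toward a VLAN 18 host.
PACKETS = {
    "internet_reply":      Packet("198.51.100.7", "192.168.18.10", "tcp", 443, 51000),
    "from_vlan9":          Packet("192.168.9.5", "192.168.18.10", "tcp", 445, 52000),
    "from_vlan20":         Packet("192.168.20.5", "192.168.18.10"),
    "sip_to_tenant":       Packet("203.0.113.5", "192.168.18.10", "udp", 5060, 5060),
    "sip_reply_to_tenant": Packet("203.0.113.5", "192.168.18.10", "udp", 5060, 49152),
}


def decisions(acl_lines: List[str], standard: bool = False) -> dict:
    """Decision ('permit'/'deny') for each sample packet under the given ACL."""
    acl = parse(acl_lines, standard)
    return {name: evaluate(acl, p)[0] for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, lines, std in [("access-list 12", ACL_12, True),
                              ("TenantAccess1 as posted", TENANT_AS_POSTED, False),
                              ("TenantAccess1 swapped", TENANT_SWAPPED, False)]:
        print(label, decisions(lines, std))
```

Running it prints the decision for each sample packet under each ACL. TenantAccess1 as posted denies even the Internet reply, because every packet heading to a VLAN 18 host has a destination inside 192.168.0.0/16 and hits the deny line before anything else; the swapped version reproduces access-list 12 for the first three packets. The last two packets are the check worth keeping in mind for the SIP lines: in the out direction, `deny udp any any range 5060 5070` matches on the destination port of packets going toward the tenant, so a reply coming back to a SIP session a tenant host started (source port 5060, destination port 49152) is permitted. Blocking calls the tenant hosts originate means matching their packets as they enter the router, that is, the same deny lines in an ACL applied with `ip access-group ... in` on the subinterface, where the destination port is the one in the 5060-5070 range.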