ACLs, Firewalls, and VoIP
hermeszdata
Member Posts: 225
I am in the final phase in my prep for the CCNA (640-802) exam and I have been playing with VoIP during an overlap period for a few months (at the behest of a client who is getting ready to migrate to VoIP) and unfortunately none of the study material I have, CCNA, IIUC, or CVOICE, addresses this (at least in any meaningful fashion).
My lab scenario is as follows:
2621XM as my backbone to the Internet and has some basic ACLs for In/Out and NAT control and the LAN interface, f0/1 uses VLAN trunking (RoaS) to separate Data and Voice traffic. Connected on my Data LAN are 2 PCs, each having a Magic Jack for POTS connectivity (a cheap way to test VoIP functionality) and on the Voice VLAN I have Cisco IP Phones (7910s and 7960s) that we use for inter-office (this is a home office setup) as well as POTS calls.
I recently decided it was time to tighten security on my router and implement the on-router Firewall/IPS/IDS functionality using SDM. Even though, when going through the wizard, I selected the option offered so the existing ACLs remained unmodified, when the wizard applied the new commands I lost connectivity through the MJs (and boy was my wife pissed! She was on a call and got disconnected!) The PCs on which the MJs are attached are on my Data LAN, which did not lose Internet connectivity, and inter-office calls were unaffected.
What would the ACL look like to allow voice traffic to pass through the router bi-directionally and allow me to lock down for other undesirable traffic?
interface FastEthernet0/0
 ip address dhcp
 ip access-group 2 in
 ip nat outside
!
interface FastEthernet0/1.101
 description $Data LAN$
 encapsulation dot1Q 101
 ip address 10.10.11.1 255.255.255.224
 ip nat inside
!
interface FastEthernet0/1.107
 description $Voice LAN$
 encapsulation dot1Q 107
 ip address 10.10.11.193 255.255.255.224
 ip nat inside
!
! Current ACLs allow NAT overloading f0/0 and deny private IP spoofing entering f0/0 (WAN interface)
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.11.0 0.0.0.31
access-list 1 permit 10.10.11.192 0.0.0.31
access-list 1 permit 10.10.11.224 0.0.0.31
access-list 1 permit 192.168.1.0 0.0.0.3
!
access-list 2 remark WAN Access List To block Private Address Spoofing
access-list 2 deny 10.0.0.0 0.255.255.255
access-list 2 deny 172.16.0.0 0.15.255.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit any
I had used the same scenario when I had ComCast's VoIP adapter and had locked down the router using SDM in the past (the POTS connection was on the outside of the router's WAN) without issue and I know and understand the reasons why this did not affect POTS communications.
So, again, what is the solution?
Thanks in advance!
John
Current Progress:
Studying:
CCNA Security - 60%, CCNA Wireless - 80%, ROUTE - 10% (Way behind due to major Wireless Project)
Exams Passed:
CCNA - 640-802 - 17 Jan 2011 -- CVOICE v6 - 642-436 - 28 Feb 2011
2011 Goals
CCNP/CCNP:Voice
Comments
hermeszdata Member Posts: 225
Quote: Did you get this resolved? If not, what exactly is wrong?
I set that issue aside for the time being to get CCNA and CVOICE out of the way before the CVOICE lock tomorrow.
Basically, it shut down ALL voice traffic coming in from the WAN (Internet). I'll look at playing with it more after I sit 642-436 tomorrow.
I have a busy few days ahead of me. CVOICE tomorrow. A Cisco VoIP installation on Tuesday and Wednesday is my wife's Citizenship interview!
John
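As an added example (not from the post or any reply), here is the direction I would take the WAN side: the SDM firewall wizard turns on CBAC inspection, and generic udp inspection never learns the RTP ports that SIP negotiates in the SDP body, so the MagicJack's media streams (and, once registration times out, its signalling) get dropped by the inbound WAN ACL unless sip inspection is enabled. The interface and address ranges are the poster's; the inspect rule name VOICE-INSPECT, the ACL name WAN-IN, the idle timer and the SIP port 5060 are assumptions (reuse the rule name SDM actually generated, and confirm the MagicJack's signalling port from the NAT table during a call).

```cisco
! Added example, not the poster's running config. Subinterfaces and address
! ranges come from the post; VOICE-INSPECT, WAN-IN, the timer and the port
! number are assumed values.
!
! CBAC inspection: sip tracks the MagicJack signalling and opens the RTP
! ports found in the SDP; skinny covers the 7910/7960 SCCP signalling if it
! ever crosses the WAN; tcp/udp keep ordinary return traffic (web, DNS)
! working once the ACL below denies everything else.
ip inspect name VOICE-INSPECT sip
ip inspect name VOICE-INSPECT skinny
ip inspect name VOICE-INSPECT tcp
ip inspect name VOICE-INSPECT udp
! Keep the UDP signalling session alive between MagicJack keepalives
! (default is 30 seconds; 120 is an assumed value, tune it to the device).
ip inspect udp idle-time 120
!
! NAT ALG so the SIP headers carry the public address rather than 10.10.11.x.
ip nat service sip udp port 5060
!
interface FastEthernet0/0
 ip address dhcp
 ip access-group WAN-IN in
 ip inspect VOICE-INSPECT out
 ip nat outside
!
! Extended ACL replacing access-list 2: same anti-spoofing denies, DHCP for
! the WAN lease, then deny the rest. CBAC inserts temporary permits for the
! return flows it tracked ahead of these entries, so no static UDP range
! has to be opened for voice.
ip access-list extended WAN-IN
 remark WAN access list, anti-spoofing carried over from access-list 2
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
! While a MagicJack call is up, confirm the pinholes exist:
!   show ip inspect sessions
!   show ip nat translations | include 5060
```

If the phones on VLAN 107 also place POTS calls through a provider on the WAN, the same inspect rule covers them; only the anti-spoofing entries and the log keyword survive from the original access-list 2.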