I am in the final phase of my prep for the CCNA (640-802) exam and I have been playing with VoIP during an overlap period for a few months (at the behest of a client who is getting ready to migrate to VoIP), and unfortunately none of the study material I have, CCNA, IIUC, or CVOICE, addresses this (at least not in any meaningful fashion).
My lab scenario is as follows:
2621XM as my backbone to the Internet; it has some basic ACLs for In/Out and NAT control, and the LAN interface, f0/1, uses VLAN trunking (RoaS) to separate Data and Voice traffic. Connected on my Data LAN are 2 PCs, each having a Magic Jack for POTS connectivity (a cheap way to test VoIP functionality), and on the Voice VLAN I have Cisco IP Phones (7910s and 7960s) that we use for inter-office (this is a home office setup) as well as POTS calls.
I recently decided it was time to tighten security on my router and implement the on-router Firewall/IPS/IDS functionality using SDM. Even though, when going through the wizard, I selected the option offered so the existing ACLs remained unmodified when the wizard applied the new commands, I lost connectivity through the MJs (and boy was my wife pissed! She was on a call and got disconnected!). The PCs to which the MJs are attached are on my Data LAN, which did not lose Internet connectivity, and inter-office calls were unaffected.
What would the ACL look like to allow voice traffic to pass through the router bi-directionally and allow me to lock down other undesirable traffic?
int f0/0
ip address dhcp
ip access-group 2 in
ip nat out
!
int f0/1.101
desc $Data LAN$
enc dot1q 101
ip address 10.10.11.1 255.255.255.224
ip nat in
int f0/1.107
desc $Voice LAN$
enc dot1q 107
ip address 10.10.11.193 255.255.255.224
ip nat in
! Current ACLs allow NAT overloading on f0/0 and deny private IP spoofing entering f0/0 (WAN interface)
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.11.0 0.0.0.31
access-list 1 permit 10.10.11.192 0.0.0.31
access-list 1 permit 10.10.11.224 0.0.0.31
access-list 1 permit 192.168.1.0 0.0.0.3
!
access-list 2 remark WAN Access List To Block Private Address Spoofing
access-list 2 deny 10.0.0.0 0.255.255.255
access-list 2 deny 172.16.0.0 0.15.255.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit any
I had used the same scenario when I had Comcast's VoIP adapter and had locked down the router using SDM in the past (the POTS connection was on the outside of the router's WAN) without issue, and I know and understand the reasons why this did not affect POTS communications.
So, again, what is the solution?
Thanks in advance!
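As an added example (not part of the original post, and not the poster's configuration), the script below models how IOS evaluates the two standard numbered ACLs quoted above: wildcard-mask matching on the source address only, first match wins, and an implicit deny at the end of every list. Feeding it the posted lines shows that ACL 2 drops RFC 1918 sources arriving on the WAN and permits everything else, and that ACL 1 covers the Data and Voice subnets for NAT. The ACL text, the sample source addresses and the function names are constructed for this example; standard ACLs have no notion of protocol or port, so the evaluator deliberately ignores them.

```python
import ipaddress

# Constructed copy of the standard ACLs from the post (ACL 2 with the valid
# "permit any" form). Remarks and non-ACL lines are ignored by the parser.
POSTED_CONFIG = """
access-list 1 permit 10.10.11.0 0.0.0.31
access-list 1 permit 10.10.11.192 0.0.0.31
access-list 1 permit 10.10.11.224 0.0.0.31
access-list 1 permit 192.168.1.0 0.0.0.3
!
access-list 2 remark WAN Access List To Block Private Address Spoofing
access-list 2 deny 10.0.0.0 0.255.255.255
access-list 2 deny 172.16.0.0 0.15.255.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit any
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match the base,
    a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_standard_acls(config_text):
    """Return {acl_number: [(action, base, wildcard), ...]} in config order."""
    acls = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action = parts[1], parts[2]
        if parts[3] == "any":                       # matches every source
            base, wild = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":                    # "host A.B.C.D"
            base, wild = parts[4], "0.0.0.0"
        elif len(parts) == 4:                       # bare address = host
            base, wild = parts[3], "0.0.0.0"
        else:                                       # "A.B.C.D W.W.W.W"
            base, wild = parts[3], parts[4]
        acls.setdefault(number, []).append((action, base, wild))
    return acls


def evaluate(entries, src_ip):
    """First matching entry decides; IOS appends an implicit deny."""
    for index, (action, base, wild) in enumerate(entries):
        if wildcard_match(src_ip, base, wild):
            return action, index
    return "deny", None


def check_posted_acls(config_text=POSTED_CONFIG):
    """Evaluate a few constructed source addresses against ACL 1 and ACL 2."""
    acls = parse_standard_acls(config_text)
    samples = {
        "nat_voice_vlan": evaluate(acls["1"], "10.10.11.193"),  # Voice LAN
        "nat_unlisted":   evaluate(acls["1"], "10.10.11.100"),  # not in any /27 listed
        "wan_spoofed":    evaluate(acls["2"], "10.10.11.5"),    # RFC 1918 from WAN
        "wan_public":     evaluate(acls["2"], "203.0.113.10"),  # documentation range
        "wan_172_32":     evaluate(acls["2"], "172.32.0.1"),    # just outside 172.16/12
    }
    return {name: action for name, (action, _) in samples.items()}


if __name__ == "__main__":
    for name, action in check_posted_acls().items():
        print(f"{name:15s} -> {action}")
```

Because a standard ACL only looks at the source address, the trace shows why these two lists cannot be what stranded the Magic Jack calls: a packet from the Data LAN still passes ACL 1 for NAT, and a public peer still passes ACL 2 on the WAN. Whatever the SDM wizard added on top (inspection or extended ACLs) is where the return UDP media would have been dropped.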