Cisco ACL – Understanding Cisco Extended Access Control Lists

Tags: acl, cisco

I am trying to limit access to our SIP servers to only 209.85.2.10; however,
I am getting a little confused by the permit ip any any log entry. Will it not allow everything in? Without it, I lose all the rest of the needed traffic.

Question: how do I limit access to 5060 to only permit ip any any log and retain the rest of the traffic (i.e. http, smtp, ...)?

The permit ip any any log seems to contradict the constraint by allowing other servers to connect.

Internal Network

 interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ! applied outbound toward the LAN, so it filters traffic arriving from the
 ! Internet after NAT has already rewritten the destination to the inside address
 ip access-group 104 out
 exit

 ip access-list extended 104
 ! only the SIP provider may reach the SIP server on UDP/5060
 permit udp host 209.85.2.10 host 192.168.2.5 eq 5060 log
 ! matches everything the line above did not, including other sources sending
 ! to 192.168.2.5 on 5060; the three deny lines below can never be reached
 permit ip any any log
 deny ip any any log
 deny tcp any any log
 deny udp any any log
 exit

Update

So I need to change the above to:

 ip access-list extended 104
 permit udp host 209.85.2.10 host 192.168.2.5 eq 5060 log
 deny ip any host 192.168.2.5 log
 permit ip any any log
 exit

Then will this work as expected?

i) Accept 5060 access to 192.168.2.5 only from 209.85.2.10, and deny the rest of the attempts on port 5060.
ii) Let other traffic in from anywhere to anywhere within the network, except 5060?

Update: Final Product

For those who find this post in the future, here is the config that works for me, thanks to the help of the two gentlemen in this thread.

ip access-list extended 104
! published services: DNS on .5, mail on .10, web on .15
permit tcp any host 192.168.2.5 eq 53
permit udp any host 192.168.2.5 eq 53
permit tcp any host 192.168.2.10 eq 25
permit tcp any host 192.168.2.10 eq 587
permit tcp any host 192.168.2.10 eq 993
permit tcp any host 192.168.2.10 eq 995
permit tcp any host 192.168.2.15 eq 80
permit tcp any host 192.168.2.15 eq 443
! SIP signalling to .5 only from the three provider addresses; UDP/5080 on .20 from anywhere
permit udp host 205.205.22.186 host 192.168.2.5 eq 5060
permit udp host 205.205.74.186 host 192.168.2.5 eq 5060
permit udp host 70.83.45.11 host 192.168.2.5 eq 5060
permit udp any host 192.168.2.20 eq 5080
! RTP media to the SIP server
permit udp any host 192.168.2.5 range 8000 65535
! return traffic for connections the servers open outbound; the TCP entries
! only match segments with ACK/RST set, the UDP entries rely on source port 53 alone
permit tcp any eq 25 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.15 range 1024 65535 established
permit tcp any eq 53 host 192.168.2.20 range 1024 65535 established
permit udp any eq 53 host 192.168.2.5 range 1024 65535
permit udp any eq 53 host 192.168.2.10 range 1024 65535
permit udp any eq 53 host 192.168.2.15 range 1024 65535
permit udp any eq 53 host 192.168.2.20 range 1024 65535
permit tcp any eq 80 host 192.168.2.5 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.10 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.15 range 1024 65535 established
permit tcp any eq 80 host 192.168.2.20 range 1024 65535 established
! anything else aimed at the four servers is dropped and logged
deny ip any host 192.168.2.5 log
deny ip any host 192.168.2.10 log
deny ip any host 192.168.2.15 log
deny ip any host 192.168.2.20 log
! every other host on the LAN remains reachable from anywhere
permit ip any any
exit

ip nat inside source static 192.168.2.5 77.77.77.77 route-map voip-rtp extendable

Thanks in Advance,

Nick.

Best Answer

First of all, there is no host called 209.85.2.0; this is a network, so you must configure it as a network, not as a host:

permit udp 209.85.2.0 0.0.0.255 host 192.168.2.5 eq 5060 log

Second, you don't need

deny ip any any log
deny tcp any any log
deny udp any any log

because the access list has its own explicit deny, so in your case you just need to permit the type of access you want.

Third, you need to know that an access list works on the concept of first match. For example, as you configured your access list, when anyone in 209.85.2.0 needs to access host 192.168.2.5, this access list will allow only UDP access on port 5060, by its first line.

Then you have three other cases that won't match this line and will go on to the next ACL lines:
1. Any network other than 209.85.2.0 needs to access 192.168.2.5
2. Anyone in network 209.85.2.0 needs to access anything other than 192.168.2.5
3. Anyone needs to access any other network

Your ACL's second line means you will permit anyone to access anything, even 192.168.2.5 on port 5060, which is wrong. If you need to prevent any other network from accessing this host, you just need to insert those 3 lines after your first line:

deny ip any host 192.168.2.5 log

and then insert

permit ip any any log

which will allow access to the other servers from anywhere.
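The first-match rule the answer describes, and the reworked list in the question's update that it motivates, can be checked offline with a small evaluator. The Python below is an added example, not code from either post: it parses the extended-ACL lines exactly as they appear in the thread, walks them top to bottom, and reports which entry decided a packet, or that the implicit deny at the end of the list did. Two assumptions are built in: the established keyword is modelled as "TCP segment with ACK or RST set", and the addresses 198.51.100.7 and 203.0.113.9 in the sample traffic are constructed stand-ins for unrelated Internet hosts.

```python
"""First-match evaluator for the Cisco IOS extended-ACL lines used in this thread.

Added example, not code from the question or the answer.  Entries are tested
top to bottom, the first match decides, and a packet that matches nothing hits
the implicit deny.  Subset handled: permit/deny; ip/tcp/udp; any | host A |
network wildcard; eq/range qualifiers on source and destination ports;
`established` (assumed to mean "TCP segment with ACK or RST set"); `log` ignored.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # True for ACK/RST segments, False for a fresh SYN


def _ip(s):
    return int(ipaddress.ip_address(s))


def _parse_addr(tok):
    """Consume any | host A | A W (network + wildcard); return (matcher, rest)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return (lambda ip, w=_ip(tok[1]): _ip(ip) == w), tok[2:]
    net, wild = _ip(tok[0]), _ip(tok[1])
    # a 1 bit in the wildcard mask means "don't care" for that bit
    return (lambda ip, n=net, w=wild: ((_ip(ip) ^ n) & ~w) == 0), tok[2:]


def _parse_ports(tok):
    """Consume an optional eq N | range LO HI; return ((lo, hi) or None, rest)."""
    if tok and tok[0] == "eq":
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok


def parse_ace(line):
    tok = line.split()
    src, rest = _parse_addr(tok[2:])
    sports, rest = _parse_ports(rest)
    dst, rest = _parse_addr(rest)
    dports, rest = _parse_ports(rest)
    return {"action": tok[0], "proto": tok[1], "src": src, "sports": sports,
            "dst": dst, "dports": dports, "established": "established" in rest}


def _in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (ace["src"](pkt.src) and ace["dst"](pkt.dst)):
        return False
    if not (_in(ace["sports"], pkt.sport) and _in(ace["dports"], pkt.dport)):
        return False
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, entry) for the first matching entry, else the implicit deny."""
    for line in acl:
        line = line.strip()
        if line and not line.startswith(("!", "remark")):
            ace = parse_ace(line)
            if ace_matches(ace, pkt):
                return ace["action"], line
    return "deny", "implicit deny"


def unreachable_entries(acl):
    """Entries after a catch-all `permit|deny ip any any`; they can never match."""
    for i, line in enumerate(acl):
        if line.split()[1:4] == ["ip", "any", "any"]:
            return acl[i + 1:]
    return []


# ACL 104 as first posted, and as reworked in the question's update
ORIGINAL_104 = [
    "permit udp host 209.85.2.10 host 192.168.2.5 eq 5060 log",
    "permit ip any any log",
    "deny ip any any log",
    "deny tcp any any log",
    "deny udp any any log",
]
UPDATED_104 = [
    "permit udp host 209.85.2.10 host 192.168.2.5 eq 5060 log",
    "deny ip any host 192.168.2.5 log",
    "permit ip any any log",
]

# Constructed traffic; 198.51.100.7 stands in for an unrelated Internet host
SIP_FROM_PROVIDER = Packet("udp", "209.85.2.10", "192.168.2.5", 5060, 5060)
SIP_FROM_STRANGER = Packet("udp", "198.51.100.7", "192.168.2.5", 40001, 5060)
HTTP_TO_WEB = Packet("tcp", "198.51.100.7", "192.168.2.15", 40002, 80)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_104), ("updated", UPDATED_104)):
        for pkt in (SIP_FROM_PROVIDER, SIP_FROM_STRANGER, HTTP_TO_WEB):
            print(f"{name:8} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}", evaluate(acl, pkt))
    print("never reached in original:", unreachable_entries(ORIGINAL_104))
```

Running it shows the two packets that matter: SIP to 192.168.2.5 from 198.51.100.7 is permitted by "permit ip any any log" in the original list and stopped by "deny ip any host 192.168.2.5 log" in the update, while HTTP to 192.168.2.15 passes in both, which is exactly the behaviour the question's two bullet points ask for. unreachable_entries flags the three deny lines in the original as dead, the point made in the answer's second item. The same evaluator also explains why the TCP return-traffic entries in the final config carry established: a segment from source port 25 to a high port on 192.168.2.10 is accepted only when it has ACK or RST set, while a fresh SYN that merely uses source port 25 falls through to that host's deny line. The UDP return entries keyed on source port 53 have no equivalent flag, so any sender that sets its source port to 53 matches them; that is a property of stateless ACLs, not of this example.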