In a previous tutorial we have configured SIP trunk and route patterns which allow users to make phone calls between Branch office and Headquarters. Connection between these two sites is not filtered and depends only on correct routing configuration on network devices. For instance traffic from data subnet VLAN 11 that is generated by users in Branch office can reach Headquarters CUCM in management VLAN 200. This will be changed in this tutorial as we are going to configure IP access lists in order to restrict access to Headquarters network. These access-lists will be applied inbound and outbound to the interface FastEthernet0/0 of 2621XM router. The router is located in Headquarters network as it is shown network topology diagram.
Cisco 2621XM Configuration
1. Restrict Access to VTY Lines of Headquarters Cisco 2621XM Router
An access-list restric_vty allows only traffic from the hosts 172.18.100.142/16 and 172.18.100.5/16 to reach router vty lines if a destination port in TCP header is 22.
2621XM(config)#ip access-list extended restric_vty
2621XM(config-ext-nacl)#10 permit tcp host 172.18.100.142 any eq 22 log
2621XM(config-ext-nacl)#20 permit tcp host 172.18.100.5 any eq 22 log
2621XM(config-ext-nacl)#30 deny ip any any log
2621XM(config-ext-nacl)#exit
We have added entry 30 to the access-list even each access-list contains implicit deny statement by default. But now we can check the number of denied packets with the command.
2621XM#show ip access-list restric_vty
A sequence number does not have to be specified in a statement. If we omit a sequence number from the beginning of statement, the sequence numbers will be added to the statement by default. The first statement is assigned a sequence number of 10 and successive statements are increased by 10. If we add a statement without a sequence number, the statement is assigned a sequence number that is 10 greater than the last sequence number.
When a keyword log is added to the end of statement, syslog message SEC-6-IPACCESSLOGP is generated once condition in statement is matched.
Jan 27 19:17:29.138: %SEC-6-IPACCESSLOGP: list restric_vty permitted tcp 172.18.100.5(54344) -> 0.0.0.0(22), 1 packet
Access-list restric_vty allowed connection from the host 172.18.100.5 source TCP port 54344 to vty lines with destination TCP port 22 (SSH application layer protocol).
Apply access-list to vty lines:
2621XM(config)#line vty 0 15
2621XM(config-line)#access-class restric_vty in
2621XM(config-line)#exit
2. Filter Traffic Entering interface FastEthernet0/0 of Headquarters Cisco 2621XM Router
Headquarters Cisco Router 2621XM will be configured to filter traffic that enters its interface FastEthernet0/0 in order to block unwanted access to LAN networks connected to interface Fa0/1 of the router.
The following conditions must be accomplished by access-list configured on Headquarters router:
- allow CUCM-II management from hosts 172.18.100.5/16 and 172.18.100.142/16
- allow router 2621XM management from hosts 172.18.100.5/16 and 172.18.100.142/16
- allow access to internal web server running on Cisco IP phones from hosts 172.18.100.5/16 and 172.18.100.142/16
- allow Linux hosts management in data subnet for hosts 172.18.100.5/16 and 172.18.100.142/16
- allow router to synchronize its time with external NTP server 84.245.64.190
- allow router to receive DNS responses from the Belkin router
- allow transfer of SIP signalization messages between Branch CUCM-I and Headquarters CUCM-II
- allow RTP streams from Branch Cisco IP phones subnet to reach Headquarters IP phones subnet
- allow hosts in Branch data subnet to reach hosts in Headquarters data subnet
- allow ICMP echo and echo-reply messages to enter Headquarters subnets
The extended access-list will be applied inbound on router 2621XM interface Fa0/0 but first we need to create it with the command:
2621XM(config)#ip access-list extended 100
a) CUCM-II management
Allow management of Cisco Unified Communications Manager from hosts with IP addresses 172.18.100.5/16 and 172.18.100.142/16. The hosts can reach CUCM-II IP address 192.168.200.252/24 destination port TCP 22, 80, 443, 8443
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 host 192.168.200.252 eq 22 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 host 192.168.200.252 eq 80 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 host 192.168.200.252 eq 443 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 host 192.168.200.252 eq 8443 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 host 192.168.200.252 eq 22 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 host 192.168.200.252 eq 80 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 host 192.168.200.252 eq 443 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 host 192.168.200.252 eq 8443 log
b) Router 2621XM management
Allow hosts 172.18.100.5/16 and 172.18.100.142/16 to manage the router IP address 172.18.100.200/24 destination port TCP 22.
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 host 172.18.100.200 eq 22 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 host 172.18.100.200 eq 22 log
c) Access to Cisco phones internal web server
Allow hosts 172.18.100.5/16 and 172.18.100.142/16 to reach IP phones internal web server - voice subnet 192.168.110.0/24 destination port TCP 80.
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 192.168.110.0 0.0.0.255 eq 80 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 192.168.110.0 0.0.0.255 eq 80 log
d) Linux hosts management
Allow SSH access to Linux hosts on subnet 192.168.111.0/24 for hosts 172.18.100.5/16 and 172.18.100.142/16.
2621XM(config-ext-nacl)#permit tcp host 172.18.100.142 192.168.111.0 0.0.0.255 eq 22 log
2621XM(config-ext-nacl)#permit tcp host 172.18.100.5 192.168.111.0 0.0.0.255 eq 22 log
e) Router 2621XM time synchronization with external NTP server
Allow UDP traffic from external NTP server with source IP address 84.245.64.190 and source UDP port 123 (NTP) to reach router IP address 172.18.100.200 destination UDP port 123.
2621XM(config-ext-nacl)#permit udp host 84.245.64.190 eq ntp host 172.18.100.200 eq ntp log
f) Receiving DNS responses from the Belkin router
Allow DNS responses from Belkin router IP address 172.18.100.1 with source UDP port 53 to reach any network behind the router.
2621XM(config-ext-nacl)#permit udp host 172.18.100.1 eq 53 any log
g) Allow transfer of SIP signalization messages between Branch CUCM-I and Headquarters CUCM-II
Allow SIP signalization messages sent from Branch CUCM-I IP address 192.168.100.252 with any source TCP port to reach CUCM-II IP address 192.168.200.252 destination TCP port 5060.
2621XM(config-ext-nacl)#permit tcp host 192.168.100.252 host 192.168.200.252 eq 5060 log
Allow SIP signalization messages coming from Branch CUCM-I IP address 192.168.100.252 with source TCP port 5060 to reach CUCM-II IP address 192.168.200.252 with any destination port.
2621XM(config-ext-nacl)#permit tcp host 192.168.100.252 eq 5060 host 192.168.200.252 log
h) Allow RTP streams from Branch Cisco IP phones to reach Headquarters IP phones
Allow UDP traffic from Branch voice subnet 192.168.10.0/24 with source UDP ports in range 16384 - 32767 to reach IP phones in Headquarters voice subnet 192.168.110.0/24 destination UDP ports in range 16384 - 32767.
2621XM(config-ext-nacl)#permit udp 192.168.110.0 0.0.0.255 range 16384 32767 192.168.10.0 0.0.0.255 range 16384 32767 log
i) Allow hosts in Branch data subnet to reach hosts in Headquarters data subnet
2621XM(config-ext-nacl)#permit ip 192.168.11.0 0.0.0.255 192.168.111.0 0.0.0.255 log
j) Allow ICMP echo and echo-reply messages to reach Headquarters subnets
2621XM(config-ext-nacl)#permit icmp any any echo log
2621XM(config-ext-nacl)#permit icmp any any echo-reply log
k) Configure implicit deny statement
2621XM(config-ext-nacl)#deny ip any any log
l) Apply extended access-list 100 inbound to the interface FastEthernet0/0
2621XM(config)#interface fastEthernet 0/0
2621XM(config-if)#ip access-group 100 in
3. Filter Traffic Leaving Headquarters Cisco Router 2621XM interface FastEthernet0/0
Headquarters Cisco Router 2621XM will be configured to filter traffic that is leaving its interface FastEthernet0/0.
The following conditions must be accomplished by access-list configured on Headquarters router:
- allow CUCM-II to reach hosts 172.18.100.5/16 and 172.18.100.142/16
- allow router 2621XM to reach hosts 172.18.100.5/16 and 172.18.100.142/16
- allow Cisco IP phones source port 80 to reach hosts 172.18.100.5/16 and 172.18.100.142/16
- allow Linux hosts management for hosts 172.18.100.5/16 and 172.18.100.142/16
- allow router to synchronize its clock with external NTP server 84.245.64.190
- allow router to send DNS requests to Belkin router
- allow transfer of SIP signalization messages between Headquarters CUCM-II and Branch CUCM-I
- allow RTP streams from Headquarters Cisco IP phones subnet to reach Branch IP phones subnet
- allow hosts in Headquarters data subnet to reach hosts in Branch data subnet
- allow ICMP echo and echo-reply messages to reach hosts in Branch subnets
We are going to create named extended access-list out_fa0/0 and apply it outbound to the interface Fa0/0 of Cisco 2621XM router.
2621XM(config)#ip access-list extended out_fa0/0
a) Allow CUCM-II to reach hosts 172.18.100.5/16 and 172.18.100.142/16
Allow traffic from CUCM-II IP address 192.168.200.252/24 with source ports TCP 22, 80, 443, 8443 to reach hosts 172.18.100.5/16 and 172.18.100.142/16 and any destination TCP port.
2621XM(config-ext-nacl)#permit tcp host 192.168.200.252 eq 22 www 443 8443 host 172.18.100.5 log
2621XM(config-ext-nacl)#permit tcp host 192.168.200.252 eq 22 www 443 8443 host 172.18.100.142 log
b) Router 2621XM management
Allow router 2621XM IP address 172.18.100.200/24 source port TCP 22 to reach hosts 172.18.100.5/16 and 172.18.100.142/16.
No action is needed as the router does not filter traffic that it generates itself.
c) Access from Headquarters voice subnet source port 80 to hosts 172.18.100.5/16 and 172.18.100.142/16
Allow Cisco phones on voice subnet 192.168.110.0/24 source TCP port 80 to reach hosts 172.18.100.5/16 and 172.18.100.142/16.
2621XM(config-ext-nacl)#permit tcp 192.168.110.0 0.0.0.255 eq 80 host 172.18.100.5 log
2621XM(config-ext-nacl)#permit tcp 192.168.110.0 0.0.0.255 eq 80 host 172.18.100.142 log
d) Access from Linux hosts to hosts 172.18.100.5/16 and 172.18.100.142/16
Allow Linux hosts on subnet 192.168.111.0/24 source port 22 to reach hosts 172.18.100.5/16 and 172.18.100.142/16.
2621XM(config-ext-nacl)#permit tcp 192.168.111.0 0.0.0.255 eq 22 host 172.18.100.5 log
2621XM(config-ext-nacl)#permit tcp 192.168.111.0 0.0.0.255 eq 22 host 172.18.100.142 log
e) Allow router 2621XM to synchronize its clock with external NTP server
No action is needed as the router does not filter traffic that it generates itself.
f) Allow sending DNS request to the Belkin router
Allow DNS request to reach Belkin router IP address 172.18.100.1 from the networks behind the router.
2621XM(config-ext-nacl)#permit udp any host 172.18.100.1 eq 53 log
g) Allow transfer of SIP signalization messages between Headquarters CUCM-II and Branch CUCM-I
Allow SIP signalization messages from Headquarters CUCM-II IP address 192.168.200.252 to reach CUCM-II IP address 192.168.100.252 destination TCP port 5060.
2621XM(config-ext-nacl)#permit tcp host 192.168.200.252 host 192.168.100.252 eq 5060 log
Allow SIP signalization messages from Headquarters CUCM-II IP address 192.168.200.252 with source TCP port 5060 to reach CUCM-I IP address 192.168.100.252.
2621XM(config-ext-nacl)#permit tcp host 192.168.200.252 eq 5060 host 192.168.100.252 log
h) Allow RTP streams from Headquarters Cisco IP phones to reach Branch IP phones
Allow UDP traffic from Headquarters voice subnet 192.168.110.0/24 with source UDP ports in range 16384 - 32767 to reach IP phones in Branch voice subnet 192.168.10.0/24 destination UDP ports in range 16384 - 32767.
2621XM(config-ext-nacl)#permit udp 192.168.110.0 0.0.0.255 range 16384 32767 192.168.10.0 0.0.0.255 range 16384 32767 log
i) Allow hosts in Headquarters data subnet to reach host in Branch data subnet
2621XM(config-ext-nacl)#permit ip 192.168.111.0 0.0.0.255 192.168.11.0 0.0.0.255 log
j) Allow ICMP echo and echo-reply messages to reach Branch subnets
2621XM(config-ext-nacl)#permit icmp any any echo log
2621XM(config-ext-nacl)#permit icmp any any echo-reply log
k) Configure implicit deny statement
2621XM(config-ext-nacl)#deny ip any any log
l) Apply named extended access-list out_fa0/0 outbound to the interface FastEthernet0/0
2621XM(config)#interface fastEthernet 0/0
2621XM(config-if)#ip access-group out_fa0/0 out