[cisco-voip] Locking down External interface with ACL
Corbett Enders
cenders at homesbyavi.com
Fri Jan 9 16:27:36 EST 2009
Hi Listers,
Further to my VoIP SIP hack that I experienced, I'm going to use the following ACL to lock down our external interface. However, my remote sites are on a DHCP internet service. Rather than code in the dynamic external IP address, can I instead reference the f0/0 specifically in the ACL? The stuff in ( ) below is what will be replaced with real info. Will using f0/0 work?
---------------------------
ip access-list extended OUTSIDE_IN
 permit tcp host (head office external IP) host (outside IP address) eq 22 log
 permit tcp host (head office external IP) host (outside IP address) eq 23 log
 permit ahp host (head office external IP) host (outside IP address)
 permit esp host (head office external IP) host (outside IP address)
 permit udp host (head office external IP) host (outside IP address) eq isakmp
 permit icmp host (head office external IP) any echo-reply
 permit icmp host (isp) host (outside IP address)
 permit ip host (cm01) (local voice subnet)
 permit ip host (cm02) (local voice subnet)
 deny ip any any
!
int f0/0
 ip access-group OUTSIDE_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 no mop enabled
---------------------------
Corbett Enders
Network Manager
Homes by Avi - 2007 Canadian Builder of the Year.
Tel: (403) 536-7170
Fax: (403) 536-7171
www.homesbyavi.com