I am learning to program Netvanta 3120 and 3130 devices on the fly, and am trying to figure out how to put a filter in place. I have port forwarding (firewall?) rules in place to forward UDP port 5060 to a LAN IP address in our PBX for SIP trunking, and everything seems to be working; calls work inbound and outbound. The trouble I'm having is we get unauthorized SIP traffic on UDP port 5060 from other than the SIP provider. How do I set the port forwarding / firewall rules to allow traffic from a specific public IP address, yet block other WAN traffic on 5060 from being forwarded? Any help will be greatly appreciated.
- Thanks for posting your question on the forum!
When you set up a security zone/policy-class and assign it to an interface, then ONLY the traffic specified by that access-policy/security zone will be allowed to come in on that interface. I think in your situation, you will want to specify a source address that your SIP traffic will be coming from. In the CLI, the ACL would have to be modified in the following format:
permit udp <source IP> <destination IP> eq 5060
In the web interface, you will need to click on your port forward rule, and scroll to the bottom where the traffic selectors are listed. You may notice that your source network is currently set to any. If you click on "permit", this will take you to a new configuration page where you will be allowed to input a source IP that your SIP traffic will be coming from.
You may find the following documents helpful as well:
Understanding the Firewall Menu in the AOS Web Interface
[video] Configuring a Port Forward in AOS (NetVanta)
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
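To make the effect of narrowing the traffic selector concrete, here is an added example that is not ADTRAN's code and not part of the answer above. It models in Python the two access-list states the answer contrasts (source "any" versus the provider's address) with the implicit deny a policy-class applies to unmatched traffic, then runs that check over a few constructed PBX-style log lines to list which sources would still reach the PBX. The provider, PBX and attacker addresses and the log format are constructed placeholders, not values from the thread.

```python
"""Model of narrowing a UDP/5060 port-forward selector from 'any' to the
SIP provider's address (added example; addresses and log lines are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SIP_PROVIDER = ipaddress.ip_network("203.0.113.10/32")  # constructed: provider's signalling IP
PBX_LAN_IP = ipaddress.ip_address("192.168.10.5")        # constructed: LAN address of the PBX
ANY = ipaddress.ip_network("0.0.0.0/0")                   # models the "any" traffic selector


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip"
    src: ipaddress.IPv4Network   # source selector
    dst_port: Optional[int]      # None models the absence of an "eq <port>" clause


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst_port: int


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched is dropped (implicit deny)."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if pkt.src not in e.src:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"


def decision(acl: List[AclEntry], src: str, dst_port: int, proto: str = "udp") -> str:
    """Convenience wrapper taking plain strings, e.g. decision(LOCKED_ACL, "198.51.100.77", 5060)."""
    return evaluate(acl, Packet(proto, ipaddress.ip_address(src), dst_port))


# Original selector: source "any", so every Internet host reaches the PBX on 5060
OPEN_ACL = [AclEntry("permit", "udp", ANY, 5060)]
# Narrowed selector, the equivalent of:  permit udp <provider IP> <WAN IP> eq 5060
LOCKED_ACL = [AclEntry("permit", "udp", SIP_PROVIDER, 5060)]

# Constructed sample of inbound SIP entries as a PBX might log them
SAMPLE_LOG = """\
2024-05-01T10:00:01 udp 203.0.113.10:5060 -> 192.168.10.5:5060 INVITE
2024-05-01T10:00:07 udp 198.51.100.77:51234 -> 192.168.10.5:5060 REGISTER
2024-05-01T10:00:09 udp 203.0.113.10:5060 -> 192.168.10.5:5060 OPTIONS
2024-05-01T10:01:13 udp 198.51.100.200:5060 -> 192.168.10.5:5060 INVITE
"""


def parse_line(line: str) -> Packet:
    """Parse one constructed log line into a Packet (timestamp and method are ignored)."""
    _ts, proto, src, _arrow, dst, _method = line.split()
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_port = int(dst.rsplit(":", 1)[1])
    return Packet(proto, src_ip, dst_port)


def unauthorized_sources(log: str, acl: List[AclEntry]) -> List[str]:
    """Source addresses in the log that the given ACL would not permit, in first-seen order."""
    seen: List[str] = []
    for line in log.splitlines():
        pkt = parse_line(line)
        if evaluate(acl, pkt) == "deny" and str(pkt.src) not in seen:
            seen.append(str(pkt.src))
    return seen


if __name__ == "__main__":
    print("sources the open ACL would drop:  ", unauthorized_sources(SAMPLE_LOG, OPEN_ACL))
    print("sources the locked ACL would drop:", unauthorized_sources(SAMPLE_LOG, LOCKED_ACL))
```

With the open selector nothing is dropped, which is the situation in the question; with the narrowed selector only the provider's address is permitted and every other source on 5060 falls through to the implicit deny, which is what the customer can look for in the PBX logs after the rule change.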
Thank you for your help Noor! I edited the forwarding rule as you explained, and have asked my customer to monitor for any further errant SIP traffic coming into the PBX.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor