Firewall on the NetVanta 644

I want to put the NV644 directly on the public internet and restrict traffic to specific IP addresses. (SIP server and management)

Here is my config:

ip access-list extended AllowAll
  permit ip host <ip address of SIP Server> any
  permit ip host <management IP> any
ip policy-class Public
  allow list AllowAll self
interface gigabit-eth 0/1
  ip address <ip address of NV> 255.255.255.0
  ip access-policy Public
  media-gateway ip primary

When I activate the firewall I get the following error:

644(config)#ip firewall

The firewall is only supported for VQM.  Any other configuration is not supported.

Does this mean the NV644 does not support the configuration above?

Re: Firewall on the NetVanta 644

Hello and thank you for posting to our forum!

While many AOS commands are there, the NV644 is designed to sit behind a firewall. It may very well do what you have listed but I cannot guarantee the performance. The NV6240 is another option. Keep in mind that you can have 60 active calls in the Dual DSP version and 30 in the Single DSP version of the NV6240.

Let us know if you have any questions.

Regards,

Geoff


Re: Firewall on the NetVanta 644

I think the best thing to do is use a sip, http, https, telnet, and/or ssh access-class to restrict traffic/users. This allows you to accomplish the same thing WITHOUT using the firewall. Your application will then be well within the scope of how this unit was tested.

You need to make standard or extended access-lists, but we will not be applying them on a policy-class.  For sip you can use something like your access-list and apply it to a sip access class:

ip access-list extended SIP
  permit ip host <ip address of SIP Server> any

To apply, use the global command:

ip sip access-class SIP in

For HTTP(S), Telnet, and/or SSH make your access list:

ip access-list extended Access_In
  permit ip host <management IP> any

To apply, go into Line Telnet and/or SSH:

ip access-class Access_In

To apply for HTTP/HTTPS use these global commands:

http ip access-class Access_In

http ip secure-access-class Access_In

These commands can be used for the TA 900(e)s, NV 644s, and NV 6000 series.

Regards,

Geoff


Re: Firewall on the NetVanta 644

There are a few problems with the suggested config:

1) You can't apply an extended access list to the sip access-class (a standard access list works so this is not a big deal)

2) I'm getting an error adding the ACL to http

644(config)#ip access-list standard Access_In

Configuring Existing Standard ACL "Access_In"

644(config-std-nacl)#permit 192.168.1.199

644(config-std-nacl)#exit

644(config)#http ip access-class  Access_In in

%---------------------------------^

Access control list 'Access_In' does not exist.

3) ip doesn't have "access-class"

644(config)#ip

access-list            - Named access-list

classless              - Adhere to classless forwarding rules


Re: Firewall on the NetVanta 644

My mistake.  All the access-lists must be standard for this.  Also, the word "in" must be used referencing the access-class.  I also changed the ACL name for access to the unit:

ip access-list standard SIP
  permit host <ip address of SIP Server>
ip sip access-class SIP in

For HTTP(S), Telnet, and/or SSH make your access list:

ip access-list standard Access
  permit host <management IP>

To apply, go into Line Telnet and/or SSH:

ip access-class Access in

To apply for HTTP/HTTPS use these global commands:

http ip access-class Access in

http ip secure-access-class Access in

Regards,

Geoff


Re: Firewall on the NetVanta 644

It still doesn't work.

644(config)#ip access-list standard Access

Configuring New Standard ACL "Access"

644(config-std-nacl)#permit host 192.168.1.199

644(config-std-nacl)#exit

644(config)#ip access-class Access in

% Unrecognized command


Re: Firewall on the NetVanta 644

Are you in line telnet or line ssh when you are issuing the command:

ip access-class Access in


Regards,

Geoff


Re: Firewall on the NetVanta 644

I am connected through the serial port.


Re: Firewall on the NetVanta 644

Sorry, I am not referring to how you are accessing the unit, but the configuration area for Telnet and SSH from the command line.  Let me be more specific.  You will need to be in global config mode.  Then go to the config for Telnet:

line telnet 0 4

Then enter the command:

ip access-class Access in

Then exit out back to global config mode and enter the config for SSH:

line ssh 0 4

Then enter the command:

ip access-class Access in

Regards,

Geoff
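The access-class approach worked out over the course of this thread, assembled into one AOS configuration fragment. This is an added example, not a configuration posted by anyone in the thread. The addresses in angle brackets are placeholders; the second management host and the exit lines are illustrative additions, and the implicit deny at the end of each standard ACL is an assumption (AOS is taken to behave like IOS here; the thread does not state it).

```text
! Added example: the accepted solution from this thread in one fragment.
! <ip address of SIP Server>, <management IP>, <second management IP> and
! <ip address of NV> are placeholders. The second management host and the
! "exit" lines are illustrative additions not taken from the thread.
!
! Standard ACLs only: the sip, http and line access-classes do not accept
! an extended ACL (see the replies above).
ip access-list standard SIP
  permit host <ip address of SIP Server>
ip access-list standard Access
  permit host <management IP>
  permit host <second management IP>
! Assumption (not stated in the thread): each ACL ends in an implicit deny,
! so any source not listed above is rejected for that service.
!
! SIP signaling: a global command, and the trailing "in" is required.
ip sip access-class SIP in
!
! Telnet and SSH: applied under the line configuration, not at global
! config (this is where "% Unrecognized command" came from above).
line telnet 0 4
  ip access-class Access in
exit
line ssh 0 4
  ip access-class Access in
exit
!
! HTTP and HTTPS: global commands.
http ip access-class Access in
http ip secure-access-class Access in
!
! Public-facing interface as in the original post, without the
! "ip access-policy" line and without "ip firewall", neither of which is
! supported on this unit.
interface gigabit-eth 0/1
  ip address <ip address of NV> 255.255.255.0
  media-gateway ip primary
exit
```

Only SIP, Telnet, SSH and HTTP(S) are restricted by these access-classes; the unit is still directly on the public internet with no firewall in front of it, which is the trade-off described in the first reply.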