mtr
New Contributor

firewall filter source ip address


Hi

I have a 908e sitting on the public WAN with no firewall.

Can I set it up to only accept traffic from one IP address (my DID provider) and drop all other connections, and if yes, where do I do that?

Will that affect outgoing calls, since we have more providers?

The outgoing calls are coming from the T1 port and going out on the WAN. Typically, on the firewalls I have used before, inbound rules do not affect traffic originated from inside, but I have never worked with the Adtran firewall before.


Accepted Solutions
markfreeman
Valued Contributor II

Re: firewall filter source ip address


Moshe,

I assume this is the same TA 900 that you just added the public IP to.

I would not leave it sitting on public internet without Firewall on.

What you want to do is turn on the firewall and only allow the public IP of your softswitch. For outbound it doesn't matter, since we are initiating the call and we will open the return ports. For incoming, though, we only want to allow IPs from your known softswitch and no one else.

You might want to apply this locally when on site, in case you get locked out of the unit.

Here is a configuration that you can modify and paste into global config mode (config)#:

- you can change admin access to telnet or leave ssh

- if your softswitch has multiple IPs then just add additional lines in the SIP access-list

ip firewall
ip firewall stealth
!
ip access-list extended Admin
  remark Admin Access
  permit tcp any any eq ssh log
!
ip access-list extended SIP
  remark SIP Service Provider
  permit udp host X.X.X.X any eq 5060
!
ip policy-class Public
  allow list Admin self
  allow list SIP self
!
interface eth 0/1
  ip access-policy Public

Let me know if you have any questions.

-Mark

mtr
New Contributor

Re: firewall filter source ip address


Thank you so much.

You are a real help. I have been doing networking for 18 years, but this SIP stuff is very new to me and confusing, though I am really getting there.

I was not sure how the firewall works, and thanks for your answer that I do not need to worry about internally originated traffic (like on the other firewalls).

I will report back about the firewall.

Re: the outbound NAT, I did need to script my soft-switch in order to get it to work. Another strange behavior I had with outbound was that my switch got ":5060:5060" in the server address; I wrote a script to remove that duplicated port.

mtr
New Contributor

Re: firewall filter source ip address


Works great.

The only mistake I had was that I was thinking "permit tcp any any eq ssh" would know on which port my SSH service runs, but it didn't: it only opened 22, while I had a random port. Adtran translates ssh into 22.

But I fixed it.
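The behaviour Mark describes in the accepted solution (outbound calls are not filtered and their return traffic is let back in, while unsolicited inbound is only accepted from the softswitch) and the port gotcha mtr hit above ("eq ssh" means 22, so a non-default SSH port must be written as a number) can both be seen in a small stateful model. This is an added example, not Adtran code and not from the original posts: it does not parse real AOS syntax, it mirrors the intent of the posted `policy-class Public`, and it renders that config for several softswitch addresses and a custom SSH port. All IP addresses, the port 2222 and the "stealth means silent drop" reading are assumptions made for the demo.

```python
"""Stateful model of the inbound-only TA 900 policy from this thread (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SIP_PORT = 5060
DEFAULT_SSH_PORT = 2222  # assumption: a non-default SSH port; "eq ssh" in AOS would mean 22


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arriving on eth 0/1 from the WAN, "out" = leaving via eth 0/1


@dataclass
class PublicPolicy:
    """Models 'ip policy-class Public' applied with 'ip access-policy Public' on eth 0/1."""
    softswitch_ips: Tuple[str, ...]
    ssh_port: int = DEFAULT_SSH_PORT
    sessions: Set[tuple] = field(default_factory=set)   # flows the firewall has seen
    admin_log: List[str] = field(default_factory=list)  # the 'log' keyword on the Admin ACL

    def render_aos_config(self) -> str:
        """Emit the thread's config with one SIP permit line per softswitch address."""
        lines = ["ip firewall", "ip firewall stealth", "!",
                 "ip access-list extended Admin", "  remark Admin Access",
                 # numeric port on purpose: 'eq ssh' is translated to 22 by the unit
                 f"  permit tcp any any eq {self.ssh_port} log", "!",
                 "ip access-list extended SIP", "  remark SIP Service Provider"]
        lines += [f"  permit udp host {ip} any eq {SIP_PORT}" for ip in self.softswitch_ips]
        lines += ["!", "ip policy-class Public", "  allow list Admin self",
                  "  allow list SIP self", "!", "interface eth 0/1",
                  "  ip access-policy Public"]
        return "\n".join(lines)

    def _match(self, p: Packet) -> Optional[str]:
        """Which access-list in the Public policy-class an unsolicited inbound packet hits."""
        if p.proto == "tcp" and p.dport == self.ssh_port:
            return "Admin"
        if p.proto == "udp" and p.dport == SIP_PORT and p.src in self.softswitch_ips:
            return "SIP"
        return None

    def handle(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "out":
            # No policy is applied outbound; the firewall records the flow so replies get back in.
            self.sessions.add(flow)
            return "allow"
        if reverse in self.sessions or flow in self.sessions:
            return "allow"  # reply to a flow we initiated, or continuation of an allowed flow
        rule = self._match(p)
        if rule is None:
            return "drop"  # stealth mode (assumed): discarded silently, no RST or unreachable
        if rule == "Admin":
            self.admin_log.append(f"Admin permit tcp {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        self.sessions.add(flow)
        return "allow"


def demo() -> dict:
    """Walk the cases discussed in the thread and return the verdict for each."""
    fw = PublicPolicy(softswitch_ips=("203.0.113.10", "203.0.113.11"))  # constructed addresses
    unit = "192.0.2.5"            # constructed public IP of the TA 900
    other_provider = "198.51.100.7"  # constructed: a provider we only call outbound
    return {
        "invite_from_softswitch": fw.handle(Packet("udp", "203.0.113.10", 5060, unit, 5060, "in")),
        "invite_from_stranger": fw.handle(Packet("udp", other_provider, 5060, unit, 5060, "in")),
        "outbound_to_other_provider": fw.handle(Packet("udp", unit, 5060, other_provider, 5060, "out")),
        "reply_from_other_provider": fw.handle(Packet("udp", other_provider, 5060, unit, 5060, "in")),
        "ssh_on_22": fw.handle(Packet("tcp", "198.51.100.9", 40001, unit, 22, "in")),
        "ssh_on_custom_port": fw.handle(Packet("tcp", "198.51.100.9", 40002, unit, DEFAULT_SSH_PORT, "in")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
    print(PublicPolicy(("203.0.113.10", "203.0.113.11")).render_aos_config())
```

The "reply_from_other_provider" case is the point of Mark's outbound remark: the same source that is dropped when it calls in uninvited is allowed once the unit has opened the flow itself. One caveat on the posted Admin list: it permits SSH from any source, only logging the hits; narrowing it to a known management address is the obvious tightening if the unit has to stay on a public WAN.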

markfreeman
Valued Contributor II

Re: firewall filter source ip address


Good deal! Glad all is working.

Let us know if we can help out with anything else!

-Mark

mtr
New Contributor

Re: firewall filter source ip address


Mark

You were pretty good at helping me in the past.

Can you take a look at this one:

Bad From header when sending to freeswitch

markfreeman
Valued Contributor II

Re: firewall filter source ip address


Sure thing Moshe!

I replied. I was letting Jay take a stab at it first.

-Mark