I want to put the NV644 directly on the public internet and restrict traffic to specific IP addresses. (SIP server and management)
Here is my config:
ip access-list extended AllowAll
permit ip host <ip address of SIP Server> any
permit ip host <management IP> any
ip policy-class Public
allow list AllowAll self
interface gigabit-eth 0/1
ip address <ip address of NV> 255.255.255.0
ip access-policy Public
media-gateway ip primary
When I activate the firewall I get the following error:
644(config)#ip firewall
The firewall is only supported for VQM. Any other configuration is not supported.
Does this mean the NV644 does not support the configuration above?
Hello and thank you for posting to our forum!
While many AOS commands are there, the NV644 is designed to sit behind a firewall. It may very well do what you have listed but I cannot guarantee the performance. The NV6240 is another option. Keep in mind that you can have 60 active calls in the Dual DSP version and 30 in the Single DSP version of the NV6240.
Let us know if you have any questions.
Regards,
Geoff
I think the best thing to do is use a SIP, HTTP, HTTPS, Telnet, and/or SSH access-class to restrict traffic/users. This allows you to accomplish the same thing WITHOUT using the firewall. Your application will then be well within the scope of how this unit was tested.
You need to make standard or extended access-lists, but we will not be applying them on a policy-class. For SIP you can use something like your access-list and apply it to a SIP access-class:
ip access-list extended SIP
permit ip host <ip address of SIP Server> any
To apply, use the global command:
ip sip access-class SIP in
For HTTP(S), Telnet, and/or SSH make your access list:
ip access-list extended Access_In
permit ip host <management IP> any
To apply, go into Line Telnet and/or SSH:
ip access-class Access_In
To apply for HTTP/HTTPS use these global commands:
http ip access-class Access_In
http ip secure-access-class Access_In
These commands can be used for the TA 900(e)s, NV 644s, and NV 6000 series.
Regards,
Geoff
There are a few problems with the suggested config:
1) You can't apply an extended access list to the SIP access-class (a standard access list works, so this is not a big deal)
2) I'm getting an error adding the ACL to HTTP
644(config)#ip access-list standard Access_In
Configuring Existing Standard ACL "Access_In"
644(config-std-nacl)#permit 192.168.1.199
644(config-std-nacl)#exit
644(config)#http ip access-class Access_In in
%---------------------------------^
Access control list 'Access_In' does not exist.
3) ip doesn't have "access-class"
644(config)#ip
access-list - Named access-list
classless - Adhere to classless forwarding rules
My mistake. All the access-lists must be standard for this. Also, the word "in" must be used referencing the access-class. I also changed the ACL name for access to the unit:
ip access-list standard SIP
permit host <ip address of SIP Server>
ip sip access-class SIP in
For HTTP(S), Telnet, and/or SSH make your access list:
ip access-list standard Access
permit host <management IP>
To apply, go into Line Telnet and/or SSH:
ip access-class Access in
To apply for HTTP/HTTPS use these global commands:
http ip access-class Access in
http ip secure-access-class Access in
Regards,
Geoff
It still doesn't work.
644(config)#ip access-list standard Access
Configuring New Standard ACL "Access"
644(config-std-nacl)#permit host 192.168.1.199
644(config-std-nacl)#exit
644(config)#ip access-class Access in
% Unrecognized command
Are you in line telnet or line ssh when you are issuing the command:
ip access-class Access in
Regards,
Geoff
I am connected through the serial port.
Sorry, I am not referring to how you are accessing the unit, but the configuration area for Telnet and SSH from the command line. Let me be more specific. You will need to be in global config mode. Then go to the config for Telnet:
line telnet 0 4
Then enter the command:
ip access-class Access in
Then exit out back to global config mode and enter the config for SSH:
line ssh 0 4
Then enter the command:
ip access-class Access in
Regards,
Geoff
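The thread above settles the working approach in pieces (standard ACLs only, the "in" keyword, the HTTP/HTTPS global commands, and the line telnet / line ssh sub-modes). The following is an added example, not a configuration posted by anyone in the thread, that assembles those pieces into one complete AOS configuration in the order the corrections describe. The IP addresses in angle brackets are placeholders to be replaced with your own SIP server and management host; the ACL names SIP and Access are the ones Geoff used. It contains only commands that appear in the thread.

```text
! Standard ACLs only: the SIP access-class rejects extended lists.
ip access-list standard SIP
 permit host <ip address of SIP Server>
ip access-list standard Access
 permit host <management IP>

! Global commands: restrict SIP signalling and the HTTP/HTTPS management interface.
! Note the trailing "in" on each access-class reference.
ip sip access-class SIP in
http ip access-class Access in
http ip secure-access-class Access in

! "ip access-class" is not a global command; it only exists under the
! Telnet and SSH line sub-modes, so enter each one before applying it.
line telnet 0 4
 ip access-class Access in
line ssh 0 4
 ip access-class Access in

! The "ip firewall" command is not used at all, which keeps the unit within
! the configuration that Geoff describes as supported and tested.
```

Because the management ACL is reused for HTTP, HTTPS, Telnet and SSH, adding a second management host means adding one more "permit host" line to the Access list rather than touching each service. Leaving "ip firewall" out is deliberate: the thread shows that enabling it on the NV644 returns the "only supported for VQM" error, and the access-classes give the same source-address restriction without it.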