Hi,
I have a 908e sitting on the public WAN with no firewall.
Can I set it up to only accept traffic from one IP address (my DID provider) and drop all other connections, and if yes, where do I do that?
Will that affect outgoing calls, since we have more providers?
The outgoing calls are coming from the T1 port and going out on the WAN. Typically, on firewalls I have used before, inbound rules do not affect traffic originated from inside, but I have never worked with the Adtran firewall before.
Moshe,
I assume this is the same TA 900 that you just added the public IP to.
I would not leave it sitting on the public internet without the firewall on.
What you want to do is turn on the firewall and only allow the public IP of your softswitch. For outbound it doesn't matter, since we are initiating the call and we will open the return ports. For incoming, though, we only want to allow IPs from your known softswitch and no one else.
You might want to apply this locally when on site in case you get locked out of the unit.
Here is a configuration that you can modify and paste into global config mode (config)#:
- You can change admin access to telnet or leave ssh.
- If your softswitch has multiple IPs, then just add additional lines in the SIP access-list.
ip firewall
ip firewall stealth
!
ip access-list extended Admin
remark Admin Access
permit tcp any any eq ssh log
!
ip access-list extended SIP
remark SIP Service Provider
permit udp host X.X.X.X any eq 5060
!
ip policy-class Public
allow list Admin self
allow list SIP self
!
interface eth 0/1
ip access-policy Public
Let me know if you have any questions.
-Mark
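As an added example (this is not code from the thread, and not an ADTRAN tool), here is a small Python model of how the policy-class above is evaluated for inbound packets, useful for sanity-checking an edited snippet before pasting it into the unit. It assumes a constructed softswitch address 203.0.113.10 in place of X.X.X.X, a hypothetical service-name table so that "eq ssh" resolves to 22 (the behaviour Moshe ran into later in the thread), that ACL entries in a policy-class are tried in order with an unmatched packet falling through to an implicit discard, and it models inbound evaluation only: the stateful return-port handling Mark mentions for outbound calls is not modelled.

```python
import ipaddress

# Constructed sample: Mark's snippet with 203.0.113.10 standing in for X.X.X.X
SAMPLE_CONFIG = """\
ip firewall
ip firewall stealth
!
ip access-list extended Admin
remark Admin Access
permit tcp any any eq ssh log
!
ip access-list extended SIP
remark SIP Service Provider
permit udp host 203.0.113.10 any eq 5060
!
ip policy-class Public
allow list Admin self
allow list SIP self
!
interface eth 0/1
ip access-policy Public
"""

# Hypothetical service-name table: "eq ssh" becomes port 22, regardless of
# which port the SSH daemon on the unit is actually configured to listen on.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "sip": 5060, "http": 80, "https": 443}


def _port(token):
    return SERVICE_PORTS.get(token, int(token) if token.isdigit() else None)


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A wildcard mask is the bitwise inverse of a netmask
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _parse_rule(tokens):
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = _port(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    """Return (acls, policies): acl name -> rules, policy name -> [(action, acl)]."""
    acls, policies = {}, {}
    current_acl = current_policy = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current_acl, current_policy = tokens[3], None
            acls[current_acl] = []
        elif tokens[:2] == ["ip", "policy-class"]:
            current_policy, current_acl = tokens[2], None
            policies[current_policy] = []
        elif current_acl and tokens[0] in ("permit", "deny"):
            acls[current_acl].append(_parse_rule(tokens))
        elif current_policy and tokens[0] in ("allow", "discard") and tokens[1] == "list":
            policies[current_policy].append((tokens[0], tokens[2]))
        # remark, interface and "ip firewall" lines play no part in evaluation
    return acls, policies


def evaluate(acls, policies, policy_name, proto, src_ip, dst_ip, dport):
    """Decide allow/discard for one inbound packet against a policy-class.
    Assumption: entries are tried in order, a permit in the referenced ACL
    fires the entry's action, a deny ends that ACL and falls through, and no
    match at all means the implicit discard."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, acl_name in policies[policy_name]:
        for rule in acls.get(acl_name, []):
            if rule["proto"] not in (proto, "ip"):
                continue
            if src not in rule["src"] or dst not in rule["dst"]:
                continue
            if rule["dport"] is not None and rule["dport"] != dport:
                continue
            if rule["action"] == "permit":
                return action
            break
    return "discard"


def management_open_to_any(acls, acl_name="Admin"):
    """True if the admin ACL lets the whole internet reach the SSH port;
    restricting the source to a known management IP is the tighter choice."""
    return any(r["dport"] == 22 and r["src"].prefixlen == 0 for r in acls.get(acl_name, []))


if __name__ == "__main__":
    acls, policies = parse_config(SAMPLE_CONFIG)
    unit = "198.51.100.5"  # constructed public IP of the TA 900
    for pkt in [("udp", "203.0.113.10", 5060), ("udp", "198.51.100.77", 5060),
                ("tcp", "198.51.100.77", 22), ("tcp", "198.51.100.77", 2222)]:
        print(pkt, "->", evaluate(acls, policies, "Public", pkt[0], pkt[1], unit, pkt[2]))
    print("admin ACL open to any source:", management_open_to_any(acls))
```

The last packet in the demo (TCP to port 2222) shows the gotcha from later in the thread: because "eq ssh" is stored as 22, SSH running on a non-default port is not admitted, and the fix is to write the actual port number in the Admin access-list.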
Thank you so much.
You are a real help. I have been doing networking for 18 years, but this SIP stuff is very new to me and confusing, but I am really getting there.
I was not sure how the firewall works, and thanks for your answer that I do not need to worry about internally originated traffic (like the other firewalls).
I will report back about the firewall.
Re: the outbound NAT, I did need it to script my soft-switch in order to get it to work. Another strange behavior that I had with outbound was that my switch got ":5060:5060" in the server address; I wrote a script to remove that duplicated port.
Works great.
The only mistake I had was
that I was thinking that "permit tcp any any eq ssh" would know on which port my SSH service runs, but it didn't; it only opened 22 while I had a random port. Adtran translates ssh into 22.
But I fixed it.
Good deal! Glad all is working.
Let us know if we can help out with anything else!
-Mark
Mark,
you were pretty good at helping me in the past.
Can you take a look at this one?
Sure thing, Moshe!
I replied. I was letting Jay take a stab at it first.
-Mark