4 Replies. Latest reply on May 10, 2018 8:31 AM by markfreeman

    firewall filter source ip address

    mtr New Member

      Hi

      I have a 908e sitting on the public WAN with no firewall.

      Can I set it up to only accept traffic from 1 IP address (my DID provider) and drop all other connections, and if yes, where do I do that?

      Will that affect outgoing calls, since we have more providers?

      The outgoing calls are coming from the T1 port and going out on the WAN. Typically, on the firewalls I have used before, inbound rules do not affect traffic originated from inside, but I have never worked with the Adtran firewall before.

        • Re: firewall filter source ip address
          markfreeman Employee

          Moshe,

          I assume this is the same TA 900 that you just added the public IP to.

          I would not leave it sitting on the public internet without the firewall on.

          What you want to do is turn on the firewall and only allow the public IP of your softswitch.  For outbound it doesn't matter, since we are initiating the call and we will open the return ports. For incoming, though, we only want to allow IPs from your known softswitch and no one else.

          You might want to apply this locally when on site, in case you get locked out of the unit.

          Here is a configuration that you can modify and paste into global config mode (config)#:

          - you can change admin access to telnet or leave ssh
          - if your softswitch has multiple IPs, then just add additional lines in the SIP access-list

           

          ip firewall
          ip firewall stealth
          !
          ip access-list extended Admin
            remark Admin Access
            permit tcp any any eq ssh log
          !
          ip access-list extended SIP
            remark SIP Service Provider
            permit udp host X.X.X.X any eq 5060
          !
          ip policy-class Public
            allow list Admin self
            allow list SIP self
          !
          interface eth 0/1
            ip access-policy Public

           

           

          Let me know if you have any questions.

           

          -Mark

            • Re: firewall filter source ip address
              mtr New Member

              Thank you so much.

              You are a real help. I have been doing networking for 18 years, but this SIP stuff is very new to me and confusing, though I am really getting there.

              I was not sure how the firewall works, and thanks for your answer that I do not need to worry about internally originated traffic (like with the other firewalls).

              I will report back about the firewall.

              Re: the outbound NAT, I did need it to script my soft-switch in order to get it to work. Another strange behavior that I had with outbound was that my switch got ":5060:5060" in the server address; I wrote a script to remove that duplicated port.

              • Re: firewall filter source ip address
                mtr New Member

                Works great.

                The only mistake I had was that I was thinking "permit tcp any any eq ssh" would know on which port my SSH service runs, but it didn't; it only opened 22 while I had a random port. Adtran translates ssh into 22.

                But I fixed it.
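As an added worked example (not code from this thread or from Adtran), here is a small Python model of how the policy-class Mark posted treats packets: the stateful return traffic he describes for outbound calls, the implicit discard for everything else, and the "eq ssh" means port 22 behaviour mtr ran into. All addresses are constructed placeholders; the DID provider address stands in for X.X.X.X.

```python
# Added example (not from the thread or Adtran): a toy model of the policy-class
# Mark posted, including stateful return traffic and the "eq ssh" == 22 pitfall.
from collections import namedtuple
from ipaddress import ip_address

# AOS resolves well-known port keywords to fixed numbers; "ssh" is always 22,
# whatever port the unit's own SSH server is actually configured on.
PORT_KEYWORDS = {"ssh": 22, "telnet": 23}

Pkt = namedtuple("Pkt", "proto src dst sport dport")

def ace(proto, src, dport):
    """One 'permit' entry: src is 'any' or a host IP, dport a number or keyword."""
    return (proto, src, PORT_KEYWORDS.get(dport, dport))

def matches(entry, pkt):
    proto, src, dport = entry
    return (pkt.proto == proto
            and (src == "any" or ip_address(pkt.src) == ip_address(src))
            and pkt.dport == dport)

class PublicPolicy:
    """'ip policy-class Public' with 'allow list <acl> self' entries, plus the
    session table the firewall keeps for traffic the unit itself initiated."""
    def __init__(self, lists):
        self.lists = lists      # {acl name: [ace, ...]} in configured order
        self.sessions = set()   # (proto, local, remote, lport, rport)

    def outbound(self, pkt):
        # Calls the unit originates are not filtered; the session is recorded
        # so the provider's replies are let back in ("we open the return ports").
        self.sessions.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return "allow (return traffic)"
        for name, entries in self.lists.items():
            if any(matches(e, pkt) for e in entries):
                return f"allow list {name}"
        return "discard"  # implicit deny at the end of the policy-class

# Constructed addresses: the unit's WAN IP, the DID provider (stands in for
# X.X.X.X), a second provider used only for outbound calls, and an unrelated host.
UNIT, DID = "192.0.2.5", "203.0.113.10"
OUTBOUND_PROVIDER, STRANGER = "198.51.100.20", "198.51.100.7"
policy = PublicPolicy({"Admin": [ace("tcp", "any", "ssh")],  # permit tcp any any eq ssh
                       "SIP": [ace("udp", DID, 5060)]})      # permit udp host X.X.X.X any eq 5060
```

Feeding packets through `policy.inbound` and `policy.outbound` shows that SIP from the DID provider and SSH on port 22 are allowed, SSH on a non-standard port and SIP from anyone else are discarded, and a second provider's replies get in only because the unit opened the session first.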