8 Replies Latest reply on Dec 10, 2012 2:33 PM by geo

    Firewall on the NetVanta 644

    unified Past_Featured_Member

      I want to put the NV644 directly on the public internet and restrict traffic to specific IP addresses. (SIP server and management)

      Here is my config:

      ip access-list extended AllowAll

        permit ip host <ip address of SIP Server>  any   

        permit ip host <management IP>  any

      ip policy-class Public

        allow list AllowAll self

      interface gigabit-eth 0/1

        ip address  <ip address of NV>  255.255.255.0

        ip access-policy Public

        media-gateway ip primary

      When I activate the firewall I get the following error:

      644(config)#ip firewall

      The firewall is only supported for VQM.  Any other configuration is not supported.

      Does this mean the NV644 does not support the configuration above?

        • Re: Firewall on the NetVanta 644
          geo Employee

          Hello and thank you for posting to our forum!

          While many AOS commands are there, the NV644 is designed to sit behind a firewall.  It may very well do what you have listed but I cannot guarantee the performance.  The NV6240 is another option.  Keep in mind that you can have 60 active calls in the Dual DSP version and 30 in the Single DSP version of the NV6240.

          Let us know if you have any questions.

          Regards,

          Geoff

          • Re: Firewall on the NetVanta 644
            geo Employee

            I think the best thing to do is use a sip, http, https, telnet, and/or ssh access-class to restrict traffic/users.  This allows you to accomplish the same thing WITHOUT using the firewall.  Your application will then be well within the scope of how this unit was tested.

            You need to make standard or extended access-lists, but we will not be applying them on a policy-class.  For sip you can use something like your access-list and apply it to a sip access class:

            ip access-list extended SIP

              permit ip host <ip address of SIP Server>  any  

            To apply, use the global command:

            ip sip access-class SIP in

            For HTTP(S), Telnet, and/or SSH make your access list:

            ip access-list extended Access_In

              permit ip host <management IP>  any

            To apply, go into Line Telnet and/or SSH:

            ip access-class Access_In

            To apply for HTTP/HTTPS use these global commands:

            http ip access-class Access_In

            http ip secure-access-class Access_In

            These commands can be used for the TA 900(e)s, NV 644s, and NV 6000 series.

            Regards,

            Geoff

              • Re: Firewall on the NetVanta 644
                unified Past_Featured_Member

                There are a few problems with the suggested config:

                1) You can't apply an extended access list to the sip access-class (a standard access list works so this is not a big deal)

                2) I'm getting an error adding the ACL to http

                644(config)#ip access-list standard Access_In

                Configuring Existing Standard ACL "Access_In"

                644(config-std-nacl)#permit 192.168.1.199

                644(config-std-nacl)#exit

                644(config)#http ip access-class  Access_In in

                %---------------------------------^

                Access control list 'Access_In' does not exist.

                3) ip doesn't have "access-class"

                644(config)#ip

                access-list            - Named access-list

                classless              - Adhere to classless forwarding rules

                  • Re: Firewall on the NetVanta 644
                    geo Employee

                    My mistake.  All the access-lists must be standard for this.  Also, the word "in" must be used referencing the access-class.  I also changed the ACL name for access to the unit:

                    ip access-list standard SIP

                      permit host <ip address of SIP Server>

                    ip sip access-class SIP in

                    For HTTP(S), Telnet, and/or SSH make your access list:

                    ip access-list standard Access

                      permit  host <management IP>

                    To apply, go into Line Telnet and/or SSH:

                    ip access-class Access in

                    To apply for HTTP/HTTPS use these global commands:

                    http ip access-class Access in

                    http ip secure-access-class Access in

                    Regards,

                    Geoff
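The three mistakes that surfaced in this thread (referencing an access-list that does not exist, applying an extended list where the access-class needs a standard one, and leaving off the trailing "in" keyword) are all things a small pre-flight check can catch before the configuration is pasted into the unit, which matters because an access-class with no usable permit entry denies everything and can lock you out of management. The following checker is an added example written for this page; it is not ADTRAN code and not from any forum participant. It only understands the command forms shown in the thread, the sample configurations are constructed here (the 203.0.113.10 SIP server address is a documentation-range placeholder, 192.168.1.199 is the management host from the thread), and the "line telnet 0 4" / "line ssh 0 4" line ranges are assumed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the corrected configuration from the end of the thread.
GOOD_CONFIG = """\
ip access-list standard SIP
  permit host 203.0.113.10
ip access-list standard Access
  permit host 192.168.1.199
ip sip access-class SIP in
http ip access-class Access in
http ip secure-access-class Access in
line telnet 0 4
  ip access-class Access in
line ssh 0 4
  ip access-class Access in
"""

# Constructed sample reproducing the earlier mistakes: an extended ACL applied
# to the SIP access-class, a reference to an ACL that was never defined, and a
# line access-class missing the trailing "in".
BAD_CONFIG = """\
ip access-list extended SIP
  permit ip host 203.0.113.10 any
ip access-list standard Access_In
  permit host 192.168.1.199
ip sip access-class SIP in
http ip access-class Access in
line telnet 0 4
  ip access-class Access_In
"""

ACL_HEADER = re.compile(r"^ip access-list (standard|extended) (\S+)$")
PERMIT = re.compile(r"^permit\b")

# Each access-class form from the thread: (label, regex capturing ACL name and
# the optional "in" keyword). The line-mode form is "ip access-class" without
# the "sip"/"http" prefix, so it does not collide with the other patterns.
REFERENCES = [
    ("ip sip access-class", re.compile(r"^ip sip access-class (\S+)(?: (in))?$")),
    ("http ip access-class", re.compile(r"^http ip access-class (\S+)(?: (in))?$")),
    ("http ip secure-access-class", re.compile(r"^http ip secure-access-class (\S+)(?: (in))?$")),
    ("line ip access-class", re.compile(r"^ip access-class (\S+)(?: (in))?$")),
]


def parse_acls(config: str) -> Dict[str, dict]:
    """Return {acl_name: {"type": "standard"|"extended", "permits": count}}."""
    acls: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = {"type": header.group(1), "permits": 0}
            continue
        if current and PERMIT.match(line):
            acls[current]["permits"] += 1
            continue
        if line and not raw.startswith(" "):
            current = None  # a non-indented line ends the ACL stanza
    return acls


def check_config(config: str) -> List[str]:
    """Flag access-class references that the unit would reject or that would lock you out."""
    acls = parse_acls(config)
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        for label, pattern in REFERENCES:
            ref = pattern.match(line)
            if not ref:
                continue
            name, direction = ref.group(1), ref.group(2)
            acl = acls.get(name)
            if acl is None:
                findings.append(f"{label}: ACL '{name}' does not exist")
            elif acl["type"] != "standard":
                findings.append(f"{label}: ACL '{name}' is extended; access-class needs a standard ACL")
            elif acl["permits"] == 0:
                findings.append(f"{label}: ACL '{name}' permits nothing; implicit deny would block all access")
            if direction != "in":
                findings.append(f"{label}: reference to '{name}' is missing the trailing 'in' keyword")
    return findings


if __name__ == "__main__":
    for title, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"== {title} ==")
        for finding in check_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a config file with `check_config(open(path).read())` before applying the access-classes; any finding means the unit will either reject the command or, worse, accept an ACL that permits nothing and cut off your own management session.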