I assume this is the same TA 900 that you just added the public IP to.
I would not leave it sitting on public internet without Firewall on.
What you want to do it turn on firewall and only allow Public IP of your softswitch. For outbound it doesn't matter since we are initiating the call and we will open the return ports. For incoming though we only want to allow IPs from your known softswitch and no one else.
You might want to apply this locally when on site in case you get locked out of unit.
here is configuration that you can modify and paste into global config mode (config)#
-you can change admin access to telnet or leave ssh
-if your softswitch has multiple IPs then just add additional lines in the SIP access-list
ip firewall stealth
ip access-list extended Admin
remark Admin Access
permit tcp any any eq ssh log
ip access-list extended SIP
remark SIP Service Provider
permit udp host X.X.X.X any eq 5060
ip policy-class Public
allow list Admin self
allow list SIP self
interface eth 0/1
ip access-policy Public
Let me know if you have any questions.
Thank you So much
you are a real help, i am doing networking for 18 years but this SIP stuff is very new to me and confusing but i am really getting there
i was not sure how the firewall works, and thanks for your answer that i do not need to worry on internal originated traffic (like the other firewalls)
i will report back about the firewal
Re: the outbound NAT i did need it to script my soft-switch in order to get it to work, another strange behavior that i had with outbound what the my switch got ":5060:5060" in the server address i wrote a script to remove that duplicated port
the only mistake i had was
that i was thinking that "permit tcp any any eq ssh" that this will know on which port my SSH service runs, but it didnt it only opened 22 while i had a random port, adtran translate ssh into 22
but i fixed it
good deal! Glad all is working.
Let us know if we can help out with anything else!
Sure thing Moshe!
i replied. I was letting Jay take a stab at it first.