6 Replies Latest reply on Aug 3, 2018 1:26 PM by markfreeman

    firewall filter source ip address

    mtr New Member

      Hi

       

      I have a 908e sitting on the public WAN with no firewall.

       

      Can I set it up to only accept traffic from 1 IP address (my DID provider) and drop all other connections, and if yes, where do I do that?

       

      Will that affect outgoing calls, for which we have more providers?

       

      The outgoing calls are coming from the T1 port and going out on the WAN. Typically, on firewalls I have used before, inbound rules do not affect traffic originated from inside, but I have never worked with the ADTRAN firewall before.

        • Re: firewall filter source ip address
          markfreeman Employee

          Moshe,

          I assume this is the same TA 900 that you just added the public IP to.

           

          I would not leave it sitting on public internet without Firewall on.

           

          What you want to do is turn on the firewall and only allow the public IP of your softswitch. For outbound it doesn't matter, since we are initiating the call and we will open the return ports. For incoming, though, we only want to allow IPs from your known softswitch and no one else.

           

          You might want to apply this locally when on site in case you get locked out of unit.

          Here is a configuration that you can modify and paste into global config mode (config)#

          -you can change admin access to telnet or leave ssh

          -if your softswitch has multiple IPs then just add additional lines in the SIP access-list

           

          ip firewall
          ip firewall stealth
          !
          ip access-list extended Admin
            remark Admin Access
            permit tcp any any eq ssh log
          !
          ip access-list extended SIP
            remark SIP Service Provider
            permit udp host X.X.X.X any eq 5060
          !
          ip policy-class Public
            allow list Admin self
            allow list SIP self
          !
          interface eth 0/1
            ip access-policy Public

           

           

          Let me know if you have any questions.

           

          -Mark
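
An added example, not part of the original thread and not ADTRAN code: a pre-paste check that reads a configuration in the shape shown in the reply above and reports whether admin access is still permitted on the public interface and whether SIP (UDP 5060) is allowed only from single host addresses. The function names and the 192.0.2.10 address are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the reply's configuration (remarks omitted), 192.0.2.10 for X.X.X.X.
SAMPLE = """ip firewall
ip firewall stealth
!
ip access-list extended Admin
  permit tcp any  any eq ssh   log
!
ip access-list extended SIP
  permit udp host 192.0.2.10  any eq 5060
!
ip policy-class Public
  allow list Admin self
  allow list SIP self
!
interface eth 0/1
  ip access-policy Public
"""

def permit(w):
    # Source is "any", "host A.B.C.D", or a network plus wildcard mask.
    src = w[3] if w[2] == "host" else w[2] if w[2] == "any" else " ".join(w[2:4])
    return w[1], src, (w[w.index("eq") + 1] if "eq" in w else "any")

def inbound_rules(config, interface="eth 0/1"):
    """List (acl, proto, source, port) permitted to the unit itself on interface."""
    acls, classes, bound = {}, {}, {}
    for block in filter(str.strip, config.split("!")):   # "!" separates sections
        head, *body = [line.split() for line in block.splitlines() if line.strip()]
        if head[:3] == ["ip", "access-list", "extended"]:
            acls[head[3]] = [permit(w) for w in body if w[0] == "permit"]
        elif head[:2] == ["ip", "policy-class"]:
            classes[head[2]] = [w[2] for w in body if w[:2] + w[-1:] == ["allow", "list", "self"]]
        elif head[0] == "interface":
            bound[" ".join(head[1:])] = next((w[-1] for w in body if "access-policy" in w), None)
    return [(a, *r) for a in classes.get(bound.get(interface), []) for r in acls.get(a, [])]

def check(config):
    """Return findings to resolve before pasting the configuration."""
    rules, findings = inbound_rules(config), []
    if not any(p == "tcp" and port in ("ssh", "22", "telnet", "23") for _, p, _, port in rules):
        findings.append("no SSH/telnet rule on the public interface: risk of lockout")
    for src in [s for _, p, s, port in rules if p == "udp" and port == "5060"]:
        try:
            ipaddress.ip_address(src)
        except ValueError:
            findings.append(f"SIP permitted from '{src}', not a single host address")
    return findings
```

An empty list from `check()` means the edited text keeps an admin rule and names only host addresses for SIP; a leftover `X.X.X.X` placeholder is reported as a finding.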