For a SIP Trunking configuration, use the following guidelines when creating ACL rules:
Allow unlimited traffic
This rule allows unlimited traffic from 10.35.66.187 (the IP address of the far end in this example; this address would also be configured as an IP Peer and in the trunk group's ingress IP prefix) to destination port 5060.
% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" state "enabled"
Block all traffic not explicitly allowed
As its name implies, this rule blocks all traffic that is not explicitly allowed. Enable the ACLs in order of precedence (lowest precedence value first), so in this example this ACL should be the last one enabled.
% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"
In the above examples, WHITELIST_PEER_01 has a lower precedence value (1000) than DENYALL_UNTRUST (65015). Rules are evaluated from the lowest precedence value upward, so WHITELIST_PEER_01 takes precedence over DENYALL_UNTRUST and traffic from 10.35.66.187 is accepted by the SBC before the deny-all rule is reached.
For a SIP Access configuration, you do not manually "white list" the IP address of every phone that will register (the addresses may change, and there are too many of them). Instead, create a rule that allows traffic destined for the SIP port of the SBC.
Summary of Steps Needed:
1. Allow traffic from any IP address destined for the SBC's SIP port.
2. Block everything else.
Allow traffic from any IP address destined for this SIP port
This rule is an example for Step #1, where 10.35.66.143 is the SBC SIP Port IP address that phones register with, and 5060 is the SIP port.
% set addressContext "default" ipAccessControlList rule "ALLOW_SIP_PORT_ACCESS" precedence "1001" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.35.66.143" destinationPort "5060"
Block everything else
This rule is an example for Step #2 in the summary above. Enable the ACLs in order of precedence (lowest precedence value first), so in this example this ACL should be the last one enabled.
% set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"
You may wish to allow some ICMP traffic, which can be useful when debugging the network. Also, if you have the SBC Link Detection feature enabled with Ping Targets, then you must allow Ping traffic. Make sure this rule has a lower precedence value than your "discard all" rule, so it is evaluated first.
Allow some ICMP (ping) traffic
This rule allows a small amount of ICMP traffic, rate-limited by the fillRate and bucketSize values.
% set addressContext "default" ipAccessControlList rule "AllowICMP_UNTRUST" precedence "64985" protocol "icmp" ipInterfaceGroup "EXTERNAL.IPIG" fillRate "10" bucketSize "10" state "enabled"
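The behaviour these rules rely on (lowest precedence value evaluated first, first match wins, deny-all enabled last, and the ICMP rule policed by its token bucket) can be checked offline with the following added example. It is not SBC code and not part of the original page; it parses the page's own set commands into rule objects and replays constructed sample packets through them. It assumes a rule with no action accepts, that rules not marked state "enabled" are inactive until enabled, that fillRate is tokens per second and bucketSize the burst ceiling in packets, and that packets exceeding a policed rule's bucket are dropped rather than re-evaluated; the peer, phone and ping addresses other than those on the page are constructed.

```python
"""Replay the page's ACL rules against sample packets (added example, not SBC code)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# The five ACL commands from the page, reproduced verbatim as sample input.
WHITELIST_PEER = '% set addressContext "default" ipAccessControlList rule "WHITELIST_PEER_01" precedence "1000" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" sourceIpAddress "10.35.66.187" sourceAddressPrefixLength "32" destinationPort "5060" state "enabled"'
DENYALL_UNTRUST = '% set addressContext "default" ipAccessControlList rule "DENYALL_UNTRUST" precedence "65015" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"'
ALLOW_SIP_PORT = '% set addressContext "default" ipAccessControlList rule "ALLOW_SIP_PORT_ACCESS" precedence "1001" protocol "udp" ipInterfaceGroup "EXTERNAL.IPIG" destinationIpAddress "10.35.66.143" destinationPort "5060"'
DENYALL_ACCESS = '% set addressContext "default" ipAccessControlList rule "DENYALL_ACCESS" precedence "65020" ipInterfaceGroup "EXTERNAL.IPIG" action "discard"'
ALLOW_ICMP = '% set addressContext "default" ipAccessControlList rule "AllowICMP_UNTRUST" precedence "64985" protocol "icmp" ipInterfaceGroup "EXTERNAL.IPIG" fillRate "10" bucketSize "10" state "enabled"'


class TokenBucket:
    """Policer for fillRate/bucketSize. Assumption: fillRate is tokens/second, bucketSize is max burst."""
    def __init__(self, fill_rate: float, bucket_size: float):
        self.fill_rate, self.bucket_size = fill_rate, bucket_size
        self.tokens, self.last = bucket_size, 0.0  # bucket starts full

    def allow(self, now: float) -> bool:
        self.tokens = min(self.bucket_size, self.tokens + (now - self.last) * self.fill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class AclRule:
    name: str
    precedence: int
    ipig: str
    action: str = "accept"            # assumption: a rule without an explicit action accepts
    protocol: Optional[str] = None    # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Address] = None
    dport: Optional[int] = None
    state: str = "disabled"           # assumption: inactive until state "enabled"
    bucket: Optional[TokenBucket] = None

    def matches(self, pkt: dict) -> bool:
        return (pkt["ipig"] == self.ipig
                and (self.protocol is None or pkt["proto"] == self.protocol)
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) == self.dst)
                and (self.dport is None or pkt.get("dport") == self.dport))


def parse_rule(cmd: str) -> AclRule:
    """Turn one `set addressContext ... ipAccessControlList rule NAME key value ...` line into a rule."""
    tokens = shlex.split(cmd.strip().lstrip("%").strip())
    if tokens[:2] != ["set", "addressContext"] or tokens[3:5] != ["ipAccessControlList", "rule"]:
        raise ValueError(f"not an ACL rule command: {cmd}")
    kv = dict(zip(tokens[6::2], tokens[7::2]))
    rule = AclRule(name=tokens[5], precedence=int(kv["precedence"]), ipig=kv["ipInterfaceGroup"])
    rule.action = kv.get("action", "accept")
    rule.protocol = kv.get("protocol")
    rule.state = kv.get("state", "disabled")
    if "sourceIpAddress" in kv:
        rule.src = ipaddress.ip_network(f'{kv["sourceIpAddress"]}/{kv.get("sourceAddressPrefixLength", "32")}')
    if "destinationIpAddress" in kv:
        rule.dst = ipaddress.ip_address(kv["destinationIpAddress"])
    if "destinationPort" in kv:
        rule.dport = int(kv["destinationPort"])
    if "fillRate" in kv:
        rule.bucket = TokenBucket(float(kv["fillRate"]), float(kv["bucketSize"]))
    return rule


def enable_in_order(rules):
    """Enable rules lowest precedence value first, as the page directs, so the deny-all is enabled last."""
    ordered = sorted(rules, key=lambda r: r.precedence)
    for rule in ordered:
        rule.state = "enabled"
    return [r.name for r in ordered]


def evaluate(rules, pkt: dict, now: float = 0.0):
    """First enabled matching rule in ascending precedence order decides: (verdict, rule name)."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.state != "enabled" or not rule.matches(pkt):
            continue
        if rule.bucket is not None and not rule.bucket.allow(now):
            return "discard", rule.name   # assumption: over-rate packets on a policed rule are dropped
        return rule.action, rule.name
    return "unmatched", None              # nothing decided; the page closes this gap with an explicit deny-all


def trunking_demo():
    rules = [parse_rule(c) for c in (WHITELIST_PEER, ALLOW_ICMP, DENYALL_UNTRUST)]
    enable_in_order(rules)
    peer = {"ipig": "EXTERNAL.IPIG", "proto": "udp", "src": "10.35.66.187", "dst": "10.35.66.143", "dport": 5060}
    stranger = dict(peer, src="198.51.100.7")   # constructed: an address that is not the far end
    return {"peer": evaluate(rules, peer), "stranger": evaluate(rules, stranger)}


def access_demo():
    rules = [parse_rule(c) for c in (ALLOW_SIP_PORT, ALLOW_ICMP, DENYALL_ACCESS)]
    enable_in_order(rules)
    phone = {"ipig": "EXTERNAL.IPIG", "proto": "udp", "src": "203.0.113.25", "dst": "10.35.66.143", "dport": 5060}
    return {"phone": evaluate(rules, phone), "wrong_port": evaluate(rules, dict(phone, dport=5061))}


def icmp_burst_demo(count: int = 12):
    """Send `count` pings at the same instant; only bucketSize of them fit the bucket."""
    rules = [parse_rule(c) for c in (ALLOW_ICMP, DENYALL_UNTRUST)]
    enable_in_order(rules)
    ping = {"ipig": "EXTERNAL.IPIG", "proto": "icmp", "src": "203.0.113.25", "dst": "10.35.66.143"}
    verdicts = [evaluate(rules, ping, now=0.0)[0] for _ in range(count)]
    return verdicts.count("accept"), verdicts.count("discard")


if __name__ == "__main__":
    print(trunking_demo())      # peer accepted by WHITELIST_PEER_01, stranger discarded by DENYALL_UNTRUST
    print(access_demo())        # any phone to 10.35.66.143:5060 accepted, other ports discarded
    print(icmp_burst_demo())    # (10, 2): ten pings fit the bucket, two are policed
```

Before enable_in_order runs, the deny rules parsed from the page are still disabled, so a stranger's packet comes back "unmatched" rather than "discard"; that is the window the page's "enable in order of precedence" instruction is meant to close, and the model makes it visible.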