Info: These are sample ACLs and should be customized for your specific deployment.
A typical SBC deployment has two 'sides'. One side is the LAN side (the corporate-network side); the other is the Internet side (the WAN side or provider-network side). Neither side should be trusted entirely. ACLs must be configured so that only SIP signaling and RTP/RTCP media (plus the few supporting flows the SBC needs, such as DNS replies) are accepted on either side. A further task is usually to decide which IP interface WebUI/REST management is allowed on, and to permit HTTPS on that interface only.

Note: When configuring ACLs it is possible to isolate the SBC from the network. Make sure a rule that accepts HTTPS exists on at least one IP interface before a deny-all rule is added. The order of rules in an ACL is significant: rules are evaluated top-down and the first match decides, so the deny-all rule must be the last one. The ACL is also stateless, which is why the tables below contain explicit rules for return traffic (DNS replies and the TCP segments returning to connections the SBC initiates).
For this example, assume the Sonus SBC 1000 has two IP interfaces:
- Ethernet 1 IP: 12.3.10.10/24 (LAN side: office, branch or corporate network)
- Ethernet 2 IP: 10.1.10.10/24 (SIP trunk side: WAN, provider network or Internet)
LAN Side ACL (for this example, apply this ACL to 'Ethernet 1 IP' as the Input ACL)

| Description | Protocol | Action | Port Selection | Service | Source IP | Source Mask | Source Min Port | Source Max Port | Dest IP | Dest Mask | Dest Min Port | Dest Max Port | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Allow WebUI/HTTPS | TCP | Allow | Service | HTTPS | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | For more security, replace the source IP and mask with the LAN-side networks administrators connect from. Remember the subnets used by VPN users of the corporate network. |
| Allow WebUI/HTTP to redirect to HTTPS | TCP | Allow | Service | HTTP | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Not strictly required, but convenient: the SBC redirects all HTTP requests to HTTPS. Omit this rule if plain HTTP should not be reachable at all. |
| Accept SIP Signaling over UDP | UDP | Allow | Range | | 40.1.1.1 | 255.255.255.255 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 5060 | 5060 | Create one rule for every SIP protocol/port combination used by the SBC's Signaling Groups. The source IP and mask must also match the Federated IP configured on that Signaling Group. In this example 40.1.1.1 is an IP-PBX that uses SIP over UDP. |
| Accept SIP Signaling over TCP and TLS | TCP | Allow | Range | | 50.1.1.2 | 255.255.255.255 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 5067 | 5067 | As above, one rule per SIP protocol/port combination, with source IP and mask matching the Signaling Group's Federated IP. In this example 50.1.1.2 is a Lync Mediation Server that uses SIP over TLS on port 5067. |
| Accept SIP Signaling TCP and TLS ACKs | TCP | Allow | Range | | 50.1.1.2 | 255.255.255.255 | 5067 | 5067 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Create one rule for every SIP server the SBC connects to. Because the ACL is stateless, the return segments (SYN-ACK, data and ACK) of TCP connections the SBC initiates toward port 5067 must be allowed explicitly: source port 5067, destination an ephemeral port on the SBC. Source IP and mask must match the Federated IP as above. |
| Accept RTP/RTCP packets | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | 0.0.0.0 | 0.0.0.0 | 16384 | 17583 | Accept all RTP/SRTP and RTCP packets. The destination port range must match the port range in the SBC's Media System Configuration. |
| Accept DNS responses | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Accept DNS responses to queries initiated by the SBC. As written, any host can send UDP packets from source port 53 to the SBC's ephemeral ports; for tighter control, replace the source IP and mask with the DNS servers configured on the SBC. |
| Discard all other packets | ANY | Deny | | | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Discard everything not matched by the rules above. This must be the last rule in the ACL. |

The destination IP and mask in these rules may be replaced with the interface's own address, 12.3.10.10 / 255.255.255.255, to ensure that only traffic addressed to that specific IP is accepted.
SIP Trunk Side ACL (for this example, apply this ACL to 'Ethernet 2 IP' as the Input ACL)

| Description | Protocol | Action | Port Selection | Service | Source IP | Source Mask | Source Min Port | Source Max Port | Dest IP | Dest Mask | Dest Min Port | Dest Max Port | Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Accept SIP Signaling over UDP | UDP | Allow | Range | | 20.5.1.20 | 255.255.255.255 | 1024 | 65535 | 10.1.10.10 | 255.255.255.255 | 5060 | 5060 | Create one rule for every SIP protocol/port combination used by the SBC's Signaling Groups. The source IP and mask must also match the Federated IP configured on that Signaling Group. In this example 20.5.1.20 is the IP address of the SIP trunk peer. |
| Accept RTP/RTCP packets | UDP | Allow | Range | | 20.5.1.20 | 255.255.255.255 | 1024 | 65535 | 10.1.10.10 | 255.255.255.255 | 16384 | 17583 | Accept RTP/SRTP and RTCP packets from the trunk peer only. The destination port range must match the port range in the SBC's Media System Configuration. |
| Accept DNS responses | UDP | Allow | Range | | 0.0.0.0 | 0.0.0.0 | 53 | 53 | 0.0.0.0 | 0.0.0.0 | 1024 | 65535 | Accept DNS responses to queries initiated by the SBC. As written, any host can send UDP packets from source port 53 to the SBC's ephemeral ports; for tighter control, replace the source IP and mask with the DNS servers configured on the SBC. |
| Discard all other packets | ANY | Deny | | | 0.0.0.0 | 0.0.0.0 | | | 0.0.0.0 | 0.0.0.0 | | | Discard everything not matched by the rules above. This must be the last rule in the ACL. |

The destination IP and mask in the DNS and deny-all rules may likewise be replaced with the SBC's own address on the SIP trunk side. Note that this ACL contains no WebUI/HTTPS rule: in this example, management is reachable only from the LAN side, and the deny-all rule drops any management connection attempt arriving from the provider network.