I work for a small software company that is deploying Cisco 800 series routers (877 in particular) to set up VPNs between our customers' stores. Lucky me, I have been assigned the task of configuring these beasts. Anyhow, one of our customers has recently been in the process of having IP phones set up at their premises. Needless to say, since my company installed the router, I have been working with their local telecom in an attempt to add the necessary ACL rules to get the phones to work properly. However, this has been much more difficult than I first anticipated. I thought this would be as simple as adding an "allow udp established" type rule. But, obviously, I should have known better. There is no state with a UDP stream! Hence, the only way I can get this to work is by writing really ugly rules allowing lots of incoming UDP traffic on multiple ports. Pretty much no outbound traffic is being denied, and I have been told the following ports need to be opened up inbound:
- Port 69 for TFTP
- Port 5060 for SIP
- Ports 10000-20000 for RTP media stream
- Port 123 for NTP
Hence, I initially created some rules like this:
access-list 101 remark TFTP (source port 69)
access-list 101 permit udp any eq tftp any
access-list 101 remark SIP signalling (source port 5060)
access-list 101 permit udp any eq 5060 any
access-list 101 remark RTP media (source ports 10000-20000)
access-list 101 permit udp any range 10000 20000 any
access-list 101 remark NTP (source port 123); original had a typo, "upd"
access-list 101 permit udp any eq ntp any
I was told that the traffic could be coming in from multiple IP addresses, so I couldn't specify a particular host in any of the ACLs.
So, that is the background of this quagmire I am in. Apparently, the telecom guys are still experiencing problems. They say that they cannot hear the incoming audio stream. I don't see why this would be happening, but I am no expert. Are there any horrible security implications of opening up a slew of UDP ports with a rule like "access-list 101 permit udp any gt 1023 any"? I obviously do not want to cause any sort of security problems if at all possible. Also, I came across something briefly that was called, I believe, a reflexive (?) ACL. It provided a way of allowing specified inbound traffic after seeing traffic leaving on a particular port. Is something like this possible on the Cisco 877? Well, I hope this all made some sort of sense. Any help or comments would be appreciated. Thanks!
-Vincent
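An added illustration of the reflexive ACL approach the post asks about, written for IOS and not taken from the original post or from Vincent's router. It assumes the 877 runs an IOS feature set that includes reflexive ACLs, that the WAN interface is Dialer0, and that the phone LAN is 192.168.1.0/24; the provider address (PROVIDER_IP) is a placeholder. Outbound UDP from the phones creates temporary reverse entries, so return RTP and SIP replies are admitted without a blanket "permit udp any gt 1023 any"; only the unsolicited inbound traffic the provider must be able to initiate (a SIP INVITE for an incoming call) still needs a static permit, which is the one hole left open.

```cisco
! Global timeout for dynamic reflexive entries (seconds); RTP packets
! arrive every 20 ms, so a short idle timeout is fine for media flows.
ip reflexive-list timeout 120
!
! Outbound ACL: record each UDP/TCP session leaving the LAN so the
! matching return traffic is permitted by the "evaluate" lines below.
ip access-list extended OUTBOUND
 remark -- reflect outbound UDP (SIP, RTP, NTP, TFTP requests) --
 permit udp 192.168.1.0 0.0.0.255 any reflect UDP-RETURN timeout 120
 remark -- reflect outbound TCP as well --
 permit tcp 192.168.1.0 0.0.0.255 any reflect TCP-RETURN timeout 300
 permit ip any any
!
! Inbound ACL: dynamic entries first, then the single static hole
! needed for provider-initiated SIP, then an explicit logged deny.
ip access-list extended INBOUND
 evaluate UDP-RETURN
 evaluate TCP-RETURN
 remark -- incoming calls: provider must be able to start SIP --
 remark -- PROVIDER_IP is a placeholder for the telecom SIP proxy --
 permit udp host PROVIDER_IP eq 5060 192.168.1.0 0.0.0.255 eq 5060
 deny ip any any log
!
! Apply both lists on the WAN-facing interface (name assumed).
interface Dialer0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification: "show access-list INBOUND" lists the temporary
! reflexive entries while a call is up, and the logged denies show
! whether the provider is sending RTP from a source the phones never
! contacted (the typical cause of one-way audio with this design).
```

The RTP return entries only exist if the phone sends media to the same provider address and port it receives from (symmetric RTP); if the provider sends audio from a different address or port than the one the phone is sending to, the log entries from the final deny will show exactly which static permit is still needed.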