Recently I needed to install a small Cisco 2811 Router in front on my Lync 2013 setup as the Mediation/FrontEnd server didnt like the 1:1 NAT and the Cisco IOS would either cause a 1 way audio or no call connection so I decided on this route.

I have a layer 2 switch which has the internet feed, Main Firewall feed and a feed going to port F0/0 on the 2811.

I basically am going to create a bridge between F0/0 and F0/1 and enable inspection and some access-lists in order to protect the SIP Trunk.

Create the Bridge Group:
Router(config)# bridge 1 irb
Router(config)# bridge 1 protocol ieee

Assign Interfaces to Bridge Group:
Router(config)# interface f0/0
Router(config-if)# bridge-group 1

Router(config)# interface f0/1
Router(config-if)# bridge-group 1

You can create the Bridge Virtual Interface but I haven’t

Router(config)# interface bvi 1
Router(config-if)# ip address 10.20.0.200 255.255.255.0
Router(config-if)# no shut

Router(config)# sh bridge group

Bridge Group 1 is running the IEEE compatible Spanning Tree protocol

Port 2 (FastEthernet0/0) of bridge group 1 is forwarding
Port 3 (FastEthernet0/1) of bridge group 1 is forwarding

Inspection Configuration

Router(config)#  ip inspect name LYNC-IN tcp
Router(config)#  ip inspect name LYNC-IN udp
Router(config)#  ip inspect name LYNC-IN icmp

Create ACL (permit ip any any is just for show put in what you need)

Router(config)# ip access-list extended LYNC-IN
Router(config-ext-nacl)# permit ip any any

My first draft ACL was like this as X.X.X.X is my SIP provider and I wanted to block 5060 tcp/udp from everywhere else.

Extended IP access list LYNC-IN
10 permit tcp host X.X.X.X any eq 5060 (179 matches)
20 permit udp host X.X.X.X any range 20000 60000 (8438 matches)
180 deny tcp any any eq 5060
181 deny udp any any eq 5060 (26 matches)
200 permit ip any any (475520 matches)

Now Apply to the Interface: (F0/0 is my external Interface)

interface FastEthernet0/0
description **INTERNET FACING – PUBLIC IP**
no ip address
ip access-group LYNC-IN in
ip inspect LYNC-IN in
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
end

interface FastEthernet0/1
description **WIZLYNC13 – Server**
no ip address
ip virtual-reassembly in
duplex auto
speed auto
bridge-group 1
end

I have used this example specifically to secure a Lync 2013 Mediation server but a Transparent IOS Firewall can be used for many purposed.

 

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *