Specifications
Appendix B: Network IP Topology
Single Node with ITP Endpoints
Mitel® 5000 Installation Manual – Issue 3.0, October 2008, Page B-27
• The following section sets up the connection to the Internet. NAT is enabled between the Internet and the internal LAN. Traffic from the Internet is filtered using the access-group called Internet (the access list named s0in in the configuration below).
    interface Serial0/0
     description connected to Internet
     ip address 208.13.17.33 255.255.255.252
     ip access-group s0in in
     ip nat outside
• The following section defines the access control list (the rules) for traffic coming from the Internet to either the internal LAN or the DMZ. This is the first line of defense, so filter as much as possible. Responses to communications initiated from inside (for example, an HTTP request for a Web page) are controlled by the firewall functionality through dynamic ACLs.
    ip access-list extended s0in
     permit tcp any host 208.132.23.66 eq 5566
     permit udp any host 208.132.23.66 eq 5567
     permit udp any host 208.132.23.66 range 6004 6247
     deny ip any any
• The following section sets up the connection to the DMZ. NAT is not enabled between the Internet and the DMZ. Traffic from the DMZ is filtered using the access-group called DMZ (the access list named e1in in the configuration below). The “inspect” statements enable the stateful firewall functionality.
    ! Global inspection rule set; defined before the interface that applies it
    ip inspect name dmzinspector udp
    ip inspect name dmzinspector tcp
    ip inspect name dmzinspector sip
    !
    interface Ethernet 1/0
     description Site DMZ LAN
     ip address 208.132.23.66 255.255.255.192
     ip inspect dmzinspector in
     ip access-group e1in in
• The following section defines the access control list (the rules) for traffic coming from the DMZ to either the internal LAN or the Internet. Limit the communications between the DMZ and the internal LAN as much as possible, so that a compromised DMZ node cannot reach the internal LAN.
    ip access-list extended e1in
     deny ip any 192.168.100.0 0.0.0.255
     permit ip any any
    !
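As an added check, the following example (not from the Mitel manual or from Cisco IOS) parses the two extended access lists above, s0in and e1in, and evaluates sample packets against them with first-match semantics, so that the intended policy (only the ITP ports reach the DMZ host from the Internet; nothing from the DMZ reaches 192.168.100.0/24) can be confirmed before the configuration is deployed. It assumes only the address and port syntax the page uses.

```python
import ipaddress
# Added example (not from the Mitel manual or IOS): a minimal evaluator for the two
# extended ACLs on this page, parsing only the address and port syntax the page uses.
S0IN = """\
permit tcp any host 208.132.23.66 eq 5566
permit udp any host 208.132.23.66 eq 5567
permit udp any host 208.132.23.66 range 6004 6247
deny ip any any
"""
E1IN = """\
deny ip any 192.168.100.0 0.0.0.255
permit ip any any
"""

def _parse_addr(tok):
    # Consume one address spec from the token list and return it as a network
    word = tok.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tok.pop(0)))  # IOS wildcard = inverted netmask
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{word}/{netmask}", strict=False)

def _parse_ports(tok):
    # Optional destination port clause: 'eq N' or 'range N M'; default is all ports
    if not tok:
        return 0, 65535
    op, lo = tok.pop(0), int(tok.pop(0))
    return (lo, lo) if op == "eq" else (lo, int(tok.pop(0)))

def parse_acl(text):
    # Each rule becomes (action, proto, src_net, dst_net, (port_lo, port_hi))
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _parse_addr(tok), _parse_addr(tok)
        rules.append((action, proto, src, dst, _parse_ports(tok)))
    return rules

def evaluate(rules, proto, src, dst, dport):
    # First match wins; an unmatched packet hits IOS's implicit 'deny ip any any'
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, (lo, hi) in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and lo <= dport <= hi:
            return action
    return "deny"
```

The sample source addresses used when calling evaluate are constructed for illustration; the ACL lines are the ones from this page.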