Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2681
  • Last Modified:

Cisco access-list for SIP traffic

Hi,

I want to add a Cisco access-list that only allow SIP traffic (5060) to a specific server.

Does this access-list do the job?

access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060
0
emieldmz
Asked:
emieldmz
1 Solution
 
PredragNetwork EngineerCommented:
From Wiki
Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).
access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060

I see possible problem in ACL that you are permitting private address space to access public IP, it is OK IF there is no NAT between those two addresses. Of course, is this a problem, depends on place where you will apply your ACL.
Since there is implicit deny at the end of every ACL that makes even last two lines unnecessary. (The last line have no sense, since you denied the same traffic in previous line. So, that line will never be checked for that type of traffic if previous if true, but it will always be performed if previous fail, and that type of traffic will never appear, so this is just waste of CPU cycles).

access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060
access-list 104 permit udp 5061 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5061

Then you need to apply ACL to interface in right direction.
If you want to enable just that traffic, you don't need to add anything.
Implicit deny will block all other traffic.
0
 
Dimitris IoakimoglouCommented:
Some rules first of all:
1) Cisco ACLs are being implemented by the router from top to bottom. If a packet matches one of the ACL lines, this packet will be processed accordingly and won't be compared to the lines below. Therefore your very last line would be useless since all udp packets except the ones in your first line would be denied before getting to your last statement. Also, if you switched the second and third line, then you'd be simply letting all udp traffic flow through so why bother writing your first line at all. So let's lose line three.

2) All access lists (as Predrag pointed out) have an implicit "deny ip any any" statement at the end. Which means your second line has no real meaning. So let's lose line two.

About 5061, it will only be used if you're using TLS, however I'm guessing you already know the port you need to open since you're asking for 5060 specifically.

Now, the access-list command itself has should be
access-list 104 permit udp 10.10.12.0 0.0.0.255 host 178.217.82.83 eq 5060
and not
access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060

The 5060 statement right after the protocol type does not make sense (to me at least). Also, ACLs need you to write down the subnet masks in reverse. Meaning 255.255.255.0 becomes 0.0.0.255 etc. 255.255.255.255 becomes 0.0.0.0. Also, when referring to a single IP, you can use the word host the way I did.

A last thing I should note. 5060 only opens up the signaling channel for SIP. Usually, you'll also need a range of udp ports for the actual voice traffic.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now