Cisco access-list for SIP traffic

Posted on 2015-02-02
Medium Priority
Last Modified: 2015-02-18

I want to add a Cisco access-list that only allow SIP traffic (5060) to a specific server.

Does this access-list do the job?

access-list 104 permit udp 5060 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060
Question by:emieldmz
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 31

Accepted Solution

Predrag earned 2000 total points
ID: 40583624
From Wiki
Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).
access-list 104 permit udp 5060 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060

I see possible problem in ACL that you are permitting private address space to access public IP, it is OK IF there is no NAT between those two addresses. Of course, is this a problem, depends on place where you will apply your ACL.
Since there is implicit deny at the end of every ACL that makes even last two lines unnecessary. (The last line have no sense, since you denied the same traffic in previous line. So, that line will never be checked for that type of traffic if previous if true, but it will always be performed if previous fail, and that type of traffic will never appear, so this is just waste of CPU cycles).

access-list 104 permit udp 5060 eq 5060
access-list 104 permit udp 5061 eq 5061

Then you need to apply ACL to interface in right direction.
If you want to enable just that traffic, you don't need to add anything.
Implicit deny will block all other traffic.

Expert Comment

by:Dimitris Ioakimoglou
ID: 40584955
Some rules first of all:
1) Cisco ACLs are being implemented by the router from top to bottom. If a packet matches one of the ACL lines, this packet will be processed accordingly and won't be compared to the lines below. Therefore your very last line would be useless since all udp packets except the ones in your first line would be denied before getting to your last statement. Also, if you switched the second and third line, then you'd be simply letting all udp traffic flow through so why bother writing your first line at all. So let's lose line three.

2) All access lists (as Predrag pointed out) have an implicit "deny ip any any" statement at the end. Which means your second line has no real meaning. So let's lose line two.

About 5061, it will only be used if you're using TLS, however I'm guessing you already know the port you need to open since you're asking for 5060 specifically.

Now, the access-list command itself has should be
access-list 104 permit udp host eq 5060
and not
access-list 104 permit udp 5060 eq 5060

The 5060 statement right after the protocol type does not make sense (to me at least). Also, ACLs need you to write down the subnet masks in reverse. Meaning becomes etc. becomes Also, when referring to a single IP, you can use the word host the way I did.

A last thing I should note. 5060 only opens up the signaling channel for SIP. Usually, you'll also need a range of udp ports for the actual voice traffic.

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why do some people recommend buying business VoIP from an ISP? What are the benefits to my company? What are the costs?
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question