Cisco access-list for SIP traffic

Posted on 2015-02-02
Last Modified: 2015-02-18

I want to add a Cisco access-list that only allow SIP traffic (5060) to a specific server.

Does this access-list do the job?

access-list 104 permit udp 5060 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060
Question by:emieldmz
LVL 28

Accepted Solution

Predrag Jovic earned 500 total points
ID: 40583624
From Wiki
Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).
access-list 104 permit udp 5060 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060

I see possible problem in ACL that you are permitting private address space to access public IP, it is OK IF there is no NAT between those two addresses. Of course, is this a problem, depends on place where you will apply your ACL.
Since there is implicit deny at the end of every ACL that makes even last two lines unnecessary. (The last line have no sense, since you denied the same traffic in previous line. So, that line will never be checked for that type of traffic if previous if true, but it will always be performed if previous fail, and that type of traffic will never appear, so this is just waste of CPU cycles).

access-list 104 permit udp 5060 eq 5060
access-list 104 permit udp 5061 eq 5061

Then you need to apply ACL to interface in right direction.
If you want to enable just that traffic, you don't need to add anything.
Implicit deny will block all other traffic.

Expert Comment

by:Dimitris Ioakimoglou
ID: 40584955
Some rules first of all:
1) Cisco ACLs are being implemented by the router from top to bottom. If a packet matches one of the ACL lines, this packet will be processed accordingly and won't be compared to the lines below. Therefore your very last line would be useless since all udp packets except the ones in your first line would be denied before getting to your last statement. Also, if you switched the second and third line, then you'd be simply letting all udp traffic flow through so why bother writing your first line at all. So let's lose line three.

2) All access lists (as Predrag pointed out) have an implicit "deny ip any any" statement at the end. Which means your second line has no real meaning. So let's lose line two.

About 5061, it will only be used if you're using TLS, however I'm guessing you already know the port you need to open since you're asking for 5060 specifically.

Now, the access-list command itself has should be
access-list 104 permit udp host eq 5060
and not
access-list 104 permit udp 5060 eq 5060

The 5060 statement right after the protocol type does not make sense (to me at least). Also, ACLs need you to write down the subnet masks in reverse. Meaning becomes etc. becomes Also, when referring to a single IP, you can use the word host the way I did.

A last thing I should note. 5060 only opens up the signaling channel for SIP. Usually, you'll also need a range of udp ports for the actual voice traffic.

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco EIGRP Network 6 27
ISP has issued 5 static IP addresses 4 28
ASA 5505 packet drops 14 46
EIGRP Bandwidth 9 21
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question