Solved

Cisco access-list for SIP traffic

Posted on 2015-02-02
2
2,013 Views
Last Modified: 2015-02-18
Hi,

I want to add a Cisco access-list that only allow SIP traffic (5060) to a specific server.

Does this access-list do the job?

access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060
0
Comment
Question by:emieldmz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40583624
From Wiki
Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).
access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060

I see possible problem in ACL that you are permitting private address space to access public IP, it is OK IF there is no NAT between those two addresses. Of course, is this a problem, depends on place where you will apply your ACL.
Since there is implicit deny at the end of every ACL that makes even last two lines unnecessary. (The last line have no sense, since you denied the same traffic in previous line. So, that line will never be checked for that type of traffic if previous if true, but it will always be performed if previous fail, and that type of traffic will never appear, so this is just waste of CPU cycles).

access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060
access-list 104 permit udp 5061 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5061

Then you need to apply ACL to interface in right direction.
If you want to enable just that traffic, you don't need to add anything.
Implicit deny will block all other traffic.
0
 
LVL 3

Expert Comment

by:Dimitris Ioakimoglou
ID: 40584955
Some rules first of all:
1) Cisco ACLs are being implemented by the router from top to bottom. If a packet matches one of the ACL lines, this packet will be processed accordingly and won't be compared to the lines below. Therefore your very last line would be useless since all udp packets except the ones in your first line would be denied before getting to your last statement. Also, if you switched the second and third line, then you'd be simply letting all udp traffic flow through so why bother writing your first line at all. So let's lose line three.

2) All access lists (as Predrag pointed out) have an implicit "deny ip any any" statement at the end. Which means your second line has no real meaning. So let's lose line two.

About 5061, it will only be used if you're using TLS, however I'm guessing you already know the port you need to open since you're asking for 5060 specifically.

Now, the access-list command itself has should be
access-list 104 permit udp 10.10.12.0 0.0.0.255 host 178.217.82.83 eq 5060
and not
access-list 104 permit udp 5060 10.10.12.0 0.0.0.255 178.217.82.83 255.255.255.255 eq 5060

The 5060 statement right after the protocol type does not make sense (to me at least). Also, ACLs need you to write down the subnet masks in reverse. Meaning 255.255.255.0 becomes 0.0.0.255 etc. 255.255.255.255 becomes 0.0.0.0. Also, when referring to a single IP, you can use the word host the way I did.

A last thing I should note. 5060 only opens up the signaling channel for SIP. Usually, you'll also need a range of udp ports for the actual voice traffic.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question