Cisco access-list for SIP traffic


I want to add a Cisco access-list that only allow SIP traffic (5060) to a specific server.

Does this access-list do the job?

access-list 104 permit udp 5060 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060
Who is Participating?
Predrag JovicConnect With a Mentor Network EngineerCommented:
From Wiki
Port 5060 is commonly used for non-encrypted signaling traffic whereas port 5061 is typically used for traffic encrypted with Transport Layer Security (TLS).
access-list 104 permit udp 5060 eq 5060
access-list 104 deny udp any any eq 5060
access-list 104 permit udp any any eq 5060

I see possible problem in ACL that you are permitting private address space to access public IP, it is OK IF there is no NAT between those two addresses. Of course, is this a problem, depends on place where you will apply your ACL.
Since there is implicit deny at the end of every ACL that makes even last two lines unnecessary. (The last line have no sense, since you denied the same traffic in previous line. So, that line will never be checked for that type of traffic if previous if true, but it will always be performed if previous fail, and that type of traffic will never appear, so this is just waste of CPU cycles).

access-list 104 permit udp 5060 eq 5060
access-list 104 permit udp 5061 eq 5061

Then you need to apply ACL to interface in right direction.
If you want to enable just that traffic, you don't need to add anything.
Implicit deny will block all other traffic.
Dimitris IoakimoglouNetwork AdministratorCommented:
Some rules first of all:
1) Cisco ACLs are being implemented by the router from top to bottom. If a packet matches one of the ACL lines, this packet will be processed accordingly and won't be compared to the lines below. Therefore your very last line would be useless since all udp packets except the ones in your first line would be denied before getting to your last statement. Also, if you switched the second and third line, then you'd be simply letting all udp traffic flow through so why bother writing your first line at all. So let's lose line three.

2) All access lists (as Predrag pointed out) have an implicit "deny ip any any" statement at the end. Which means your second line has no real meaning. So let's lose line two.

About 5061, it will only be used if you're using TLS, however I'm guessing you already know the port you need to open since you're asking for 5060 specifically.

Now, the access-list command itself has should be
access-list 104 permit udp host eq 5060
and not
access-list 104 permit udp 5060 eq 5060

The 5060 statement right after the protocol type does not make sense (to me at least). Also, ACLs need you to write down the subnet masks in reverse. Meaning becomes etc. becomes Also, when referring to a single IP, you can use the word host the way I did.

A last thing I should note. 5060 only opens up the signaling channel for SIP. Usually, you'll also need a range of udp ports for the actual voice traffic.
All Courses

From novice to tech pro — start learning today.