Elvorfin
asked on
Cisco ACL to allow VOIP traffic
I've been struggling to get a CME/CUE setup to work, thinking that I had some issues with the configuration of one or the other. The problem being that the CUE wouldn't record audio from an external caller trying to leave voicemail. For a test I removed the ACL on my Dialer0 interface (ADSL connection) and hurrah, I could record audio.
This puzzled me given that the ACL allows all IP traffic from my SIP provider to my WAN router.
The Dialer0 interface setup is:
interface Dialer0
ip address negotiated
ip access-group inbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password 0 xxxx
My CUE service module is setup as:
interface Service-Engine0/1
ip unnumbered FastEthernet0/0
ip nat inside
ip virtual-reassembly
service-module ip address 192.168.1.199 255.255.255.0
service-module ip default-gateway 192.168.1.200
hold-queue 60 out
And the inbound ACL is
ip access-list extended inbound
permit ip host x.x.x.x0 host y.y.y.y
permit ip host x.x.x.x1 host y.y.y.y
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip y.y.y.y 0.0.0.4 any (My ADSL provider network)
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any host y.y.y.y eq ftp
permit tcp any host y.y.y.y established
permit udp any eq domain host y.y.y.y gt 1023
permit tcp any host y.y.y.y eq 3389
permit udp any host y.y.y.y eq 21
permit tcp any host y.y.y.y eq 22
IP address x.x.x.x is my SIP provider
IP address y.y.y.y is my ADSL IP address
The ACL looks OK to me but obviously there is something amiss.
ASKER
OK, I tried adding those lines to the bottom of the ACL and they aren't picking anything up at all. If I do a sh ip access-list there are no hits at all on those lines when I try to leave a message.
Try removing the access list and re-adding it.
ASKER
I've requested that this question be deleted for the following reason:
Solved the problem myself.
Can you please provide what you did to solve the problem, and then select your comment as the solution?
ASKER
Sorry asavener. The ACL I used, which appears to work, is shown below. As there was no real direct solution posted here I wasn't sure what to do with the question. Perhaps closing it wasn't the right choice!
ip access-list extended voice2
permit tcp host <SIP IP one> host <my ip address>
permit tcp host <SIP IP two> host <my ip address>
permit udp host <SIP IP one> host <my ip address>
permit udp host <SIP IP two> host <my ip address>
deny tcp any any eq 5060
deny udp any any eq 5060
permit tcp any host <my ip address> eq ftp
permit tcp any host <my ip address> established
permit udp any eq domain host <my ip address> gt 1023
permit tcp any host <my ip address> eq 3389
permit tcp any host <my ip address> eq 22
permit udp any host <my ip address> eq 21
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit udp any any range 16384 32767
deny ip any any
So you added "permit udp any any range 16384 32767" to the end of your access list.
Weird that "deny udp any range 1 65535 any range 1 65535 log" didn't generate any hits, but sometimes you have to remove and re-add the access-group command to the interface before the router will notice the changed access list.
Glad you solved it.
ASKER
Yup, but I took out all the private network anti-spoofing stuff as well. Could have been either of those to be honest. I'm just glad that I've got it working as it had been bugging me for ages!
ASKER
I'm going to give you the points as at least you pointed me in the general direction. Thanks.
It's unlikely to have been the anti-spoofing stuff.
Looks like you might want to consider configuring CBAC, which will dynamically open ports for returning traffic. It inspects things like SIP and FTP and should allow appropriate return traffic.
http://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/12_4/sec_12_4_book/sec_cfg_content_ac.html
deny icmp any any log
deny udp any range 1 65535 any range 1 65535 log
deny tcp any range 1 65535 any range 1 65535 log
deny ip any any log
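As an added example (my own code, not anything posted in the thread), here is a small Python model of IOS extended-ACL matching, run over the asker's original inbound list and over the same list with the "permit udp any any range 16384 32767" entry the expert identified appended. The addresses are RFC 5737 documentation stand-ins for the redacted ones, and the assumption that the RTP stream arrives from a provider address other than the two signalling hosts is mine; the thread never says where the media came from. It shows how the original list can pass SIP from the provider and still drop the audio (the RTP falls through to the implicit deny, not to any of the anti-spoofing entries), and also that the fix admits UDP in that port range from any source, which is the gap the CBAC suggestion in the thread is meant to close.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins (RFC 5737 documentation ranges) for the redacted addresses.
SIP1, SIP2 = "203.0.113.10", "203.0.113.11"   # <SIP IP one>, <SIP IP two>
MY_IP = "198.51.100.6"                          # <my ip address> / y.y.y.y
MEDIA = "203.0.113.50"   # ASSUMPTION (not in the thread): RTP source other than SIP1/SIP2

PORT_NAMES = {"ftp": 21, "domain": 53, "ssh": 22}
Ace = namedtuple("Ace", "action proto src sport dst dport established icmp_type")
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(0, 0, False, None))   # ack: TCP ACK/RST bit set

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_addr(toks):                   # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard)
    t = toks.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (toks.pop(0), "0.0.0.0") if t == "host" else (t, toks.pop(0))

def _take_port(toks):                   # optional 'eq|gt|lt P' or 'range LO HI'
    if not toks or toks[0] not in ("eq", "gt", "lt", "range"):
        return None
    op, lo = toks.pop(0), _port(toks.pop(0))
    return (op, lo, _port(toks.pop(0)) if op == "range" else lo)

def parse_ace(line):
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, sport = _take_addr(rest), _take_port(rest)
    dst, dport = _take_addr(rest), _take_port(rest)
    tail = [t for t in rest if t not in ("established", "log")]   # e.g. 'echo-reply'
    return Ace(action, proto, src, sport, dst, dport, "established" in rest,
               tail[0] if proto == "icmp" and tail else None)

def _addr_match(spec, addr):
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    mask = 0xFFFFFFFF ^ wild            # wildcard 1-bits are don't-care bits
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)

def _port_match(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo,
            "range": lo <= port <= hi}[op]

def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto) or not (
            _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.proto in ("tcp", "udp"):
        if not (_port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)):
            return False
        if ace.established and not pkt.ack:
            return False
    return not (ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != pkt.icmp_type)

def evaluate(acl_text, pkt):            # IOS semantics: top-down, first match wins
    for line in (l.strip() for l in acl_text.strip().splitlines()):
        if ace_matches(ace := parse_ace(line), pkt):
            return (ace.action, line)
    return ("deny", "implicit deny ip any any")

# The asker's original 'inbound' list, minus the parenthetical comment.
INBOUND = f"""
permit ip host {SIP1} host {MY_IP}
permit ip host {SIP2} host {MY_IP}
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip {MY_IP} 0.0.0.4 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any host {MY_IP} eq ftp
permit tcp any host {MY_IP} established
permit udp any eq domain host {MY_IP} gt 1023
permit tcp any host {MY_IP} eq 3389
permit udp any host {MY_IP} eq 21
permit tcp any host {MY_IP} eq 22
"""
# The entry the thread settled on, appended as the expert summarised it.
FIXED = INBOUND.rstrip() + "\npermit udp any any range 16384 32767\n"

def compare():                          # {flow: (verdict under INBOUND, verdict under FIXED)}
    flows = {
        "sip_from_provider": Packet("udp", SIP1, MY_IP, 5060, 5060),
        "rtp_from_media_host": Packet("udp", MEDIA, MY_IP, 20000, 16500),
        "rtp_from_stranger": Packet("udp", "203.0.113.77", MY_IP, 40000, 16500),
        "sip_scan_from_stranger": Packet("udp", "203.0.113.77", MY_IP, 40000, 5060),
    }
    return {k: (evaluate(INBOUND, p)[0], evaluate(FIXED, p)[0]) for k, p in flows.items()}
```

The model covers only the keywords that appear in the thread's lists (host/any/wildcard, eq/gt/lt/range, established, ICMP type names) and is a desk check, not a substitute for the router's own counters: on the box the equivalent is the per-entry hit count in sh ip access-lists, which is exactly what the asker looked at. Note that "rtp_from_stranger" is permitted under the fixed list, which is why a SIP-aware inspection that opens the RTP pinhole only for the call in progress is the tighter choice.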