Elvorfin (asker)
Cisco ACL to allow VOIP traffic

I've been struggling to get a CME/CUE setup to work, thinking that I had some issues with the configuration of one or the other. The problem being that the CUE wouldn't record audio from an external caller trying to leave voicemail. For a test I removed the ACL on my Dialer0 interface (ADSL connection) and hurrah, I could record audio.

This puzzled me given that the ACL allows all IP traffic from my SIP provider to my WAN router.

The Dialer0 interface setup is:
interface Dialer0
 ip address negotiated
 ip access-group inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 0 xxxx

My CUE service module is setup as:
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 192.168.1.199 255.255.255.0
 service-module ip default-gateway 192.168.1.200
 hold-queue 60 out

And the inbound ACL is
ip access-list extended inbound
 permit ip host x.x.x.x0 host y.y.y.y
 permit ip host x.x.x.x1 host y.y.y.y
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip y.y.y.y 0.0.0.4 any (My ADSL provider network)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any host y.y.y.y eq ftp
 permit tcp any host y.y.y.y established
 permit udp any eq domain host y.y.y.y gt 1023
 permit tcp any host y.y.y.y eq 3389
 permit udp any host y.y.y.y eq 21
 permit tcp any host y.y.y.y eq 22
IP address x.x.x.x is my SIP provider
IP address y.y.y.y is my ADSL IP address

The ACL looks OK to me but obviously there is something amiss.
asavener

Try adding the following lines, and then you can inspect the logs to see what's being blocked.  (The range commands are to make sure that the device logs the source and destination port numbers.)  There is an implicit deny at the end of your access list, but it silently drops the traffic:

deny icmp any any log
deny udp any range 1 65535 any range 1 65535 log
deny tcp any range 1 65535 any range 1 65535 log
deny ip any any log
Elvorfin (ASKER)
OK, I tried adding those lines to the bottom of the ACL and they aren't picking anything at all up. If I do a sh ip access-list there are no hits at all on those lines when I try to leave a message.
Try removing the access list and re-adding it.
ASKER CERTIFIED SOLUTION
asavener
I've requested that this question be deleted for the following reason:

Solved the problem myself.
Can you please provide what you did to solve the problem, and then select your comment as the solution?
Sorry asavener. The ACL I used which appears to work is shown below. As there was no real direct solution posted here I wasn't sure what to do with the question. Perhaps closing it wasn't the right one!

ip access-list extended voice2
 permit tcp host <SIP IP one> host <my ip address>
 permit tcp host <SIP IP two> host <my ip address>
 permit udp host <SIP IP one> host <my ip address>
 permit udp host <SIP IP two> host <my ip address>
 deny   tcp any any eq 5060
 deny   udp any any eq 5060
 permit tcp any host <my ip address> eq ftp
 permit tcp any host <my ip address> established
 permit udp any eq domain host <my ip address> gt 1023
 permit tcp any host <my ip address> eq 3389
 permit tcp any host <my ip address> eq 22
 permit udp any host <my ip address> eq 21
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit udp any any range 16384 32767
 deny   ip any any
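The behaviour the thread is circling around, as an added example that is not from the thread: a small first-match evaluator for Cisco extended ACL lines, run over a constructed cut-down version of the original inbound ACL and of the working one. It assumes the RTP media arrives from a provider address other than the two SIP signalling hosts (consistent with the "permit udp any any range 16384 32767" line fixing it) and uses documentation addresses, not the poster's real ones.

```python
import ipaddress
# Added example, not from the thread: first-match evaluation of Cisco extended ACL lines.
def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (matcher, next i)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    net = int(ipaddress.IPv4Address(tok[i + 1] if tok[i] == "host" else tok[i]))
    wild = 0 if tok[i] == "host" else int(ipaddress.IPv4Address(tok[i + 1]))
    return (lambda ip: (ip | wild) == (net | wild)), i + 2   # wildcard 1-bits are don't-care

def _port(tok, i):
    """Consume an optional 'eq N' | 'gt N' | 'range A B' qualifier; return (matcher, next i)."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        op, n = tok[i], int(tok[i + 1])
        return (lambda p: p == n if op == "eq" else p > n), i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [port] DST [port]' lines; the header line is skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, i = _addr(tok, 2)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i)
            dport, i = _port(tok, i)
            rules.append((line.strip(), tok[0], tok[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, sport=0, dport=0):
    """Return (action, matching line); anything unmatched hits Cisco's implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for text, action, rproto, fsrc, fsport, fdst, fdport in rules:
        if (rproto in ("ip", proto) and fsrc(s) and fdst(d)
                and (rproto == "ip" or (fsport(sport) and fdport(dport)))):
            return action, text
    return "deny", "implicit deny ip any any"

# Constructed addresses: .10/.11 = provider SIP hosts, .50 = provider media host, 198.51.100.5 = WAN IP
ORIGINAL = """ip access-list extended inbound
 permit ip host 203.0.113.10 host 198.51.100.5
 permit ip host 203.0.113.11 host 198.51.100.5
 deny   ip 192.168.0.0 0.0.255.255 any
 permit udp any eq 53 host 198.51.100.5 gt 1023"""
WORKING = ORIGINAL + "\n permit udp any any range 16384 32767\n deny   ip any any"
RTP = ("udp", "203.0.113.50", "198.51.100.5", 20000, 16400)   # media from a third provider host
print(evaluate(parse_acl(ORIGINAL), *RTP), evaluate(parse_acl(WORKING), *RTP))
```

The same RTP packet falls through to the implicit deny under the original list and matches the added UDP range line under the working one, while the 192.168.0.0/16 anti-spoofing line never matches it either way.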
So you added  "permit udp any any range 16384 32767" to the end of your access list.

Weird that "deny udp any range 1 65535 any range 1 65535 log" didn't generate any hits, but sometimes you have to remove and re-add the access-group command to the interface before the router will notice the changed access list.

Glad you solved it.
Yup, but I took out all the private network anti-spoofing stuff as well. Could have been either of those to be honest. I'm just glad that I've got it working as it had been bugging me for ages!
I'm going to give you the points as at least you pointed me in the general direction. Thanks.
It's unlikely to have been the anti-spoofing stuff.

Looks like you might want to consider configuring CBAC, which will dynamically open ports for returning traffic.  It inspects things like SIP and FTP and should allow appropriate return traffic.

http://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/12_4/sec_12_4_book/sec_cfg_content_ac.html