Cisco ACL to allow VOIP traffic

I've been struggling to get a CME/CUE setup to work, thinking that I had some issues with the configuration of one or the other. The problem being that the CUE wouldn't record audio from an external caller trying to leave voicemail. For a test I removed the ACL on my Dialer0 interface (ADSL connection) and, hurrah, I could record audio.

This puzzled me given that the ACL allows all IP traffic from my SIP provider to my WAN router.

The Dialer0 interface setup is:
interface Dialer0
 ip address negotiated
 ip access-group inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 0 xxxx



My CUE service module is setup as:
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 service-module ip address 192.168.1.199 255.255.255.0
 service-module ip default-gateway 192.168.1.200
 hold-queue 60 out



And the inbound ACL is
ip access-list extended inbound
 permit ip host x.x.x.x0 host y.y.y.y
 permit ip host x.x.x.x1 host y.y.y.y
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip y.y.y.y 0.0.0.4 any (My ADSL provider network)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any host y.y.y.y eq ftp
 permit tcp any host y.y.y.y established
 permit udp any eq domain host y.y.y.y gt 1023
 permit tcp any host y.y.y.y eq 3389
 permit udp any host y.y.y.y eq 21
 permit tcp any host y.y.y.y eq 22
 



IP address x.x.x.x is my SIP provider
IP address y.y.y.y is my ADSL IP address

The ACL looks OK to me but obviously there is something amiss.
ElvorfinAsked:

asavenerCommented:
Try adding the following lines, and then you can inspect the logs to see what's being blocked. (The range commands are to make sure that the device logs the source and destination port numbers.) There is an implicit deny at the end of your access list, but it silently drops the traffic:

deny icmp any any log
deny udp any range 1 65535 any range 1 65535 log
deny tcp any range 1 65535 any range 1 65535 log
deny ip any any log
ElvorfinAuthor Commented:
OK, I tried adding those lines to the bottom of the ACL and they aren't picking anything up at all. If I do a sh ip access-list there are no hits at all on those lines when I try to leave a message.
asavenerCommented:
Try removing the access list and re-adding it.

asavenerCommented:
Also, you can try adding these lines in front of the existing permit statements for your SIP provider:

permit icmp host x.x.x.x host y.y.y.y log
permit udp host x.x.x.x range 1 65535 host y.y.y.y range 1 65535 log
permit tcp host x.x.x.x range 1 65535 host y.y.y.y range 1 65535 log
ElvorfinAuthor Commented:
I've requested that this question be deleted for the following reason:

Solved the problem myself.
asavenerCommented:
Can you please provide what you did to solve the problem, and then select your comment as the solution?
ElvorfinAuthor Commented:
Sorry asavener. The ACL I used which appears to work is shown below. As there was no real direct solution posted here I wasn't sure what to do with the question. Perhaps closing it wasn't the right one!

ip access-list extended voice2
 permit tcp host <SIP IP one> host <my ip address>
 permit tcp host <SIP IP two> host <my ip address>
 permit udp host <SIP IP one> host <my ip address>
 permit udp host <SIP IP two> host <my ip address>
 deny   tcp any any eq 5060
 deny   udp any any eq 5060
 permit tcp any host <my ip address> eq ftp
 permit tcp any host <my ip address> established
 permit udp any eq domain host <my ip address> gt 1023
 permit tcp any host <my ip address> eq 3389
 permit tcp any host <my ip address> eq 22
 permit udp any host <my ip address> eq 21
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit udp any any range 16384 32767
 deny   ip any any
asavenerCommented:
So you added  "permit udp any any range 16384 32767" to the end of your access list.

Weird that "deny udp any range 1 65535 any range 1 65535 log" didn't generate any hits, but sometimes you have to remove and re-add the access-group command to the interface before the router will notice the changed access list.

Glad you solved it.
ElvorfinAuthor Commented:
Yup, but I took out all the private network anti-spoofing stuff as well. Could have been either of those to be honest. I'm just glad that I've got it working as it had been bugging me for ages!
ElvorfinAuthor Commented:
I'm going to give you the points as at least you pointed me in the general direction. Thanks.
asavenerCommented:
It's unlikely to have been the anti-spoofing stuff.

Looks like you might want to consider configuring CBAC, which will dynamically open ports for returning traffic.  It inspects things like SIP and FTP and should allow appropriate return traffic.

http://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/12_4/sec_12_4_book/sec_cfg_content_ac.html
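An added Python model of first-match ACL evaluation, written for this page rather than taken from the thread or from any Cisco tool: it runs constructed packets through cut-down versions of the original inbound list and of voice2, with documentation addresses standing in for x.x.x.x and y.y.y.y, and assumes the RTP media arrives from a provider host other than the SIP signalling address (which is why a per-host permit ip does not cover it).

```python
import ipaddress

def addr_match(addr, spec):
    # spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (Cisco wildcard: 1 bit = don't care)
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == second
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (addr, first, second))
    return (ip | wc) == (net | wc)

def port_match(port, spec):
    # spec: None (any port), 'eq N', 'gt N' or 'range LO HI'
    if spec is None:
        return True
    op, *nums = spec.split()
    lo = int(nums[0])
    if op == "eq":
        return port == lo
    if op == "gt":
        return port > lo
    if op == "range":
        return lo <= port <= int(nums[1])
    raise ValueError(f"unsupported port operator: {op}")

def evaluate(acl, pkt):
    # ACE = (action, protocol, src, src_port, dst, dst_port). First match wins;
    # no match falls through to the implicit deny. 'established' is not modelled.
    for action, proto, src, sp, dst, dp in acl:
        if (proto in ("ip", pkt["proto"]) and addr_match(pkt["src"], src)
                and port_match(pkt["sport"], sp)
                and addr_match(pkt["dst"], dst) and port_match(pkt["dport"], dp)):
            return action
    return "deny"

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
SIP, ME = "198.51.100.10", "203.0.113.5"  # constructed stand-ins for x.x.x.x / y.y.y.y
INBOUND = [  # the original list, cut down to the ACEs these packets can touch
    ("permit", "ip", f"host {SIP}", None, f"host {ME}", None),
    ("deny", "ip", "192.168.0.0 0.0.255.255", None, "any", None),
    ("permit", "udp", "any", "eq 53", f"host {ME}", "gt 1023"),
]
VOICE2 = [INBOUND[0], INBOUND[2],  # anti-spoofing ACE dropped, RTP range added
          ("permit", "udp", "any", None, "any", "range 16384 32767")]

SIP_INVITE = pkt("udp", SIP, 5060, ME, 5060)
RTP_MEDIA = pkt("udp", "198.51.100.77", 20002, ME, 16400)  # assumed: media from another provider host
SPOOFED_RTP = pkt("udp", "192.168.1.5", 20002, ME, 16400)  # RFC 1918 source arriving on the WAN
```

Under voice2 the spoofed-source packet is permitted only because the anti-spoofing ACEs went out with the fix; keeping them above the RTP permit preserves the fix while still dropping such sources.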