Cisco ACL to allow VOIP traffic

I've been struggling to get a CME/CUE setup to work, thinking that I had some issues with the configuration of one or the other. The problem being that the CUE wouldn't record audio from an external caller trying to leave voicemail. For a test I removed the ACL on my Dialer0 interface (ADSL connection) and, hurrah, I could record audio.

This puzzled me given that the ACL allows all IP traffic from my SIP provider to my WAN router.

The Dialer0 interface setup is:
interface Dialer0
 ip address negotiated
 ip access-group inbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx
 ppp chap password 0 xxxx


My CUE service module is setup as:
interface Service-Engine0/1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 service-module ip address
 service-module ip default-gateway
 hold-queue 60 out


And the inbound ACL is
ip access-list extended inbound
 permit ip host x.x.x.x0 host y.y.y.y
 permit ip host x.x.x.x1 host y.y.y.y
 deny   ip any
 deny   ip any
 deny   ip any
 deny   ip host any
 deny   ip any
 deny   ip any
 deny   ip any
 deny   ip y.y.y.y any (My ADSL provider network)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any host y.y.y.y eq ftp
 permit tcp any host y.y.y.y established
 permit udp any eq domain host y.y.y.y gt 1023
 permit tcp any host y.y.y.y eq 3389
 permit udp any host y.y.y.y eq 21
 permit tcp any host y.y.y.y eq 22


IP address x.x.x.x is my SIP provider
IP address y.y.y.y is my ADSL IP address

The ACL looks OK to me but obviously there is something amiss.

Try adding the following lines, and then you can inspect the logs to see what's being blocked. (The range commands are to make sure that the device logs the source and destination port numbers.) There is an implicit deny at the end of your access list, but it silently drops the traffic:

deny icmp any any log
deny udp any range 1 65535 any range 1 65535 log
deny tcp any range 1 65535 any range 1 65535 log
deny ip any any log
ElvorfinAuthor Commented:
OK, I tried adding those lines to the bottom of the ACL and they aren't picking anything at all up. If I do a sh ip access-list there are no hits at all on those lines when I try to leave a message.
Try removing the access list and re-adding it.
Also, you can try adding these lines in front of the existing permit statements for your SIP provider:

permit icmp host x.x.x.x host y.y.y.y log
permit udp host x.x.x.x range 1 65535 host y.y.y.y range 1 65535 log
permit tcp host x.x.x.x range 1 65535 host y.y.y.y range 1 65535 log

ElvorfinAuthor Commented:
I've requested that this question be deleted for the following reason:

Solved the problem myself.
Can you please provide what you did to solve the problem, and then select your comment as the solution?
ElvorfinAuthor Commented:
Sorry asavener. The ACL I used which appears to work is shown below. As there was no real direct solution posted here I wasn't sure what to do with the question. Perhaps closing it wasn't the right one!

ip access-list extended voice2
 permit tcp host <SIP IP one> host <my ip address>
 permit tcp host <SIP IP two> host <my ip address>
 permit udp host <SIP IP one> host <my ip address>
 permit udp host <SIP IP two> host <my ip address>
 deny   tcp any any eq 5060
 deny   udp any any eq 5060
 permit tcp any host <my ip address> eq ftp
 permit tcp any host <my ip address> established
 permit udp any eq domain host <my ip address> gt 1023
 permit tcp any host <my ip address> eq 3389
 permit tcp any host <my ip address> eq 22
 permit udp any host <my ip address> eq 21
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit udp any any range 16384 32767
 deny   ip any any
So you added  "permit udp any any range 16384 32767" to the end of your access list.

Weird that "deny udp any range 1 65535 any range 1 65535 log" didn't generate any hits, but sometimes you have to remove and re-add the access-group command to the interface before the router will notice the changed access list.

Glad you solved it.
ElvorfinAuthor Commented:
Yup, but I took out all the private network anti-spoofing stuff as well. Could have been either of those to be honest. I'm just glad that I've got it working as it had been bugging me for ages!
ElvorfinAuthor Commented:
I'm going to give you the points as at least you pointed me in the general direction. Thanks.
It's unlikely to have been the anti-spoofing stuff.

Looks like you might want to consider configuring CBAC, which will dynamically open ports for returning traffic.  It inspects things like SIP and FTP and should allow appropriate return traffic.
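The following is an added example, not code from this thread, from Cisco or from the poster's router: a small first-match evaluator for the extended-ACL syntax used above, run against a trimmed copy of the poster's working "voice2" list. It illustrates two things from the thread at once: why the logging "deny ... range 1 65535 ... log" lines from the first answer turn a silent implicit-deny drop into a countable hit, and what the final "permit udp any any range 16384 32767" line actually admits. The addresses 192.0.2.10 and 192.0.2.11 (the two SIP hosts), 203.0.113.5 (the ADSL address) and 192.0.2.50 are constructed stand-ins; in particular 192.0.2.50 is an assumed provider media host that is not one of the two signalling hosts, which the thread never states but which is consistent with media being dropped while signalling from the permitted hosts got through. Named ports and wildcard masks are deliberately not supported, so only the entries that matter here are fed to it.

```python
"""Added example, not from the thread or Cisco IOS: a first-match evaluator for the extended-ACL
subset used here (ip/tcp/udp/icmp, 'host A' or 'any', eq/gt/range, 'established', 'log', ICMP type)."""
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST set, which is all that "established" checks
    icmp_type: str = ""

def _endpoint(t, i):      # only 'any' and 'host A'; wildcard masks are not supported
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def _ports(t, i):
    """((lo, hi), next_index), or (None, i) when no eq/gt/range operator follows; numeric ports only."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "gt":
        return (int(t[i + 1]) + 1, 65535), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _endpoint(t, 2)
    sports, i = _ports(t, i)
    dst, i = _endpoint(t, i)
    dports, i = _ports(t, i)
    rest = [x for x in t[i:] if x != "log"]   # 'log' changes syslog output, not what matches
    return {"text": " ".join(t), "action": t[0], "proto": t[1], "src": src, "sports": sports,
            "dst": dst, "dports": dports, "established": "established" in rest,
            "icmp_type": rest[0] if t[1] == "icmp" and rest else "", "hits": 0}

def _in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def ace_matches(a, p):
    return (a["proto"] in ("ip", p.proto) and a["src"] in ("any", p.src)
            and a["dst"] in ("any", p.dst) and _in(a["sports"], p.sport)
            and _in(a["dports"], p.dport) and (not a["established"] or p.ack)
            and (not a["icmp_type"] or a["icmp_type"] == p.icmp_type))

class Acl:
    def __init__(self, body):
        self.aces = [parse_ace(l) for l in body.strip().splitlines() if l.strip()]
        self.aces.append(parse_ace("deny ip any any"))  # implicit deny: no counter on a real router

    def evaluate(self, p):
        """First matching entry wins: returns (action, entry text) and bumps that entry's counter."""
        for a in self.aces:
            if ace_matches(a, p):
                a["hits"] += 1
                return a["action"], a["text"]

    def hits(self):
        """Roughly what 'show ip access-list' reports: explicit entries with non-zero matches."""
        return {a["text"]: a["hits"] for a in self.aces[:-1] if a["hits"]}

# Constructed stand-ins for the redacted addresses. MEDIA is an assumed provider media host
# that is not one of the two signalling hosts; the thread does not say where the RTP came from.
SIP1, SIP2, MEDIA, ME = "192.0.2.10", "192.0.2.11", "192.0.2.50", "203.0.113.5"

VOICE2 = f"""
permit udp host {SIP1} host {ME}
permit udp host {SIP2} host {ME}
deny udp any any eq 5060
permit tcp any host {ME} established
permit icmp any any echo-reply
permit udp any any range 16384 32767
deny ip any any
"""
# The same list without the RTP line, with the logging denies from the first answer appended,
# so the drop that the implicit deny would hide becomes a countable hit.
NO_RTP_LOGGED = VOICE2.replace("permit udp any any range 16384 32767\n", "").replace(
    "deny ip any any\n", "deny icmp any any log\ndeny udp any range 1 65535 any range 1 65535 log\n"
    "deny tcp any range 1 65535 any range 1 65535 log\ndeny ip any any log\n")

def run_demo():
    invite = Packet("udp", SIP1, ME, sport=5060, dport=5060)
    rtp = Packet("udp", MEDIA, ME, sport=20000, dport=18000)
    scan = Packet("udp", "198.51.100.77", ME, sport=40000, dport=20000)  # unrelated Internet host
    strict, loose = Acl(NO_RTP_LOGGED), Acl(VOICE2)
    return {"invite": loose.evaluate(invite),
            "rtp_without_range": strict.evaluate(rtp),
            "rtp_with_range": loose.evaluate(rtp),
            "internet_udp_to_rtp_port": loose.evaluate(scan),
            "strict_hits": strict.hits()}
```

Running run_demo() shows the INVITE from a signalling host matching the per-host permit, the media packet from the assumed third host falling through every permit and landing on the logging UDP deny (which is the hit the poster would have looked for with sh ip access-list), and, with the range line in place, both that media packet and an unrelated Internet host sending UDP to port 20000 matching the same "permit udp any any range 16384 32767" entry. That last point is the trade-off in the working list: it opens the whole RTP range from any source to any destination behind the router. Changing the destination to "host <my ip address>" narrows it to the public address only, and the CBAC suggestion above goes further by opening the media ports per call from the SDP instead of statically.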