access-list

jonflorence
Level 1

I need to permit traffic from a specific external IP on port 5060 and then send it to a specific private IP on my LAN. Need help on the access-list setup. This is for a SIP trunk. I have a Cisco 2901 router.

1 Reply

Luke Oxley
Level 1
jonflorence,

Thank you for your post and apologies for the late response - I was scrolling through some dated posts and happened upon yours. Well, it sounds like you need to create an access control list for the outside to permit SIP and then a NAT statement to NAT the traffic from port 5060 to the internal host.
If you share a sanitised configuration with me, I can tailor some commands for your router that you can put straight in to get this working. If you are just looking for some guidance, however, I'll explain the process below. Refrain from entering these commands if you aren't comfortable with Cisco IOS. You may negate other configuration currently in place and tamper with the functionality of your existing system. It is highly advisable to take a configuration back-up.
Is this router publicly facing? I.e., does it have a public IP address on one of its interfaces?
Let's make the assumption that Fa0/0 is your "outside" interface with an IP address of 1.1.1.1 and Fa0/1 is your "inside" interface with an IP address of 192.168.1.254. Lastly, let's assume that 192.168.1.80 is your internal CUBE/SIP Gateway/PBX that you wish the traffic from 5060 to go to.
Step 1) Create an access control list for the outside interface and assign it in an ingress direction to the outside interface. The below rule will permit traffic on 5060 from any IP address to the IP address of your outside interface and implicitly deny everything else.
ip access-list extended Outside_Access_In
permit udp any host 1.1.1.1 eq 5060
exit
interface Fa0/0
ip access-group Outside_Access_In in
exit
Step 2) Specify the logical role of the interfaces for NAT by entering the following commands in global configuration mode.
interface fa0/0
ip nat outside
interface fa0/1
ip nat inside
exit
Step 3) Lastly, create the static NAT statement (correctly known as static PAT or Port Address Translation).
ip nat inside source static udp 192.168.1.80 5060 1.1.1.1 5060
In summary, for this example, any connections from the outside trying to hit 1.1.1.1:5060 will be connected to the internal host at 192.168.1.80:5060.
I hope that helps and please, let me know if I can be of any more assistance.

Kind regards,
Luke


Please rate helpful posts and mark correct answers.
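Added example (not Luke's configuration or anything from the original thread): the three steps above combined into one IOS snippet, with the ACL narrowed to the single external SIP trunk IP the question asked for, a logged deny for other sources hitting 5060, and the verification commands to run afterwards. It reuses the answer's assumptions (Fa0/0 outside at 1.1.1.1, Fa0/1 inside, PBX at 192.168.1.80) and assumes 203.0.113.10 as a placeholder for the provider's SIP address.

```cisco
! Added example, not from the original thread.
! Assumed addressing: Fa0/0 outside = 1.1.1.1, Fa0/1 inside = 192.168.1.254,
! internal PBX = 192.168.1.80, SIP trunk provider = 203.0.113.10 (placeholder).
!
! Step 1: inbound ACL on the outside interface. An inbound ACL on the outside
! interface is checked before the static NAT rewrites the destination, so it
! must match the public address 1.1.1.1, not the private 192.168.1.80.
! Only the provider may reach 5060; other sources are denied and logged so
! scanning of the SIP port shows up in the router's logs.
ip access-list extended Outside_Access_In
 remark SIP signalling from the trunk provider only
 permit udp host 203.0.113.10 host 1.1.1.1 eq 5060
 deny   udp any host 1.1.1.1 eq 5060 log
 deny   ip any any
!
! Step 2: NAT roles, plus the ACL applied inbound on the outside interface.
! As in the answer, everything else arriving on Fa0/0 is dropped, including
! return traffic for sessions started from the inside, because this ACL is
! not stateful.
interface FastEthernet0/0
 ip nat outside
 ip access-group Outside_Access_In in
!
interface FastEthernet0/1
 ip nat inside
!
! Step 3: static PAT for UDP/5060 only, so no other port on 192.168.1.80
! is exposed through 1.1.1.1.
ip nat inside source static udp 192.168.1.80 5060 1.1.1.1 5060
!
! Verification after the provider sends a SIP request:
! show access-lists Outside_Access_In   -> hit counts on the permit and deny lines
! show ip nat translations              -> the static udp 1.1.1.1:5060 <-> 192.168.1.80:5060 entry
! show ip nat statistics               -> translation hit counts for the static rule
```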