Cisco – ACL Rule to Open UDP Ports


I have the current rules in an attempt to open ports 5060 and 10000-20000 for my VoIP provider. We are on a Cisco 1921 router. This ACL is applied to the WAN port on the router facing the ISP. An Nmap port scan shows these ports as closed.

  1. Can anyone help verify my ACL and correct my rule if necessary?
  2. Do I need an outbound ACL to open up the port as well since this is for a hosted VoIP PBX?
  3. Is Nmap not detecting the open port because I am not the specific host for the ACL? I tried some other ports that are not specific to a public IP, and Nmap also shows them as closed.
  4. Do my L3 switches behind the router also need an ACL to open ports if they are between the PC and the router?

Router Config

interface GigabitEthernet0/0
 description WAN
 ip address x.x.x.x
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description LAN
 ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
access-list 101 permit udp host x.x.x.x any eq 5060
access-list 101 permit udp host x.x.x.x any range 10000 20000

Nmap Port Scan

Starting Nmap 6.47 ( ) at 2015-03-04 16:24 PST
Nmap scan report for
Host is up (0.022s latency).
5060/udp closed sip

Starting Nmap 6.47 ( ) at 2015-03-04 16:24 PST
Nmap scan report for 
Host is up (0.023s latency).
10000/udp closed ndmp

Starting Nmap 6.47 ( ) at 2015-03-04 16:24 PST
Nmap scan report for
Host is up (0.026s latency).
20000/udp closed unknown

Best Answer

Because you are NATing from G0/0 to G0/1 you cannot use an access-list to allow traffic. NAT acts as a firewall so you need to use a Port-Address Translation rule. For the single port, that would look like this:

ip nat inside source static udp x.x.x.x 5060 interface g0/0 5060

The port range is a bit more tricky, as IOS doesn't usually deal with port ranges. However, it does have functionality built in for voice UDP traffic ranges, although this is limited to port ranges that are multiples of 64. To catch your required ports:

ip nat portmap VOICE
 appl udp-rtp startport 9984 size 10240

This defines a port range of 10240 ports starting at 9984. Finally you need to apply this port map to NAT:

ip nat inside source list # interface g0/0 overload portmap VOICE

Here, list # is the access list which encompasses the internal addresses you are translating. An Nmap scan should confirm that the ports are open.

Hope this helps!
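As an added worked example (not part of the question or the answer above), the following Python script applies the multiple-of-64 rule the answer states to the wanted 10000-20000 range: it derives an aligned startport/size pair, checks whether a proposed pair such as the answer's 9984/10240 covers the range, and counts the ports that window translates beyond what was asked for. The function names are mine, and the 64-alignment is the only IOS constraint modelled; consult the documentation for your IOS release for its own startport and size limits.

```python
"""Helpers for an IOS-style ``ip nat portmap`` window (added example, not from the post).

Only the constraint the answer states is modelled: startport and size must be
multiples of 64. Check your IOS release's documentation for its own limits.
"""
from __future__ import annotations

ALIGN = 64  # granularity the answer gives for udp-rtp portmap ranges


def aligned_portmap(first_port: int, last_port: int, align: int = ALIGN) -> tuple[int, int]:
    """Smallest (startport, size), both multiples of align, covering [first_port, last_port]."""
    if not 0 < first_port <= last_port <= 65535:
        raise ValueError("ports must satisfy 1 <= first <= last <= 65535")
    startport = (first_port // align) * align            # round the start down
    end_excl = -(-(last_port + 1) // align) * align      # round one-past-the-end up
    return startport, end_excl - startport


def covers(first_port: int, last_port: int, startport: int, size: int, align: int = ALIGN) -> bool:
    """True if a proposed startport/size pair is aligned, valid, and spans the wanted range."""
    aligned = startport % align == 0 and size % align == 0 and size > 0
    in_window = startport <= first_port and last_port <= startport + size - 1
    return aligned and in_window and startport + size - 1 <= 65535


def exposed_extra_ports(first_port, last_port, startport, size):
    """Ports the window translates that were not in the wanted range, as (below, above)."""
    window_last = startport + size - 1
    below = list(range(startport, first_port))
    above = list(range(last_port + 1, window_last + 1))
    return below, above


def render_portmap(name: str, startport: int, size: int) -> str:
    """Render the two IOS config lines from the answer for the given window."""
    return f"ip nat portmap {name}\n appl udp-rtp startport {startport} size {size}"


if __name__ == "__main__":
    wanted = (10000, 20000)                      # range from the question
    proposed = (9984, 10240)                     # pair given in the answer
    print(render_portmap("VOICE", *proposed))
    print("covers wanted range:", covers(*wanted, *proposed))
    below, above = exposed_extra_ports(*wanted, *proposed)
    print(f"extra ports exposed: {len(below)} below, {len(above)} above")
    print("smallest aligned window:", aligned_portmap(*wanted))
```

Running it shows that the answer's window does cover 10000-20000, and that an aligned window of size 10048 starting at 9984 also does while translating fewer ports outside the wanted range.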