https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841356#M459204 <P>We are having a SIP problem as described below:</P><P></P><P>It looks like the problem is that the ports are not getting translated when the SIP invites come in on port 5061 on the PIX 525.&nbsp; It appears that the firewall is not doing SIP inspection on 5061 as it is on 5060 so when the RTP is sent, as setup in the SIP contact information, the firewall is discarding the packets because the port is not open.&nbsp; We need to determine how to add the functionality to the SIP inspection policy so that it will also inspect 5061.&nbsp; Currently we are not using it for secure SIP if that question gets asked.&nbsp; We could change the port to be 5062 and we might in the future just so that we will have 5061 available for secure SIP. </P><P></P><P>Is there anything we can do to fix this issue?</P><P></P><P>Thanks</P><P>Greg</P><P></P><P></P><P>Version info:</P><P></P><P>Cisco PIX Security Appliance Software Version 8.0(4) </P><P>Device Manager Version 6.1(5)51</P><P></P><P>Hardware:&nbsp;&nbsp; PIX-525, 256 MB RAM, CPU Pentium III 600 MHz</P><P>Flash E28F128J3 @ 0xfff00000, 16MB</P><P>BIOS Flash AM29F400B @ 0xfffd8000, 32KB</P> Mon, 11 Mar 2019 22:31:26 GMT gregwoodson 2019-03-11T22:31:26Z https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841356#M459204 <P>We are having a SIP problem as described below:</P><P></P><P>It looks like the problem is that the ports are not getting translated when the SIP invites come in on port 5061 on the PIX 525.&nbsp; It appears that the firewall is not doing SIP inspection on 5061 as it is on 5060 so when the RTP is sent, as setup in the SIP contact information, the firewall is discarding the packets because the port is not open.&nbsp; We need to determine how to add the functionality to the SIP inspection policy so that it will also inspect 5061.&nbsp; Currently we are not using it for secure SIP if that question gets asked.&nbsp; We could change the port to be 5062 and we might in the future just so that we will have 5061 available for secure SIP. </P><P></P><P>Is there anything we can do to fix this issue?</P><P></P><P>Thanks</P><P>Greg</P><P></P><P></P><P>Version info:</P><P></P><P>Cisco PIX Security Appliance Software Version 8.0(4) </P><P>Device Manager Version 6.1(5)51</P><P></P><P>Hardware:&nbsp;&nbsp; PIX-525, 256 MB RAM, CPU Pentium III 600 MHz</P><P>Flash E28F128J3 @ 0xfff00000, 16MB</P><P>BIOS Flash AM29F400B @ 0xfffd8000, 32KB</P> Mon, 11 Mar 2019 22:31:26 GMT https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841356#M459204 gregwoodson 2019-03-11T22:31:26Z https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841357#M459206 <HTML><HEAD></HEAD><BODY><P>Hello Greg,</P><P></P><P>access-list test permit tcp any any eq 5061</P><P></P><P>class-map Sip_Inspect</P><P>match access-list test</P><P></P><P>policy-map global_policy</P><P>class Sip_Inspect</P><P>inspect sip</P><P></P><P>Give it a try and let me know!</P><P></P><P>Regards,</P><P></P><P>Julio</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Fri, 17 Feb 2012 18:38:18 GMT https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841357#M459206 Julio Carvajal 2012-02-17T18:38:18Z https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841358#M459208 <HTML><HEAD></HEAD><BODY><P>The issue above with the inspect is that it is looking for 5060.</P><P>According to SIP-TLS for it uses 5061.&nbsp; When looking at the inspect defined ports it only has the option for SIP which is 5060.&nbsp; The question is how to define and/or setup the SIP-TLS which uses 5061?</P></BODY></HTML> Thu, 15 Mar 2012 17:32:57 GMT https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841358#M459208 Rick Morris 2012-03-15T17:32:57Z https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841359#M459210 <HTML><HEAD></HEAD><BODY><P>The fixup looks for 5060, the standard port for unencrypted sip signaling. Why would you use 5061 for unencrypted sip signalling? 5061 is the 'standard' port for secure sip, sip-tls. And as sip-tls is encrypted, the firewall has no means of fixing up the dynamic ports as it cannot look into the encrypted packets. (maybe tls-proxy can do something here)</P><P></P><P>If you're not going to use 5061 for secure sip, I would configure the sip trunk to use tcp/5060 so the fixup can do it's work. </P><P></P><P>@cisco: it would be nice to have a configurable port for this fixup!</P><P></P><P>Regards,</P><P>Erik</P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 18 Mar 2012 15:39:22 GMT https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/1841359#M459210 etamminga 2012-03-18T15:39:22Z https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/4100240#M1070908 <P>These are not PIX commands</P> Tue, 09 Jun 2020 17:18:02 GMT https://community.cisco.com/t5/network-security/problems-with-sip-fixup-port-5061/m-p/4100240#M1070908 penn 2020-06-09T17:18:02Z