08-20-2019 07:09 PM - edited 08-20-2019 08:32 PM
Hi,
I need to lock down SIP ports on an ASA FW towards our internal SIP/voice GW:
external SIP 208.x.x <> ASA FW <> 66.x.x.x internal voice GW
Per my Google, SIP is TCP/UDP port 5060, but I can see some had 5061.
There's also the dynamic/ephemeral port range 30,000 - 50,000+ and the RTP range 16,000 - 32,000+,
but on my FW show conn, I can see UDP port 5060 only and a few low dynamic ports, i.e. 18890, 19718, 20250:
I would like to know what ports/range I need to allow.
asa# sh conn
160 in use, 4408 most used
UDP outside 208.x.x.10:0 inside 66.x.x.7:5060, idle 0:09:21, bytes 0, flags ti
UDP outside 208.x.x.12:36076 inside 66.x.x.7:27938, idle 0:00:00, bytes 1634684, flags m
UDP outside 208.x.x.12:0 inside 66.x.x.6:18891, idle 0:01:32, bytes 0, flags mi
UDP outside 208.x.x.12:0 inside 66.x.x.6:18890, idle 0:01:48, bytes 0, flags mi
UDP outside 208.x.x.x:0 inside 66.x.x.6:5060, idle 0:03:58, bytes 0, flags ti
UDP outside 208.x.x.x:36544 inside 66.x.x.6:19718, idle 0:00:00, bytes 795520, flags -
UDP outside 208.x.x.x:0 inside 66.51.33.6:5060, idle 0:20:06, bytes 0, flags ti
UDP outside 208.x.x.x:34708 inside 66.51.33.6:20250, idle 0:00:00, bytes 3876560, flags m
I plan to configure the ACL as below. Appreciate it if someone can confirm. TIA!
object-group network SIP-EXT
description ### EXTERNAL SIP GW ###
network-object host 208.x.x.10
network-object host 208.x.x.12
object-group network SIP-INT
description ### INTERNAL VOICE GW ###
network-object host 66.x.x.6
network-object host 66.x.x.7
object-group service SIP-PROTOCOLS
service-object udp destination eq 5060
service-object tcp destination eq 5060
service-object udp destination range 32768 61000
access-list SIP-OUTSIDE_ACL extended permit object-group SIP-PROTOCOLS object-group SIP-EXT object-group SIP-INT
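One way to check a proposed port range against what the firewall actually reports is to parse the show conn lines and compare. The following Python is an added example, not code from the post or from Cisco: it parses lines in the show conn format quoted above, classifies them by the ASA conn flags (t = SIP transient/signalling, m = SIP media, per the show conn flag legend), and lists SIP media flows whose inside port falls outside the proposed SIP-PROTOCOLS ranges. The sample lines are constructed from the post's output.

```python
import re
from typing import NamedTuple

# Constructed sample lines in the ASA "show conn" format quoted in the post
# (the masked "x" octets are kept exactly as the post shows them).
SAMPLE = """\
UDP outside 208.x.x.10:0 inside 66.x.x.7:5060, idle 0:09:21, bytes 0, flags ti
UDP outside 208.x.x.12:36076 inside 66.x.x.7:27938, idle 0:00:00, bytes 1634684, flags m
UDP outside 208.x.x.12:0 inside 66.x.x.6:18890, idle 0:01:48, bytes 0, flags mi
UDP outside 208.x.x.x:36544 inside 66.x.x.6:19718, idle 0:00:00, bytes 795520, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<oif>\S+)\s+(?P<oip>\S+):(?P<oport>\d+)\s+"
    r"(?P<iif>\S+)\s+(?P<iip>\S+):(?P<iport>\d+),\s+idle\s+(?P<idle>\S+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

class Conn(NamedTuple):
    proto: str
    inside_ip: str
    inside_port: int
    flags: str

def parse_conns(text):
    # Header/counter lines ("160 in use, ...") do not match and are skipped.
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["iip"], int(m["iport"]), m["flags"]))
    return conns

def classify(conn):
    # ASA conn flags: 't' = SIP transient (signalling), 'm' = SIP media pinhole.
    if "m" in conn.flags:
        return "sip-media"
    if "t" in conn.flags:
        return "sip-signalling"
    return "other"

# Port ranges taken from the proposed SIP-PROTOCOLS object-group in the post.
PROPOSED = {"udp": [(5060, 5060), (32768, 61000)], "tcp": [(5060, 5060)]}

def uncovered(conns, proposed=PROPOSED):
    """SIP media flows whose inside port is outside the proposed ranges."""
    return [c for c in conns if classify(c) == "sip-media"
            and not any(lo <= c.inside_port <= hi
                        for lo, hi in proposed.get(c.proto.lower(), []))]
```

On the sample, the media flows on 27938 and 18890 are reported as outside 32768-61000; their m flag marks them as pinholes that the ASA's SIP inspection opened, so watching for that flag tells you which observed ports come from inspection rather than from a static range.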
08-20-2019 08:58 PM
Hello @johnlloyd_13,
Maybe this link can help you:
https://community.cisco.com/t5/ip-telephony-and-phones/rtp-port-range/td-p/1345511
Regards