Port 5061 Issue on FWSM

Rick Morris
Level 6

We are running a FWSM and have created ACLs for a new Lync install. One of the rules needs to have port 5061 access from any source to our front edge server for communication. When looking at the logs I see a hit on the ACL but nothing ever actually connects.

One possible issue I see is in the inspect:

policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
class class_sip_tcp
  inspect sip

The inspect sip here only covers port 5060. How do I set this up to allow port 5061?

mirober2
Cisco Employee

Hi Rick,

Assuming you want the inspection to process both TCP/5060 and TCP/5061, the config would look like this (otherwise adjust the 'match' command in the class-map accordingly):

class-map class_sip_tcp
   match port tcp range 5060 5061
policy-map global_policy
   class class_sip_tcp
     inspect sip
service-policy global_policy global

Keep in mind, though, that the FWSM's inspection engine cannot process encrypted traffic. So if TCP/5061 is encrypted via TLS you don't want to enable the inspection for this traffic.

-Mike
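A small config lint, added here as an illustration and not code from the thread or from Cisco: it parses class-map and policy-map lines in the style shown above and flags any class where "inspect sip" would be applied to TCP/5061, the SIP-over-TLS port whose encrypted payload the inspection engine cannot read. The sample config is constructed, and the TLS port constant is an assumption taken from the thread.

```python
import re

# Constructed sample config in the style of the thread (not the poster's real config).
SAMPLE_CONFIG = """\
class-map class_sip_tcp
   match port tcp range 5060 5061
policy-map global_policy
   class inspection_default
     inspect sip
   class class_sip_tcp
     inspect sip
service-policy global_policy global
"""
SIP_TLS_PORT = 5061  # assumption: SIP over TLS; inspection cannot read encrypted payloads

def parse_class_maps(config):
    """Map each class-map name to the set of TCP ports its 'match port tcp' lines cover."""
    classes, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"class-map\s+(\S+)", s)
        if m:
            current = m.group(1)
            classes[current] = set()
        elif s.startswith("policy-map"):
            current = None  # left the class-map section
        elif current and (r := re.match(r"match port tcp range (\d+) (\d+)", s)):
            classes[current].update(range(int(r.group(1)), int(r.group(2)) + 1))
        elif current and (e := re.match(r"match port tcp eq (\d+)", s)):
            classes[current].add(int(e.group(1)))
    return classes

def sip_inspected_classes(config):
    """Return the names of policy-map classes that have 'inspect sip' applied."""
    inspected, current = set(), None
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"class\s+(\S+)$", s)  # 'class X' inside a policy-map, not 'class-map'
        if m:
            current = m.group(1)
        elif current and s == "inspect sip":
            inspected.add(current)
    return inspected

def find_tls_sip_inspection(config):
    """Flag classes where 'inspect sip' would land on TCP/5061 (encrypted SIP/TLS)."""
    classes = parse_class_maps(config)
    return sorted(c for c in sip_inspected_classes(config)
                  if SIP_TLS_PORT in classes.get(c, set()))
```

Narrowing the match to "match port tcp eq 5060" clears the finding, which is the adjustment Mike suggests when 5061 carries TLS.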
