We are having a SIP problem as described below:
It looks like the problem is that the ports are not getting translated when the SIP invites come in on port 5061 on the PIX 525. It appears that the firewall is not doing SIP inspection on 5061 as it is on 5060 so when the RTP is sent, as setup in the SIP contact information, the firewall is discarding the packets because the port is not open. We need to determine how to add the functionality to the SIP inspection policy so that it will also inspect 5061. Currently we are not using it for secure SIP if that question gets asked. We could change the port to be 5062 and we might in the future just so that we will have 5061 available for secure SIP.
Is there anything we can do to fix this issue?
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
access-list test permit tcp any any eq 5061
match access-list test
Give it a try and let me know!
Do rate helpful posts
The issue above with the inspect is that it is looking for 5060.
According to SIP-TLS for it uses 5061. When looking at the inspect defined ports it only has the option for SIP which is 5060. The question is how to define and/or setup the SIP-TLS which uses 5061?
The fixup looks for 5060, the standard port for unencrypted sip signaling. Why would you use 5061 for unencrypted sip signalling? 5061 is the 'standard' port for secure sip, sip-tls. And as sip-tls is encrypted, the firewall has no means of fixing up the dynamic ports as it cannot look into the encrypted packets. (maybe tls-proxy can do something here)
If you're not going to use 5061 for secure sip, I would configure the sip trunk to use tcp/5060 so the fixup can do it's work.
@cisco: it would be nice to have a configurable port for this fixup!
Sent from Cisco Technical Support iPad App