Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6436
Views
0
Helpful
4
Replies

Problems with SIP Fixup- port 5061

gregwoodson
Level 1
Level 1

‎02-17-2012 09:21 AM - edited ‎03-11-2019 03:31 PM

We are having a SIP problem as described below:

It looks like the problem is that the ports are not getting translated when the SIP invites come in on port 5061 on the PIX 525.  It appears that the firewall is not doing SIP inspection on 5061 as it is on 5060 so when the RTP is sent, as setup in the SIP contact information, the firewall is discarding the packets because the port is not open.  We need to determine how to add the functionality to the SIP inspection policy so that it will also inspect 5061.  Currently we are not using it for secure SIP if that question gets asked.  We could change the port to be 5062 and we might in the future just so that we will have 5061 available for secure SIP.

Is there anything we can do to fix this issue?

Thanks

Greg

Version info:

Cisco PIX Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)51

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Labels:
0 Helpful
4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

‎02-17-2012 10:38 AM

Hello Greg,

access-list test permit tcp any any eq 5061

class-map Sip_Inspect

match access-list test

policy-map global_policy

class Sip_Inspect

inspect sip

Give it a try and let me know!

Regards,

Julio

Do rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Rick Morris
Level 6
Level 6
In response to Julio Carvajal

‎03-15-2012 10:32 AM

The issue above with the inspect is that it is looking for 5060.

According to SIP-TLS for it uses 5061.  When looking at the inspect defined ports it only has the option for SIP which is 5060.  The question is how to define and/or setup the SIP-TLS which uses 5061?

0 Helpful

penn
Level 1
Level 1
In response to Julio Carvajal

‎06-09-2020 10:18 AM

These are not PIX commands

0 Helpful

etamminga
Spotlight
Spotlight

‎03-18-2012 08:39 AM

The fixup looks for 5060, the standard port for unencrypted sip signaling. Why would you use 5061 for unencrypted sip signalling? 5061 is the 'standard' port for secure sip, sip-tls. And as sip-tls is encrypted, the firewall has no means of fixing up the dynamic ports as it cannot look into the encrypted packets. (maybe tls-proxy can do something here)

If you're not going to use 5061 for secure sip, I would configure the sip trunk to use tcp/5060 so the fixup can do it's work.

@cisco: it would be nice to have a configurable port for this fixup!

Regards,

Erik

Sent from Cisco Technical Support iPad App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card