SIP Inspection on ASA for customized SIP port tcp/5062.

Dear Community,

 

I have SIP inspection enabled on my Cisco 5516. We are now migrating a different service provider onto my SIP server, for which we are using different SIP ports rather than the default one, tcp/5060, which is already configured for ISP-1. We are migrating ISP-2 onto my SIP server, which is in the DMZ zone behind my ASA, and I want to enable SIP inspection for a customized port, i.e. tcp/5062. How can we achieve that on the Cisco ASA? Currently, global SIP inspection is enabled for tcp-udp/5060.

Hi,

You can modify the default ports

You can configure the SIP Protocol Inspection for non-standard ports with
these configuration lines (replace XXXX with the new port number):

access-list sip-list extended permit udp any any eq XXXX
!
class-map sip-class
 match access-list sip-list
!
policy-map global_policy
 class sip-class
  inspect sip

**** please remember to rate useful posts

Thanks MD al Baqari,

 

Just a few questions.

1. Does this policy affect the current SIP inspection enabled for tcp/5060?

2. Please find the currently configured global policy below; would adding another class map affect the existing class map?

 

policy-map global_policy
 description Customize_SIP_Inspection
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect sip

access-list sip-list extended permit udp any any eq XXXX

access-list sip-list extended permit tcp any any eq 5060   <- add this so it also includes the default SIP TCP port

You can consolidate both ports in a single ACL (5060 and 5062), or you can
leave the default one and keep only 5062 in the ACL. Both will work.

***** please remember to rate useful posts

Dear Community,

 

I have made these changes, after which SIP inspection started working for the customized ports.

 

class-map sip-class
 match port tcp eq 5062

policy-map global_policy
 class sip-class
  inspect sip

That is good news. Please remember to rate useful posts

**** please remember to rate useful posts
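
As an added example (not part of any post in this thread, and not Cisco tooling): a small Python check that reads a saved ASA configuration and lists which protocol/port pairs actually reach `inspect sip` in `global_policy`, so you can confirm that tcp/5062 is covered and the default 5060 inspection is still in place. The sample config is constructed from the lines posted above; the `inspection_default` class-map body and the unattached `sip-acl-class` are assumptions, and the parser only understands `match port ... eq`, `match default-inspection-traffic`, and `match access-list` with `permit tcp|udp any any eq N` entries.

```python
import re

# Constructed sample: the thread's policy (abridged) plus an ACL-based class
# that is defined but deliberately NOT attached to the policy.
SAMPLE_CONFIG = """\
access-list sip-list extended permit udp any any eq 5062
class-map inspection_default
 match default-inspection-traffic
class-map sip-class
 match port tcp eq 5062
class-map sip-acl-class
 match access-list sip-list
policy-map global_policy
 description Customize_SIP_Inspection
 class inspection_default
  inspect ftp
  inspect sip
 class sip-class
  inspect sip
"""

DEFAULT_SIP = {("tcp", 5060), ("udp", 5060)}  # SIP share of default-inspection-traffic

def sip_inspected_ports(config, policy="global_policy"):
    """Return the (proto, port) pairs that reach 'inspect sip' in the given policy-map."""
    acls, classes, sip_classes = {}, {}, []
    section = name = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit (tcp|udp) any any eq (\d+)", line):
            acls.setdefault(m[1], set()).add((m[2], int(m[3])))
        elif m := re.match(r"(class-map|policy-map) (\S+)", line):
            section, name, cls = m[1], m[2], None
        elif section == "class-map" and line.startswith("match "):
            classes.setdefault(name, []).append(line[len("match "):])
        elif section == "policy-map" and name == policy:
            if m := re.match(r"class (\S+)", line):
                cls = m[1]                      # current class inside the policy
            elif line == "inspect sip" and cls:
                sip_classes.append(cls)
    ports = set()
    for c in sip_classes:                       # resolve each class's match criteria
        for crit in classes.get(c, []):
            if crit == "default-inspection-traffic":
                ports |= DEFAULT_SIP
            elif m := re.match(r"port (tcp|udp) eq (\d+)", crit):
                ports.add((m[1], int(m[2])))
            elif m := re.match(r"access-list (\S+)", crit):
                ports |= acls.get(m[1], set())
    return ports

if __name__ == "__main__":
    print(sorted(sip_inspected_ports(SAMPLE_CONFIG)))
```

In the sample, udp/5062 is absent from the result because `sip-acl-class` is never referenced under `policy-map global_policy`, which is the kind of gap this check is meant to surface.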