ZBFW and SIP problems

glebpe185
Level 1

Hi guys,

Please help me.

I am experiencing problems with SIP phones behind a firewall running on a Cisco 887VA-M.

I got these messages :

  5 02:43:37.439: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Mandatory header field missing) -  dropping udp session 192.168.33.120:5061 203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base

Jul  5 02:43:40.035: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Mandatory header field missing) -  dropping udp session 192.168.33.117:5060 203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base

I have downgraded the software to 151-4.M6 and created a policy to skip those checks, but there was no improvement.

My config is

!
boot-start-marker
boot system flash:c880data-universalk9-mz.151-4.M6.bin
boot-end-marker
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.33.150 192.168.33.254
!
ip dhcp pool 1
 network 192.168.33.0 255.255.255.0
 default-router 192.168.33.1
 dns-server 8.8.8.8
!
ip dhcp pool `
!
ip cef
ip domain name ues
ip name-server 8.8.8.8
no ipv6 cef
!
license udi pid CISCO887VA-M-K9 sn FGL171725DT
!
controller VDSL 0
!
class-map type inspect match-all cmap-manage
 match access-group 23
class-map type inspect match-any cmap-in-out-ALL_allowed
 match access-group 150
class-map type inspect match-any cmap-in-out-base
 match protocol https
 match protocol http
 match protocol dns
 match protocol ftp
 match protocol pop3
 match protocol citrix
 match protocol citriximaclient
 match protocol icmp
 match protocol smtp
 match protocol pptp
 match protocol gopher
 match protocol sip
 match protocol h323
 match protocol sip-tls
!
policy-map type inspect allow_all
 class type inspect cmap-in-out-ALL_allowed
  pass
 class class-default
  drop
policy-map type inspect pmap-out-in-manage
 class type inspect cmap-manage
  pass
 class class-default
  drop
policy-map type inspect pmap-in-out
 class type inspect cmap-in-out-base
  inspect
 class type inspect cmap-in-out-ALL_allowed
  pass
 class class-default
  drop
!
zone security in
zone security out
zone-pair security in-out-zone source in destination out
 service-policy type inspect pmap-in-out
zone-pair security out-self-zone source out destination self
 service-policy type inspect pmap-out-in-manage
zone-pair security out-in-zone source out destination in
 service-policy type inspect allow_all
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet1
 switchport access vlan 100
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 switchport access vlan 100
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 192.168.33.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out
 encapsulation ppp
 ip tcp adjust-mss 1350
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 0 673569
 ppp pap sent-username
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list FOR_NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended FOR_NAT
 permit ip 192.168.33.0 0.0.0.255 any
ip access-list extended KILL-TFTP
 deny   udp any eq tftp any
 permit ip any any
access-list 150 permit ip any any
access-list 150 remark TEMP
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end

Thanks a lot!

Accepted Solution

Andrew Phirsov
Level 7

Try to disable inspection of protocol violations for SIP, using this config:

class-map type inspect sip SIP_VIOLATION_CLASS
 match protocol-violation
policy-map type inspect sip SIP_VIOLATION_POLICY
 class type inspect sip SIP_VIOLATION_CLASS
  allow
policy-map type inspect pmap-in-out
 class type inspect cmap-in-out-base
  inspect
  service-policy sip SIP_VIOLATION_POLICY

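To see what the "Mandatory header field missing" check that this policy allows through is actually looking for, here is an added Python example (not from the thread, not Cisco code) that reports which RFC 3261 mandatory headers a SIP request or response lacks and pulls the 5-tuple, zone-pair and class out of a %AIC-4-SIP_PROTOCOL_VIOLATION syslog line, so the offending phone can be identified before violations are waved through. The REGISTER message is constructed; the router's exact inspection logic is assumed to follow the RFC's list.

```python
import re

# Headers RFC 3261 (section 8.1.1) requires in every request; responses need the
# same set minus Max-Forwards. Compact names (v, t, f, i) count. The router's
# exact AIC logic is not public; this approximates the RFC rule.
REQUIRED_REQUEST = {"via", "to", "from", "call-id", "cseq", "max-forwards"}
REQUIRED_RESPONSE = REQUIRED_REQUEST - {"max-forwards"}
COMPACT = {"v": "via", "t": "to", "f": "from", "i": "call-id"}

def missing_mandatory_headers(raw: str) -> set:
    """Return the mandatory SIP headers absent from one request or response."""
    start, *rest = raw.replace("\r\n", "\n").split("\n")
    present = set()
    for line in rest:
        if line == "":
            break                       # blank line ends the header section
        if line[0] in " \t":
            continue                    # folded continuation of the previous header
        name = line.split(":", 1)[0].strip().lower()
        present.add(COMPACT.get(name, name))
    required = REQUIRED_RESPONSE if start.startswith("SIP/2.0 ") else REQUIRED_REQUEST
    return required - present

# Fields of the %AIC-4-SIP_PROTOCOL_VIOLATION message in the format logged above.
AIC_RE = re.compile(
    r"%AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation \((?P<reason>[^)]*)\)"
    r" - +dropping (?P<proto>\w+) session (?P<src>[\d.]+):(?P<sport>\d+)"
    r" (?P<dst>[\d.]+):(?P<dport>\d+) on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)")

def parse_aic_violation(syslog_line: str) -> dict:
    """Pull reason, 5-tuple, zone-pair and class out of one AIC drop line."""
    m = AIC_RE.search(syslog_line)
    return m.groupdict() if m else {}

# Constructed REGISTER from the phone named in the thread, with Max-Forwards
# deliberately omitted so the check fires; branch, tag and Call-ID are made up.
SAMPLE_REGISTER = (
    "REGISTER sip:203.111.37.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.33.120:5061;branch=z9hG4bKexample\r\n"
    "From: <sip:1001@203.111.37.20>;tag=example1\r\n"
    "To: <sip:1001@203.111.37.20>\r\n"
    "Call-ID: example-call-id@192.168.33.120\r\n"
    "CSeq: 1 REGISTER\r\n\r\n")

SAMPLE_LOG = ("Jul  5 02:43:40.035: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation "
              "(Mandatory header field missing) -  dropping udp session 192.168.33.117:5060 "
              "203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base")
if __name__ == "__main__":
    print("missing:", missing_mandatory_headers(SAMPLE_REGISTER))   # {'max-forwards'}
    print(parse_aic_violation(SAMPLE_LOG))
```

Run it against a packet capture of the phone's registration to learn which header is absent; a phone that omits Max-Forwards can usually be fixed in its own configuration, which is narrower than allowing every protocol violation through the firewall.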
Thanks Andrew - unfortunately I cannot try it now; we have decided to turn inspection off and it works fine now for SIP phones.