04-21-2008 09:39 PM - edited 03-11-2019 05:34 AM
Hi Sir,
I have a PIX-525 running version 6.2(2). Recently, end users reported that their SIP calls across this PIX fail to work.
I had the users test their applications while I turned on "debug sip". I couldn't see any SIP-related messages except the following:
2008-04-22 12:42:05 Local4.Info 10.254.1.20 Apr 22 2008 12:42:03: %PIX-6-106015: Deny TCP (no connection) from 10.254.2.106/50543 to 10.142.65.101/5060 flags PSH ACK on interface outside
The following fixup commands are already in place by default:
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol sip 5060
I have checked the conduit, static, route, and timeout statements. All seem okay.
Below are the Release Notes for PIX 6.2(2):
http://www.cisco.com/en/US/docs/security/pix/pix62/release/notes/pixrn622.html#wp88636
I notice SIP-related bugs in the Open and Resolved Caveats. I'm not sure if I'm hitting any of those bugs because I'm not getting any SIP messages from "debug sip".
Please advise.
Thank you.
B.Rgds,
Lim TS
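An added example, not part of the original posts: a small Python triage script that parses %PIX-6-106015 lines in the format shown above and counts denied SIP flows, marking segments that carry no SYN. The first sample line is the one from the post; the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of syslog message 106015 as it appears in the post above.
PIX_106015 = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106015(line):
    """Return a dict for a 106015 line, or None for any other line."""
    m = PIX_106015.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    # A segment without SYN is not a connection attempt: it belongs to a
    # flow for which the PIX holds no connection entry.
    rec["mid_stream"] = "SYN" not in rec["flags"]
    return rec

def summarize(lines, port=5060):
    """Count denied segments per flow where either port equals `port`."""
    flows = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec and port in (rec["sport"], rec["dport"]):
            flows[(rec["src"], rec["dst"], rec["dport"],
                   rec["iface"], rec["mid_stream"])] += 1
    return flows

SAMPLE = [
    # Line quoted in the post.
    "Apr 22 2008 12:42:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.254.2.106/50543 to 10.142.65.101/5060 flags PSH ACK on interface outside",
    # Constructed lines below.
    "Apr 22 2008 12:42:04: %PIX-6-106015: Deny TCP (no connection) from "
    "10.254.2.106/50543 to 10.142.65.101/5060 flags ACK on interface outside",
    "Apr 22 2008 12:42:05: %PIX-6-106015: Deny TCP (no connection) from "
    "10.254.2.107/40000 to 10.142.65.102/80 flags RST on interface outside",
    "Apr 22 2008 12:42:06: constructed line that is not a 106015 message",
]

if __name__ == "__main__":
    for flow, count in summarize(SAMPLE).items():
        print(count, flow)
```
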
04-22-2008 01:50 AM
Hi Toh
I assume the error you encounter usually happens in two conditions.
1) Most probably your NAT statement for traffic 10.254.2.0 to 10.142.65.0 does not exist.
2) Source and destination are on different interfaces which have the same security level and "same-security-traffic permit inter-interface" is not enabled.
Regards
04-22-2008 02:07 AM
Hi,
but version 6.2(2) does not support same-security-traffic permit inter-interface.
regards