I have a scenario wherein SIP sessions need to be established across FWSM. The following is the scenario:-
On the FWSM there is a DMZ on which all voice devices reside, which includes Call Manager, voice routers and IP phones. The voice routers are on HSRP with 192.168.3.254 as the virtual IP address. The SIP session will be initiated by the voice router to a public IP address of the provider, say A.A.A.A, i.e. SRC=B.B.B.B DEST=A.A.A.A (outgoing). Here B.B.B.B is a public IP address in our range. We will get incoming calls as SRC=A.A.A.A DEST=B.B.B.B.
A.A.A.A = Provider SIP Public Ip address
B.B.B.B = Our SIP Public IP address
Outgoing Call SRC=B.B.B.B ----> DEST=A.A.A.A
(Session initiated by dmz Voice router)
Incoming Call SRC=A.A.A.A ----> DEST=B.B.B.B
This means that there is one public IP (B.B.B.B) from our side that is used for all SIP transactions (incoming and outgoing). Also, one public IP (A.A.A.A) is used by the ISP for all SIP transactions (incoming and outgoing).
The following is the configuration that I tried out:-
nat (dmzVOICE) 2 access-list UDP-SIP
global (OUTSIDE) 2 B.B.B.B
access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip
access-list FR_dmzVOICE extended permit ip any any log
access-list UDP-SIP extended permit udp host 192.168.3.254 host A.A.A.A eq sip
access-group FR_OUTSIDE in interface OUTSIDE
access-group FR_dmzVOICE in interface dmzVOICE
static (dmzVOICE,OUTSIDE) udp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255
The following are the results with this configuration:-
%FWSM-3-106011 Deny inbound (No xlate) tcp src OUTSIDE:A.A.A.A/54073 dst OUTSIDE:B.B.B.B/5060
I have allowed access from the provider IP A.A.A.A to our IP B.B.B.B on UDP 5060 and applied it on OUTSIDE in the inbound direction.
Then I have a static for our IP B.B.B.B to 192.168.3.254.
One-way speech.
Please help. Any suggestions or documentation/best practices on SIP through FWSM would be welcome.
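The posted log line shows the provider reaching B.B.B.B:5060 over TCP, while the only static and the only inbound permit cover UDP, so the TCP SYN has no translation and is dropped before the ACL is ever consulted. The following is an added example (not the poster's configuration and not a Cisco reference) that places the posted rules beside a tightened version; it assumes the interface names and addresses from the post, FWSM 3.x syntax, and the default policy-map names global_policy and inspection_default (assumed, not taken from the post).

```cisco
! Added example: not the poster's configuration, not a Cisco-published one.
! Assumes interfaces dmzVOICE/OUTSIDE and addresses from the post, and FWSM 3.x
! default names global_policy / inspection_default (assumed).

! --- Posted (weak): UDP-only static and UDP-only inbound permit -------------
! The 106011 "No xlate" entry is for TCP to B.B.B.B/5060: there is no TCP
! translation, so the inbound ACL below never even gets a chance to match.
static (dmzVOICE,OUTSIDE) udp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255
access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip

! --- Corrected: translate and permit SIP signalling on both transports ------
! Scope stays restricted to the provider's single address (least privilege).
static (dmzVOICE,OUTSIDE) udp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255
static (dmzVOICE,OUTSIDE) tcp B.B.B.B sip 192.168.3.254 sip netmask 255.255.255.255
access-list FR_OUTSIDE extended permit udp host A.A.A.A host B.B.B.B eq sip
access-list FR_OUTSIDE extended permit tcp host A.A.A.A host B.B.B.B eq sip
access-group FR_OUTSIDE in interface OUTSIDE

! Outbound dynamic NAT: the posted ACL line lacked "host" before A.A.A.A.
! Note this ACL matches only port 5060; RTP from the router to the provider
! needs its own translation (not shown, verify against the rest of the config).
access-list UDP-SIP extended permit udp host 192.168.3.254 host A.A.A.A eq sip
nat (dmzVOICE) 2 access-list UDP-SIP
global (OUTSIDE) 2 B.B.B.B

! SIP inspection rewrites the private 192.168.3.254 carried inside SDP and
! opens the negotiated RTP ports as temporary pinholes, so no permanent inbound
! UDP media range is required. Without it the SDP still advertises the DMZ
! address, return media has no xlate, and the result is one-way audio.
policy-map global_policy
 class inspection_default
  inspect sip
service-policy global_policy global
```

After applying, `show xlate` should list both a udp and a tcp B.B.B.B:5060 entry for 192.168.3.254, and the 106011 denies for port 5060 should stop; if audio is still one-way, compare `show conn` during a call for the expected RTP pinholes.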