Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Problems with SIP Fixup- port 5061

We are having a SIP problem as described below:

It looks like the problem is that the ports are not getting translated when the SIP invites come in on port 5061 on the PIX 525.  It appears that the firewall is not doing SIP inspection on 5061 as it is on 5060 so when the RTP is sent, as setup in the SIP contact information, the firewall is discarding the packets because the port is not open.  We need to determine how to add the functionality to the SIP inspection policy so that it will also inspect 5061.  Currently we are not using it for secure SIP if that question gets asked.  We could change the port to be 5062 and we might in the future just so that we will have 5061 available for secure SIP.

Is there anything we can do to fix this issue?



Version info:

Cisco PIX Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)51

Hardware:   PIX-525, 256 MB RAM, CPU Pentium III 600 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Everyone's tags (4)

Problems with SIP Fixup- port 5061

Hello Greg,

access-list test permit tcp any any eq 5061

class-map Sip_Inspect

match access-list test

policy-map global_policy

class Sip_Inspect

inspect sip

Give it a try and let me know!



Do rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist

Problems with SIP Fixup- port 5061

The issue above with the inspect is that it is looking for 5060.

According to SIP-TLS for it uses 5061.  When looking at the inspect defined ports it only has the option for SIP which is 5060.  The question is how to define and/or setup the SIP-TLS which uses 5061?


Re: Problems with SIP Fixup- port 5061

The fixup looks for 5060, the standard port for unencrypted sip signaling. Why would you use 5061 for unencrypted sip signalling? 5061 is the 'standard' port for secure sip, sip-tls. And as sip-tls is encrypted, the firewall has no means of fixing up the dynamic ports as it cannot look into the encrypted packets. (maybe tls-proxy can do something here)

If you're not going to use 5061 for secure sip, I would configure the sip trunk to use tcp/5060 so the fixup can do it's work.

@cisco: it would be nice to have a configurable port for this fixup!



Sent from Cisco Technical Support iPad App

CreatePlease to create content