It looks like the problem is that the ports are not getting translated when the SIP invites come in on port 5061 on the PIX 525. It appears that the firewall is not doing SIP inspection on 5061 as it is on 5060 so when the RTP is sent, as setup in the SIP contact information, the firewall is discarding the packets because the port is not open. We need to determine how to add the functionality to the SIP inspection policy so that it will also inspect 5061. Currently we are not using it for secure SIP if that question gets asked. We could change the port to be 5062 and we might in the future just so that we will have 5061 available for secure SIP.
Is there anything we can do to fix this issue?
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
The fixup looks for 5060, the standard port for unencrypted sip signaling. Why would you use 5061 for unencrypted sip signalling? 5061 is the 'standard' port for secure sip, sip-tls. And as sip-tls is encrypted, the firewall has no means of fixing up the dynamic ports as it cannot look into the encrypted packets. (maybe tls-proxy can do something here)
If you're not going to use 5061 for secure sip, I would configure the sip trunk to use tcp/5060 so the fixup can do it's work.
@cisco: it would be nice to have a configurable port for this fixup!
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :