Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SIP Inspection


I have a question regarding SIP inspection in a PIX 515 running version 8.0(3).

The problem is that there are two different VoIP solutions inside the network, one that require SIP inspection and one that won't work if it is enabled. Since they reside in different networks I think there might be a solution.

I have tried to solve this issue using following configuration but it doesn't work. All traffic is selected for SIP inspection regardless ACL entries. Any ideas?

Network on interface “inny” should not be submitted to SIP inspection.

access-list inspect_sip3 extended deny ip any

access-list inspect_sip3 extended deny ip any

access-list inspect_sip3 extended permit tcp any any eq sip

access-list inspect_sip3 extended permit udp any any eq sip

class-map SIP

match access-list inspect_sip3

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ils

inspect netbios

inspect pptp

inspect rsh

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

policy-map sip

class SIP

inspect sip

service-policy global_policy global

service-policy sip interface outside

service-policy sip interface inny

Best regards,


  • Firewalling

Re: SIP Inspection

SIP inspection NATs the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.

SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload that identifies the call, as well as the source and destination. Contained within this database are the media addresses and media ports that were contained in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. RTP/RTCP connections are opened between the two endpoints using these media addresses/ports.

The well-known port 5060 must be used on the initial call setup (INVITE) message. However, subsequent messages might not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be NATed.

As a call is set up, the SIP session is considered in the transient state. This state remains until a Response message is received which indicates the RTP media address and port on which the destination endpoint listens. If there is a failure to receive the response messages within one minute, the signaling connection is torn down.

Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.

If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface will not traverse the security appliance, unless the security appliance configuration specifically allows it.

Re: SIP Inspection

Hi Anders,

Your config looks okay to me. What does the output of the following commands show?

ASA# show service-policy inspect sip

ASA# show service-policy interface inny inspect sip

ASA# packet-trace input inny udp sip sip detail


This widget could not be displayed.