I have a UC520 with an SR520 in front of it.
The problem I can't resolve has to do with the ZPF configuration.
With the default configuration (generated by CCA 2.0), I can't call from external phones.
The SR520 drops the SIP packets. To be more specific, the debugging info tells me:
FW-6-DROP_PKT: Dropping udp session 22.214.171.124:5060 192.168.75.2:50137 on zone-pair sdm-zp-out-in class class-default due to DROP action found in policy-map with ip ident 0
126.96.36.199 is the IP address of the external ISP proxy server; 192.168.75.2 is the IP address of the UC520.
The ZPF configuration is:
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-h323-1
 match access-group 103
 match protocol h323
class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all dhcp_out_self
 match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
 match access-group name dhcp-req-permit
class-map type inspect match-all sdm-nat-sip-2
 match access-group 102
 match protocol sip
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-sip-1
 match access-group 101
 match protocol sip
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect dhcp_self_out
  pass
 class type inspect sdm-cls-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-cls-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  pass
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect z1-z2-pmap
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  pass
 class type inspect SDM-Voice-permit
  pass
 class type inspect sdm-nat-sip-1
  pass
 class type inspect sdm-nat-sip-2
  pass
 class type inspect sdm-nat-h323-1
  pass
 class class-default
  drop
policy-map type inspect sdm-permit
 class type inspect dhcp_out_self
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
When I look at show policy-map type inspect zone-pair sdm-zp-out-in, it looks like the firewall doesn't recognize the traffic as being SIP:
policy exists on zp sdm-zp-out-in Zone-pair: sdm-zp-out-in
I am having the same issue with the "connections section" within the SIP packet. My private address on the FA 0/0 port on the UC520, 10.201.14.34, is being sent inside to my SIP carrier. They are stripping Layer 3 header info when forwarding the request for audio. The RTP servers are seeing only the private address inside the packet, which when forwarded back to me, it is being dropped. I think that the (conf-serv-sip)#bind all source-interface interface, command will work, but I am stuck on how to bind my public address to an interface without bringing the registration with the SIP registrar server down.
TAC wasn't able to give me an answer so I have been trying multiple configs to bring the audio up. Another possibility that I wanted to explore was using the piggyback command under NAT on the SR520. I cannot get this to come up either though. I would greatly appreciate any help as well.
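The FW-6-DROP_PKT message quoted in the first post names the zone-pair and class each dropped flow landed in, so a batch of these lines can be tallied to spot SIP-port traffic falling through to class-default. The Python below is an added example, not part of the thread; the function names, timestamp prefixes and sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the FW-6-DROP_PKT line quoted in the first post.
DROP_RE = re.compile(
    r"FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)"
)
SIP_PORT = 5060  # default SIP signalling port, as seen in the quoted drop

def parse_drop(line):
    """Return the drop record as a dict, or None if the line is not a drop."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count drops per (zone-pair, class) and collect flows that touch the
    SIP port on either side yet were only matched by class-default."""
    counts = Counter()
    unclassified_sip = []
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        counts[(rec["zone_pair"], rec["cls"])] += 1
        if rec["cls"] == "class-default" and SIP_PORT in (rec["sport"], rec["dport"]):
            unclassified_sip.append(rec)
    return counts, unclassified_sip

# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE = [
    "*Mar  1 00:10:01: %FW-6-DROP_PKT: Dropping udp session 198.51.100.10:5060 192.168.75.2:50137 on zone-pair sdm-zp-out-in class class-default due to DROP action found in policy-map with ip ident 0",
    "*Mar  1 00:10:05: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:40000 192.168.75.2:23 on zone-pair sdm-zp-out-in class class-default due to DROP action found in policy-map with ip ident 0",
    "*Mar  1 00:10:09: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    counts, sip_drops = summarize(SAMPLE)
    for (zone_pair, cls), n in counts.items():
        print(f"{zone_pair} / {cls}: {n} drop(s)")
    for rec in sip_drops:
        print(f"SIP-port flow in class-default: {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}")
```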