SIP messages are not coming back through the firewall

Status
Not open for further replies.

jkmathew77

IS-IT--Management
Aug 22, 2002
14
US
I am doing Voice over IP using SIP PINGTEL Xpressa phones. I have a bunch of phones inside the firewall and a bunch of them outside the firewall on the public net.

A call from outside to a host inside works fine; the call gets set up and torn down correctly. But if a call originates from the NATed PIX firewall to a host outside, the call fails because it seems that none of the SIP messages can traverse back through the firewall.

I tried changing it to PAT instead of NAT and I still have the same problem. I also tried using the established command and it does not solve our problem either. Does anyone have any clue why this is happening?
 
What version of the PIX IOS are you using? The newer versions have a fixup protocol to handle SIP. Do a 'write term' and see if there is a fixup line for SIP. If not, you may need a newer image.
-gbiello
 
Sorry I thought I had mentioned that:

The version that I am running is:
PIX Version 6.2(1)

And there is a fixup line for SIP:
fixup protocol sip 5060

I went to CISCO and downloaded the latest version I believe.
 
Not knowing anything about SIP except for the existence of the fixup protocol, I can't be of much more help, other than to suggest syslogging to see exactly what's being dropped.
-gbiello
 
Hi.

Does the fixup protocol sip 5060 match the ports that you and remote phones are using?

* I suggest that you open a TAC case.

* There is a "debug sip" command or something similar that can give you some help troubleshooting.
You can issue this command from a telnet session:
debug sip
terminal monitor
(This is to make sure that your telnet session gets the messages).

You can stop it using either or both:
no debug sip
term no monitor

* If you manually set the "reply" IP address at the internal phone, it should be set to the internal address (same address the computer uses), and NOT to the global address.
This is because the PIX "fixup sip" will translate the embedded address also, and if it differs from the header IP address the packet might be dropped.

* You should prefer using NAT over PAT - PIX version 6.1 didn't work well with SIP and PAT, version 6.2 is supposed to fix this but I didn't try and I don't know if it is fixed.

* You can try to capture the packets at both sides using some kind of network monitor/sniffer. You should then take a look inside the data payload of the SIP messages for the embedded ip address and port.

Bye
Yizhar Hurwitz
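
The payload check suggested in the last reply, as an added example that is not part of the original thread: it pulls the embedded addresses out of a captured SIP message and flags any that are RFC 1918 or differ from the packet's source IP. The sample INVITE, its addresses, the set of headers inspected and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed, trimmed capture taken outside the firewall; addresses are made up.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@198.51.100.20 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@203.0.113.5>;tag=1928301774",
    "To: <sip:bob@198.51.100.20>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@203.0.113.5:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.5",
    "c=IN IP4 192.168.1.10",
    "m=audio 49170 RTP/AVP 0",
    "",
])

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REPLY_HEADERS = {"via", "v", "contact", "m"}  # long and compact header names

def embedded_addresses(message):
    """Return (location, ip) pairs that tell the far end where to send replies."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in REPLY_HEADERS:
            found += [(name.strip(), ip) for ip in IPV4.findall(value)]
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):  # SDP connection and origin lines
            found += [("SDP " + line[:2], ip) for ip in IPV4.findall(line)]
    return found

def untranslated(message, packet_src):
    """Embedded addresses that are RFC 1918 or differ from the packet source."""
    src = ipaddress.ip_address(packet_src)
    flagged = []
    for where, ip in embedded_addresses(message):
        addr = ipaddress.ip_address(ip)
        if addr != src or any(addr in net for net in RFC1918):
            flagged.append((where, ip))
    return flagged
```

Calling `untranslated(SAMPLE_INVITE, "203.0.113.5")` on the sample reports the Via header and the SDP `c=` line, the two places where the inside address survived translation.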
 