PIX 501 Intermittently blocks SIP

I just signed up for AT&T's Callvantage service. This seemed to be working fine at first but I then realized that calls were intermittently being dropped and some incoming calls were not going through at all. While performing some test calls I noticed the following messages from the syslog whenever a call is dropped or an incoming call doesn't go through.

2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:45 Local7.Critical 192.168.1.1 :Nov 03 16:03:45 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:47 Local7.Critical 192.168.1.1 :Nov 03 16:03:47 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside

There are no access lists configured and all the IDS features are set to alarm, not block. I did set up an access-list to capture against but whenever the syslog shows the denied traffic there are no corresponding hits. Anyone know what could be blocking this traffic?

Thanks, Mike

Reply to
Mike

To allow inbound traffic for which the session did not originate from the PIX inside network, you need to explicitly allow it via an inbound access-list.

Try something like:

fixup protocol sip 5060
fixup protocol sip udp 5060
access-group 101 in interface outside
access-list 101 permit udp host 12.194.224.134 host eq 5060
static (inside,outside) 12.194.224.134 netmask 255.255.255.255 0 0

Reply to
Merv

Thanks for your help. I think I have it working now. Here's what I did.

static (inside,outside) udp interface 5060 5060 netmask 255.255.255.255 0 0
access-list 101 permit udp host 12.194.224.134 eq 5060 host eq 5060
access-group 101 in interface outside

Reply to
Mike
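
Added example (not part of the original thread, and not code from any poster): a small Python script that groups %PIX-2-106006 deny messages like the ones in the first post by flow and picks out the ones involving SIP port 5060, which makes it easy to confirm after a config change that the denies have stopped. The sample lines are constructed; 203.0.113.10 and 198.51.100.7 are placeholder addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the PIX "Deny inbound UDP" message (ID 106006) in the format
# quoted in the thread. The destination may be redacted (xx.xx.xx.xx).
DENY_RE = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"on interface (?P<ifc>\S+)"
)
SIP_PORT = 5060

def summarize_denies(lines):
    """Count 106006 denies per (src, sport, dst, dport, interface)."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["ifc"])
            counts[key] += 1
    return counts

def sip_denies(counts):
    """Keep only flows where the source or destination port is 5060."""
    return {k: n for k, n in counts.items() if SIP_PORT in (k[1], k[3])}

# Constructed sample input modelled on the syslog lines in the first post.
PREFIX = "2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: "
SAMPLE = [
    PREFIX + "%PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 "
             "to 203.0.113.10/1024 on interface outside",
    PREFIX + "%PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 "
             "to 203.0.113.10/1024 on interface outside",
    PREFIX + "%PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 "
             "to 203.0.113.10/1024 on interface outside",
    PREFIX + "%PIX-2-106006: Deny inbound UDP from 198.51.100.7/53 "
             "to 203.0.113.10/33000 on interface outside",
    "2007-11-03 17:03:50 unrelated line (constructed)",
]

if __name__ == "__main__":
    for flow, n in sorted(sip_denies(summarize_denies(SAMPLE)).items()):
        src, sport, dst, dport, ifc = flow
        print(f"{n:4d}  {src}/{sport} -> {dst}/{dport} on {ifc}")
```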

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.