I have a SIP proxy server behind a Cisco PIX box, and need external UAs to be able to place calls through it. Since the SIP proxy handles the required address translations, I do not need the PIX to do any fixup. I have therefore disabled the fixup in the configuration file.
However, the PIX is still insisting on replacing the IP address in the URI part of the digest authentication header. Since the URI forms part of the data over which the MD5 digest is calculated, this in turn invalidates the authentication response and authentication fails.
If I connect the proxy directly to the internet (i.e. bypass the PIX), then the authentication works fine.
Is there any way to stop the PIX interferring here? It appears that there is no way to disable the SIP fixup for UDP-encapsulated SIP - I found this on the Cisco site...
'Application inspection of UDP for SIP is always enabled?it is currently not configurable.'
If this is the case, how can digest authentication for SIP ever work through a PIX?