Velocity Reviews - Computer Hardware Reviews

PIX 501 Intermittently blocks SIP

 
 
Mike
      11-04-2007
I just signed up for AT&T's Callvantage service. This seemed to be working
fine at first but I then realized that calls were intermittently being
dropped and some incoming calls were not going through at all. While
performing some test calls I noticed the following messages from the syslog
whenever a call is dropped or an incoming call doesn't go through.

2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:45 Local7.Critical 192.168.1.1 :Nov 03 16:03:45 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:47 Local7.Critical 192.168.1.1 :Nov 03 16:03:47 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside

There are no access lists configured and all the IDS features are set to
alarm, not block. I did set up an access-list to capture against but
whenever the syslog shows the denied traffic there are no corresponding
hits. Anyone know what could be blocking this traffic?

Thanks,
Mike



 
 
 
 
 
Merv
 
      11-04-2007

To allow inbound traffic for which the session did not originate from
the PIX inside network, you need to explicitly allow it via an inbound
access-list.


Try something like:

fixup protocol sip 5060
fixup protocol sip udp 5060
access-group 101 in interface outside
access-list 101 permit udp host 12.194.224.134 host <PIX outside IP address> eq 5060
static (inside,outside) 12.194.224.134 <inside SIP destination> netmask 255.255.255.255 0 0




 
 
 
 
 
Mike
 
      11-08-2007
Thanks for your help. I think I have it working now. Here's what I did.

static (inside,outside) udp interface 5060 <Internal IP> 5060 netmask 255.255.255.255 0 0
access-list 101 permit udp host 12.194.224.134 eq 5060 host <Outside IP> eq 5060
access-group 101 in interface outside

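An added example, not part of the original thread: a small Python check that parses %PIX-2-106006 deny lines in the format posted above and lists the denied 4-tuples that a given "permit udp host ... eq ..." entry would not match. It models ACL address and port matching only (not NAT or SIP fixup); the UdpPermit class, the stand-in outside address 203.0.113.10 and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Body of a PIX 106006 message, in the layout shown in the thread's syslog.
DENY_RE = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)")

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class UdpPermit(NamedTuple):
    """Models 'permit udp host A [eq P] host B [eq Q]'; None = any port."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        return (f.src == self.src and f.dst == self.dst
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))

def parse_denies(lines):
    """Count 106006 denies per distinct (src, sport, dst, dport)."""
    flows = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            flows[Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] += 1
    return flows

def uncovered(flows, rules):
    """Denied flows that no permit entry matches, most frequent first."""
    return [(f, n) for f, n in flows.most_common()
            if not any(r.matches(f) for r in rules)]

# Constructed log lines; 203.0.113.10 stands in for the redacted outside IP.
PFX = "Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to "
SAMPLE = [PFX + "203.0.113.10/1024 on interface outside"] * 3 + [
    PFX + "203.0.113.10/5060 on interface outside",
    "Nov 03 16:03:50 EST: (constructed non-106006 line, ignored by the parser)"]
# Assumed ACL entry: provider port 5060 to outside address port 5060.
RULES = [UdpPermit("12.194.224.134", 5060, "203.0.113.10", 5060)]

if __name__ == "__main__":
    for f, n in uncovered(parse_denies(SAMPLE), RULES):
        print(f"{n}x no matching permit: {f.src}/{f.sport} -> {f.dst}/{f.dport}")
```

Running the same check over a real syslog export after a rule change shows whether any denied destination ports, such as the 1024 seen in the log above, still fall outside the permit entries.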




 