PIX 501 Intermittently blocks SIP

Discussion in 'Cisco' started by Mike, Nov 4, 2007.

  1. Mike

    Mike Guest

    I just signed up for AT&T's Callvantage service. This seemed to be working
    fine at first but I then realized that calls were intermittently being
    dropped and some incoming calls were not going through at all. While
    performing some test calls I noticed the following messages from the syslog
    whenever a call is dropped or an incoming call doesn't go through.

    2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
    2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
    2007-11-03 17:03:45 Local7.Critical 192.168.1.1 :Nov 03 16:03:45 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
    2007-11-03 17:03:47 Local7.Critical 192.168.1.1 :Nov 03 16:03:47 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside

    There are no access lists configured and all the IDS features are set to
    alarm, not block. I did set up an access-list to capture against but
    whenever the syslog shows the denied traffic there are no corresponding
    hits. Anyone know what could be blocking this traffic?

    Thanks,
    Mike
     
    Mike, Nov 4, 2007
    #1

  2. Mike

    Merv Guest

    To allow inbound traffic for which the session did not originate from
    the PIX inside network, you need to explicitly allow it via an inbound
    access-list.


    Try something like:

    fixup protocol sip 5060
    fixup protocol sip udp 5060
    access-group 101 in interface outside
    access-list 101 permit udp host 12.194.224.134 host <PIX outside IP address> eq 5060
    static (inside,outside) 12.194.224.134 <inside SIP destination> netmask 255.255.255.255 0 0
     
    Merv, Nov 4, 2007
    #2

  3. Mike

    Mike Guest

    Thanks for your help. I think I have it working now. Here's what I did.

    static (inside,outside) udp interface 5060 <Internal IP> 5060 netmask 255.255.255.255 0 0
    access-list 101 permit udp host 12.194.224.134 eq 5060 host <Outside IP> eq 5060
    access-group 101 in interface outside

    "Merv" <> wrote in message
    news:...
    >
    > To allow inbound traffic for which the session did not originate from
    > the PIX inside network, you need to explicitly allow it via an inbound
    > access-list.
    >
    >
    > Try something like:
    >
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > access-group 101 in interface outside
    > access-list 101 permit udp host 12.194.224.134 host <PIX outside IP address> eq 5060
    > static (inside,outside) 12.194.224.134 <inside SIP destination> netmask 255.255.255.255 0 0
     
    Mike, Nov 8, 2007
    #3
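
One way to tally the %PIX-2-106006 denies quoted in the first post, so the denied address/port pairs can be compared against an access-list or static entry. This is an added example, not code from any post in the thread; the function names are assumptions, and the sample is the thread's log lines unwrapped plus one constructed line from the documentation address 203.0.113.9.

```python
import re
from collections import Counter

# Constructed sample: the thread's four 106006 messages, one per line, plus one
# constructed non-SIP deny (203.0.113.9 is a documentation address).
SAMPLE = """\
2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:44 Local7.Critical 192.168.1.1 :Nov 03 16:03:44 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:45 Local7.Critical 192.168.1.1 :Nov 03 16:03:45 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
2007-11-03 17:03:46 Local7.Critical 192.168.1.1 :Nov 03 16:03:46 EST: %PIX-2-106006: Deny inbound UDP from 203.0.113.9/53 to xx.xx.xx.xx/1031 on interface outside
2007-11-03 17:03:47 Local7.Critical 192.168.1.1 :Nov 03 16:03:47 EST: %PIX-2-106006: Deny inbound UDP from 12.194.224.134/5060 to xx.xx.xx.xx/1024 on interface outside
"""

# Addresses are matched loosely so masked values such as xx.xx.xx.xx still parse.
DENY = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from (?P<src>[^/\s]+)/(?P<sport>\d+)"
    r" to (?P<dst>[^/\s]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)"
)
SIP_PORT = 5060

def summarize(text):
    """Count denied inbound UDP flows keyed by (src, sport, dst, dport, interface)."""
    flows = Counter()
    for line in text.splitlines():
        m = DENY.search(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["ifc"])
            flows[key] += 1
    return flows

def report(text):
    """One line per denied flow that involves UDP 5060, most frequent first."""
    sip = [(f, n) for f, n in summarize(text).items() if SIP_PORT in (f[1], f[3])]
    lines = []
    for (src, sport, dst, dport, ifc), n in sorted(sip, key=lambda x: -x[1]):
        # A rule or static written for destination port 5060 cannot match this flow.
        note = " (destination port is not 5060)" if dport != SIP_PORT else ""
        lines.append(f"{n}x {src}/{sport} -> {dst}/{dport} on {ifc}{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```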