Cisco ASA – Configuring SIP Ports Other Than 5060

cisco-asa sip

Is it correct that the SIP inspection in the ASA 5500 firewalls only kicks in for traffic on port 5060?
The referenced document below states so (this doc is specifically for the newer generation 5500-x series).
And I have trouble getting audio working when my IP PBX is configured to receive inbound calls on a port other than 5060. The IP PBX I am using is a SIP proxy with a built-in SBC, and it demands that inbound traffic be sent to port 5080. Traffic between the IP PBX and the ITSP goes via an ASA 5505 firewall (that's the older generation).

Inbound calls do connect, but then I have one-way audio. The RTP does not flow from external to internal. (Outbound calls are no problem, all fine with 2-way audio – but they are sent with destination port 5060.)
This would make sense if the ASA won't start the SIP inspection due to the different port 5080.

But is that really the case?
And if that is so, can I configure somewhere which SIP port the ASA should look for? Or is there any workaround? (I can probably open all inbound RTP ports … but I would like to avoid that)

Cisco documentation ASA 5500

Best Answer

It seems the trick is as follows (credit to Alex over at serverfault.com):

First go in your configuration terminal and create the class-map:

asa(config)# class-map SIP_5080
asa(config-cmap)# match port tcp eq 5080
asa(config-cmap)# exit

Then create a policy-map:

asa(config)# policy-map SIP_Policy
asa(config-pmap)# class SIP_5080
asa(config-pmap-c)# inspect sip
asa(config-pmap-c)# exit

Finally, assign the policy-map to an interface:

asa(config)# service-policy SIP_Policy interface [name of your interface]
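
One way to confirm from a saved running-config which transport/port pairs actually reach `inspect sip`, as an added example that is not part of the original answer. The sample config is constructed, the function names are hypothetical, and the parser assumes numeric ports and plain (non-typed) class-maps.

```python
import re

# Constructed sample running-config (assumption: interface is named "outside").
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map SIP_5080
 match port tcp eq 5080
policy-map global_policy
 class inspection_default
  inspect sip
policy-map SIP_Policy
 class SIP_5080
  inspect sip
service-policy global_policy global
service-policy SIP_Policy interface outside
"""

def sip_inspected_ports(config):
    """Return {(proto, low, high)} ranges that reach 'inspect sip' via an applied policy."""
    class_ports, policy_classes, applied = {}, {}, set()
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a top-level command ends the current block
            cmap = pmap = cls = None
        if m := re.fullmatch(r"class-map (\S+)", line):
            cmap = m[1]
            class_ports[cmap] = set()
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            pmap = m[1]
            policy_classes[pmap] = set()
        elif m := re.fullmatch(r"service-policy (\S+) (?:global|interface \S+)", line):
            applied.add(m[1])
        elif cmap and line == "match default-inspection-traffic":
            # Default SIP inspection port is 5060 on both transports.
            class_ports[cmap] |= {("tcp", 5060, 5060), ("udp", 5060, 5060)}
        elif cmap and (m := re.fullmatch(
                r"match port (tcp|udp) (?:eq (\d+)|range (\d+) (\d+))", line)):
            class_ports[cmap].add((m[1], int(m[2] or m[3]), int(m[2] or m[4])))
        elif pmap and (m := re.fullmatch(r"class (\S+)", line)):
            cls = m[1]
        elif pmap and cls and line.split()[:2] == ["inspect", "sip"]:
            policy_classes[pmap].add(cls)
    # Only policy-maps bound by a service-policy line take effect.
    return {r for p in applied for c in policy_classes.get(p, ())
            for r in class_ports.get(c, ())}

def is_inspected(config, proto, port):
    return any(p == proto and lo <= port <= hi
               for p, lo, hi in sip_inspected_ports(config))
```

Run against the constructed config, this reports TCP 5080 as inspected but UDP 5080 as not, since the class-map matches only `tcp`; a PBX signalling over UDP would need a class with `match port udp eq 5080`.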