Cisco ASA – SIP Through ASA Without Inspection

Tags: cisco-asa, firewall, sip

After talking to a few hosted VoIP providers, they all state that "ALG" or SIP inspection (in the case of the Cisco firewall) should be disabled. How is SIP not broken after leaving the firewall over the public Internet when being NAT'd from a private to a public address, if the SIP payload contains a private address that inspection would normally fix up — using the older inspection terminology there 😉? Is STUN or TURN the only way of preventing this breakage, and can I assume that these providers support that, or does that have to be confirmed? Is it not better to have inspection? I know that certain SIP implementations don't add addressing in the application layer, but in these cases they do.

I have SIP inspection enabled and don't see any issues with it. I gain the benefit not only of being able to do a show SIP, but also that the necessary pinholes are dynamically created instead of opening the wide static holes these providers often request. Still, the providers insist that having ALG creates more problems.

Best Answer

We had problems using "ALG" or SIP inspection with SIP clients. The problem was that the ASA was keeping sessions open when the call was terminated.

What was happening was that when we made a second call we had no voice over the call.

Note: we haven't had problems with the provider that was providing VoIP for our SIP trunks.

But... the moment we disabled the SIP inspection in total on the ASA, all SIP clients were working perfectly, and registration to our own SIP server was restored much faster if we had a network disconnect of some kind.

Also, I did lots of research on this on the web, and everywhere you see advice to disable the SIP inspection. I have tried to find a workaround or tune the inspection, but nothing worked as well as just disabling the inspection.

Maybe this is not the best answer, but I couldn't comment yet (just signed up) and maybe my reaction can help in some kind of way.
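The change the answer describes (removing SIP inspection from the ASA's global policy), together with the narrowed static pinholes the question mentions providers asking for, as an added configuration example that is not from either poster. `global_policy` and `inspection_default` are the ASA's default policy-map and class names; the PBX address, provider subnet, public NAT address and RTP port range are placeholders to be replaced with your own values.

```cisco
! --- Before: the ASA default global policy, SIP inspection enabled ---
policy-map global_policy
 class inspection_default
  inspect sip

! --- After: SIP inspection removed, as the answer did ---
policy-map global_policy
 class inspection_default
  no inspect sip

! Confirm SIP is no longer listed among the active inspections
show service-policy inspect sip

! --- Without inspection there are no dynamic pinholes, so open only what the
! --- provider actually needs and restrict the source to the provider's own range.
! Placeholder addresses: replace with your PBX, public IP and provider subnet.
object network PBX_INSIDE
 host 192.168.1.10
 nat (inside,outside) static 198.51.100.10
object network VOIP_PROVIDER
 subnet 203.0.113.0 255.255.255.0

! ASA 8.3+ ACLs reference the real (inside) address, not the translated one.
! SIP signalling (UDP 5060) and the RTP media range from the provider only;
! 10000-20000 is a placeholder, use the range your provider documents.
access-list OUTSIDE_IN extended permit udp object VOIP_PROVIDER object PBX_INSIDE eq 5060
access-list OUTSIDE_IN extended permit udp object VOIP_PROVIDER object PBX_INSIDE range 10000 20000
access-group OUTSIDE_IN in interface outside
```

With inspection off, the private address inside the SIP payload is no longer rewritten by the ASA, so the PBX itself must advertise the public address (its own NAT or external-address setting, or STUN as the question suggests) for calls to carry media.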