Disable SIP ALG -- Cisco Enterprise Print

  • 2


Regarding SIP ALG

Almost all routers include a feature called SIP ALG, and are delivered with this feature enabled by default.

An Application Layer Gateway, or ALG, could help in solving NAT related problems, but in our experience, most ALG implementations are wrong and break SIP.

Leaving SIP ALG enabled not only breaks SIP functionality, but can also impact the RTP audio stream resulting in one-way audio where you can hear the caller, but they can't hear you, or vice versa.

You should disable SIP ALG and configure either port triggering or one-to-one port mapping on the router as appropriate.


Cisco Router Configuration

Configuring SIP ALG for NAT and Firewall is somewhat counter-intuitive in Cisco devices.

To disable the NAT support for SIP, use the no ip nat service sip command as shown in the example below.

Release 12.4 Summary Steps:


  1. Enable privileged .xEC mode.


  2. Enter global configuration mode.

    config t

  3. Disable NAT support for SIP on TCP protocol

    no ip nat service sip tcp port 5060
    no ip nat service sip tcp port 5070

  4. Disable NAT support for SIP on UDP protocol

    no ip nat service sip udp port 5060
    no ip nat service sip udp port 5070

These settings will be lost on next reboot if the updated configuration file is not saved to NVRAM.


SIP Transformations

In order for your Cisco PIX device to work with our service, you will typically need to disable SIP transformations. Enter the following lines on any Cisco router or switch that is performing a NAT on outbound traffic this will disable SIP specific transformations done on packets going through the NAT.

no ip nat service SIP udp port 5060
no ip nat service SIP udp port 5070


Firmware Version

Cisco PIX’s general release software (release 6.1 and 6.2) has a limitation that does not allow SIP processing to be disabled for UDP. Cisco provides a maintenance release to allow the disabling of SIP processing for UDP. The specific release tested is This load can be obtained from Cisco through their normal support channels.


Configuring Cisco PIX 6.x for VoIP Traffic

In order to configure your device for our service, follow these steps:

  1. Once the load is upgraded to, enter the command:

    show configure

  2. You should see the following lines:

    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol sip 5070
    fixup protocol sip udp 5070

  3. To disable SIP processing, enter the commands:

    no fixup protocol sip 5060
    no fixup protocol sip udp 5060
    no fixup protocol sip 5070
    no fixup protocol sip udp 5070

  4. In addition, the RPC timer needs to be extended, or voice path is lost after the default 10 minutes. This can be done by going to the enable prompt and configuring terminal and entering:

    timeout rpc never-time-out

    Then save the config to memory and verify the value by entering:

    sh timeout rpc

    It should display 0:00:0.


Configuring Cisco PIX Firewall Software Version 7.x

In Versions 7.x of the PIX software, fixup has been replaced with inspect. This line can be found in either a global or interface specific policy map. A generic configuration will contain entries like this:

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip

In the example above, you would need to enter configuration mode via the command line and execute the following commands:

class-map inspection_default
policy-map asa_global_fw_policy
no inspect sip



Was this answer helpful?

« Back


ezyexchange  hosted microsoft exchange
ezytel  enterprise-grade hosted PBX
ezycloudsms  2-way cloud SMS
ezybroadband  NBN, wireless or fibre ethernet
ezy365  microsoft 365 licensing
ezywebhosting  enterprise web hosting
ezyssl  build trust, secure your brand
ezydomains  your name in the cloud
ezyreseller  our services, your clients


ezycloud | powered by Digital Hybrid
PO Box 7208, South Penrith, NSW, 2750


Call   1300 882 942
SMS   0409 19 88 66

COPYRIGHT © 2009 -       Digital Hybrid Pty Ltd | really communicate       ACN 139 660 585   |   ABN 37 139 660 585   |   ALL RIGHTS RESERVED WORLDWIDE