Disable SIP ALG -- Cisco Enterprise

 

Regarding SIP ALG

Almost all routers include a feature called SIP ALG, and are delivered with this feature enabled by default.

An Application Layer Gateway, or ALG, could help in solving NAT related problems, but in our experience, most ALG implementations are wrong and break SIP.

Leaving SIP ALG enabled not only breaks SIP functionality, but can also impact the RTP audio stream resulting in one-way audio where you can hear the caller, but they can't hear you, or vice versa.

You should disable SIP ALG and configure either port triggering or one-to-one port mapping on the router as appropriate.

 

Cisco Router Configuration

Configuring SIP ALG for NAT and Firewall is somewhat counter-intuitive in Cisco devices.

To disable the NAT support for SIP, use the no ip nat service sip command as shown in the example below.

Release 12.4 Summary Steps:

 

  1. Enable privileged EXEC mode.

    enable

  2. Enter global configuration mode.

    config t

  3. Disable NAT support for SIP over TCP.

    no ip nat service sip tcp port 5060
    no ip nat service sip tcp port 5070

  4. Disable NAT support for SIP over UDP.

    no ip nat service sip udp port 5060
    no ip nat service sip udp port 5070

These settings will be lost on next reboot if the updated configuration file is not saved to NVRAM.

 

SIP Transformations

In order for your Cisco PIX device to work with our service, you will typically need to disable SIP transformations. Enter the following lines on any Cisco router or switch that is performing NAT on outbound traffic. This disables the SIP-specific transformations applied to packets going through the NAT.

no ip nat service SIP udp port 5060
no ip nat service SIP udp port 5070

 

Firmware Version

Cisco PIX’s general release software (release 6.1 and 6.2) has a limitation that does not allow SIP processing to be disabled for UDP. Cisco provides a maintenance release to allow the disabling of SIP processing for UDP. The specific release tested is 6.2.2.125. This load can be obtained from Cisco through their normal support channels.

 

Configuring Cisco PIX 6.x for VoIP Traffic

In order to configure your device for our service, follow these steps:

  1. Once the load is upgraded to 6.2.2.125, enter the command:

    show configure

  2. You should see the following lines:

    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol sip 5070
    fixup protocol sip udp 5070

  3. To disable SIP processing, enter the commands:

    no fixup protocol sip 5060
    no fixup protocol sip udp 5060
    no fixup protocol sip 5070
    no fixup protocol sip udp 5070

  4. In addition, the RPC timer needs to be extended, or the voice path is lost after the default 10 minutes. To do this, go to the enable prompt, enter configure terminal mode, and enter:

    timeout rpc never-time-out

    Then save the config to memory and verify the value by entering:

    sh timeout rpc

    It should display 0:00:0.

 

Configuring Cisco PIX Firewall Software Version 7.x

In versions 7.x of the PIX software, fixup has been replaced with inspect. The inspect sip line can be found in either a global or an interface-specific policy map. A generic configuration will contain entries like this:

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip

In the example above, you would need to enter configuration mode via the command line and execute the following commands:

policy-map asa_global_fw_policy
class inspection_default
no inspect sip
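
To confirm that the changes in the three procedures above are still in place after a save and reboot, the following added example (not part of the original article and not Cisco tooling) checks saved configuration text for SIP ALG that is still active on IOS, PIX 6.x or PIX 7.x. The function name, the platform selector and the sample configs are constructed for illustration; the IOS check assumes the disabled state is stored as explicit no ip nat service sip lines.

```python
import re

# Transports and ports are the ones this page disables.
IOS_REQUIRED = {(t, p) for t in ("tcp", "udp") for p in (5060, 5070)}
IOS_NO_ALG = re.compile(r"^no ip nat service sip (tcp|udp) port (\d+)$", re.I)
PIX6_FIXUP = re.compile(r"^fixup protocol sip\b", re.I)
PIX7_INSPECT = re.compile(r"^inspect sip\b", re.I)


# platform is a hypothetical selector: "ios", "pix6" or "pix7".
def sip_alg_findings(config_text, platform):
    """Return findings; an empty list means SIP ALG looks disabled."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    if platform == "ios":
        # Assumption: the disabled state is saved as explicit "no ..." lines.
        seen = set()
        for ln in lines:
            m = IOS_NO_ALG.match(ln)
            if m:
                seen.add((m.group(1).lower(), int(m.group(2))))
        return [f"missing: no ip nat service sip {t} port {p}"
                for t, p in sorted(IOS_REQUIRED - seen)]
    if platform == "pix6":
        # A line starting with "no fixup" does not match and is not reported.
        return [f"still enabled: {ln}" for ln in lines if PIX6_FIXUP.match(ln)]
    if platform == "pix7":
        findings, policy, cls = [], None, None
        for ln in lines:
            low = ln.lower()
            if low.startswith("policy-map "):
                policy, cls = ln.split()[-1], None
            elif low.startswith("class "):
                cls = ln.split()[-1]
            elif policy and PIX7_INSPECT.match(ln):
                findings.append(f"still enabled: inspect sip in {policy}/{cls}")
        return findings
    raise ValueError(f"unknown platform: {platform}")


# Constructed sample configs, not captured from real devices.
IOS_SAMPLE = ("no ip nat service sip udp port 5060\nno ip nat service SIP udp port 5070\n"
              "no ip nat service sip tcp port 5060\n")
PIX6_SAMPLE = "no fixup protocol sip 5060\nfixup protocol sip udp 5060\n"
PIX7_SAMPLE = ("policy-map asa_global_fw_policy\n class inspection_default\n"
               "  inspect ftp\n  inspect sip\n")

if __name__ == "__main__":
    for plat, text in (("ios", IOS_SAMPLE), ("pix6", PIX6_SAMPLE), ("pix7", PIX7_SAMPLE)):
        print(plat, sip_alg_findings(text, plat))
```

Run it against the startup configuration rather than the running one to catch changes that were made but never saved.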

 

 



COPYRIGHT © 2009 -       Digital Hybrid Pty Ltd | really communicate       ACN 139 660 585   |   ABN 37 139 660 585   |   ALL RIGHTS RESERVED WORLDWIDE