
Dropping UDP on incoming calls.

Glen_Sauve asked
Medium Priority
Last Modified: 2010-04-12
Trouble with VOIP thru Pix 506e. Getting the following from the Pix:
Deny Udp src outside: dst inside: by access group "svrs_out"
and VOIP giving problems. Voip supplier requirements and Pix config added.
Where am I going wrong?

Quote from VOIP Supplier:
The following are the requirements of the firewall protecting the enterprise network where the IP clients are located.
      Dynamic Stateful Packet Filtering (DSPI) should be present.
      Activate "minimally restricted UDP policy". This allows UDP packets into the enterprise, if and only if they are in response to an outgoing UDP packet. Other terms used for this are "UDP conversations" and "Transparent Firewall".
      Firewall must also allow RTP and RTCP packets through. If UDP is allowed, by default RTP/RTCP packets will be allowed through. However, screening on RTP/RTCP packets can be done if so chosen.

More specifically to the above rules, the following tables will indicate which ports need to be opened on the firewall to ensure the correct operation of the OneConnect service.

Enterprise Firewall Egress Policy
Source IP   Source Port   Dest IP   Dest Port       Protocol   Use
Any         5060          - .62     5060            UDP
Any         5000          - .62     5000            UDP
Any         5000          - .62     50020           UDP
Any         >1024         - .62     3090            TCP
Any         >1024         - .62     40,000-60,000   UDP
Any         >1024         - .62     80              TCP
Any         >1024         - .62     443             TCP

 Also added per instructions:
no fixup sip lines

Current Pix Config with some items removed for clarity:
:  Mar 31, 2006 Mississauga Pix506
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password F1mqABN1rE9hwHjy encrypted
passwd E/Uylb/Ss2iBa1Xg encrypted
hostname testpix
domain-name testpix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name 192.xxx.xxx.205   Web
name 192.xxx.xxx.212 SystemLogging
name 192.xxx.xxx.200 DevelopementSvr
access-list svrs_out permit tcp any host 192.xxx.xxx.180 eq www
access-list svrs_out permit esp any host 192.xxx.xxx.181
access-list svrs_out permit udp any host 192.xxx.xxx.181 eq isakmp
access-list svrs_out permit icmp any any echo-reply
access-list localtovpnclient permit ip 192.xxx.xxx.0 192.xxx.xx1.33.0
access-list nonatinside permit ip any 192.xxx.xx1..0
access-list nonatinside permit ip 192.xxx.xxx.0 192.xxx.xx1..0
access-list nonatinside permit ip 192.xxx.xxx.0 192.xxx.xx2.0
access-list outside_cryptomap_dyn_30 permit ip any 192.xxx.xx1..0
access-list todowntown permit ip 192.xxx.xxx.0 192.xxx.xx2.0
access-list outside_cryptomap_dyn_20 permit ip any 192.xxx.xx1..0
access-list outside_cryptomap_dyn_20 permit ip any 192.xxx.xx1.33.0
pager lines 24
logging on
logging timestamp
logging console critical
logging trap informational
logging host inside  
logging host inside SystemLogging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside 192.xxx.xxx.3
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 192.xxx.xx1..1-192.xxx.xx1..99
ip local pool newvpnpool 192.xxx.xx1..100-192.xxx.xx1..124
ip local pool vpn1clientpool 192.xxx.xx1.33.10-192.xxx.xx1.33.99
pdm location inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0 0
static (inside,outside)   Web netmask 0 0
access-group svrs_out in interface outside
route outside 1
timeout conn 0:05:00 half-closed 0:05:00 udp 0:02:00 rpc 0:00:00 h225 0:00:01
timeout h323 0:05:00 mgcp 0:05:00 sip 0:15:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:01:00 absolute uauth 0:01:00 inactivity
timeout xlate 0:01:30
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.xxx.xx1..0 inside
http Peter inside
http inside
http DevelopementSvr inside
http SystemLogging inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
service resetinbound
telnet DevelopementSvr inside
telnet SystemLogging inside
telnet inside
telnet timeout 5
ssh outside
ssh outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80


> Deny Udp src outside: dst inside: by access group "svrs_out"
This is a packet being denied. It is from the normal SIP port on your provider back to your server. It is probably being denied because the udp or xlate session timeout has expired so the PIX has forgotten about the connection.

What are you trying to do?
Generally you are best off using the pix fixup for sip. In your current configuration you have no incoming rules for the RTP voice traffic which could result in no inbound audio in some situations.


VoIP client required:
no fixup protocol sip 5060
no fixup protocol sip udp 5060
which have been entered in the config.
What kind of rules for incoming RTP voice traffic?
I do get no inbound audio in some situations.
Also the ip range for the VOIP
Why am I getting deny udp from this range?
Can I use PDM to create a group and the rule required as I am
not 'fluent' in command line but can use it.
How can I increase the udp/xlate session timeout?

What are you using as the client?
Does the client always have a fixed IP address?


Clients are Nortel phones and softclients to sync/manage. [They tell me the softclient definitely needs the udp port to function.]
Phone ip address gets assigned from the dhcp server [I think... checking now].
To get this working properly with the setup you have been told to use:
1) Every phone and soft client will have to have a fixed IP address on the network.
2) Every phone/client will have to have a unique range of RTP ports to use assigned to it.
3) Every phone/client will have to be configured to use the public IP address within its SIP messages.
4) You will need the firewall configured to forward the RTP replies back to the clients depending on the destination port.
This is a lot of work and may be impractical or even impossible depending on the configuration options you have on the phones.

These problems arise simply because the SIP protocol is not friendly with NAT devices. There is a service called a STUN (also known as a proxy server) which helps to avoid a lot of these problems.

Or you could make use of the pix's 'fixup protocol sip' which is designed to avoid all these problems altogether.

As they are telling you to disable the fixup and basically turn the PIX into a dumb firewall as far as SIP is concerned, your provider should really tell you how to configure it. The information they have provided is simply inadequate.


We've changed the timeout value on the softclient to less than the Pix. [Good observation grblades]. I'm hunching the pix times out before the client does and the client is assuming the session is still live but the pix is saying it's over. Seems to work but we'll monitor it for a while and see. Apparently in this type of setup the softclient takes over from the phone [hence phone works alone but not with client] and the problem arises when the sync between client/phone tries to take place.
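As an added illustration (this is not code from the thread, from Cisco or from the provider), the Python model below shows the mechanism behind grblades' diagnosis and the asker's eventual fix: an inbound UDP packet from the provider is only permitted while the PIX still holds both the UDP connection entry and the PAT xlate created by an earlier outbound packet. Both are idle timers; in the posted config they are `udp 0:02:00` and `timeout xlate 0:01:30`, and the xlate value is below the PIX 6.3 default of 3:00:00. Once either entry has aged out, the packet is judged against the outside access-group alone and denied. The addresses, the 50 ms provider reply delay and the keepalive intervals are constructed for the example; the log line format is modelled on the message quoted in the question.

```python
# Added example (not from the thread): a model of the PIX 6.3 UDP connection and
# xlate idle timers, showing why an inbound UDP packet from the VoIP provider is
# denied by the outside access-group once the timers have expired.

from dataclasses import dataclass, field


def parse_timeout(text: str) -> int:
    """Convert the PIX 'h:mm:ss' timeout notation (e.g. '0:01:30') to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


@dataclass(frozen=True)
class Packet:
    t: float         # seconds since the start of the scenario
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    inside: tuple    # (ip, port) of the phone/softclient on the inside
    outside: tuple   # (ip, port) of the provider on the outside


@dataclass
class PixUdpModel:
    udp_timeout: int      # seconds, from 'timeout conn ... udp h:mm:ss'
    xlate_timeout: int    # seconds, from 'timeout xlate h:mm:ss'
    conns: dict = field(default_factory=dict)   # flow -> time of last packet
    xlates: dict = field(default_factory=dict)  # inside (ip, port) -> time of last packet
    log: list = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Both tables are idle timers: an entry disappears once no packet in
        # either direction has refreshed it within its timeout.
        self.conns = {k: v for k, v in self.conns.items() if now - v <= self.udp_timeout}
        self.xlates = {k: v for k, v in self.xlates.items() if now - v <= self.xlate_timeout}

    def handle(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        flow = (pkt.inside, pkt.outside)
        if pkt.direction == "out":
            # Outbound traffic from the higher-security interface creates (or
            # refreshes) the PAT translation and the UDP connection entry.
            self.xlates[pkt.inside] = pkt.t
            self.conns[flow] = pkt.t
            return "permit"
        # Inbound is permitted only as the return half of a live UDP "conversation".
        if flow in self.conns and pkt.inside in self.xlates:
            self.conns[flow] = pkt.t
            self.xlates[pkt.inside] = pkt.t
            return "permit"
        # Otherwise the packet is checked against the outside ACL alone, which
        # has no rule for it; the log line mirrors the message in the question.
        self.log.append(
            f'{pkt.t:8.2f}s Deny udp src outside:{pkt.outside[0]}/{pkt.outside[1]} '
            f'dst inside:{pkt.inside[0]}/{pkt.inside[1]} by access group "svrs_out"'
        )
        return "deny"


def run_scenario(udp_timeout: str, xlate_timeout: str,
                 keepalive_interval: float, provider_packet_at: float) -> str:
    """The client sends a SIP keepalive every keepalive_interval seconds and the
    provider answers 50 ms later; at provider_packet_at the provider sends an
    unsolicited packet (e.g. an incoming call). Returns the PIX decision for it."""
    pix = PixUdpModel(parse_timeout(udp_timeout), parse_timeout(xlate_timeout))
    client = ("192.0.2.10", 5060)        # constructed, RFC 5737 documentation range
    provider = ("203.0.113.62", 5060)    # constructed, RFC 5737 documentation range
    t = 0.0
    while t < provider_packet_at:
        pix.handle(Packet(t, "out", client, provider))
        pix.handle(Packet(t + 0.05, "in", client, provider))
        t += keepalive_interval
    return pix.handle(Packet(provider_packet_at, "in", client, provider))


if __name__ == "__main__":
    # Timers as in the posted config: udp 0:02:00, xlate 0:01:30.
    # Client keepalive longer than the PIX timers: the provider's packet is denied.
    print(run_scenario("0:02:00", "0:01:30", keepalive_interval=180, provider_packet_at=170))
    # The asker's fix: client keepalive shorter than the PIX timers.
    print(run_scenario("0:02:00", "0:01:30", keepalive_interval=60, provider_packet_at=170))
    # The other option: raise the PIX timers above the client's interval.
    print(run_scenario("0:05:00", "3:00:00", keepalive_interval=180, provider_packet_at=170))
```

The two remedies the thread arrives at correspond to the last two calls: either the client refreshes the flow more often than the shortest PIX timer, or the PIX timers are raised above the client's interval (in PIX 6.3 syntax, `timeout xlate 3:00:00` and `timeout udp 0:05:00`). Note that this only keeps an already-established conversation alive; a provider-initiated packet with no preceding outbound traffic is still denied under PAT, which is the point of the expert's reply about needing either the SIP fixup or per-client static mappings.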
