Get access to free VOIP training. Sign up below.

SIP ALG – Cisco ASA (Version 7)

Most ASAs will have the “inspect sip” statement listed in the default policy-map.   Some service providers will recommend disabling this feature.

1. Log into the ASA through SSH, telnet or the console.

2. Once authenticated, move into “enable mode” by typing “enable”.


ASA> enable


3. Enter your password.

4. Type “show run policy-map”.  This will display all of the relevant details current policy-maps.


ASA# sh run policy-map
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy <——————- “global_policy” is the name of the policy-map used here.
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp


5. If you see the “inspect sip” statement the ASA will keep track of the UDP ports used for call control (default of 5060). It will also keep track of the UDP ports used by RTP (audio packets).

6. If your service provider recommends turning this feature on, then make no changes.

7. If the feature needs to be disabled and your policy-map is named “global_policy” you can use the below script.  You MUST be in enable mode to copy and past this.



configure terminal

policy-map global_policy
class inspection_default
no inspect sip
write mem


One thought on “SIP ALG – Cisco ASA (Version 7)

  1. you can also disable this through the GUI/ASDM screen by going to :
    (first make a backup of your current config)
    – Configuration
    – Firewall
    – Service Policy Rules
    – Edit the default global policy
    – Under Rule Actions -> Policy Inspection… Uncheck SIP

Comments are closed.