Help! - Cisco PIX - breaks SIP Digest authentication

Archived from groups: comp.dcom.voice-over-ip (More info?)

Hi

I have a SIP proxy server behind a Cisco PIX box, and need external
UAs to be able to place calls through it. Since the SIP proxy handles
the required address translations, I do not need the PIX to do any
fixup. I have therefore disabled the fixup in the configuration file.

However, the PIX is still insisting on replacing the IP address in the
URI part of the digest authentication header. Since the URI forms part
of the data over which the MD5 digest is calculated, this in turn
invalidates the authentication response and authentication fails.

If I connect the proxy directly to the internet (i.e. bypass the PIX),
then the authentication works fine.

Is there any way to stop the PIX interferring here? It appears that
there is no way to disable the SIP fixup for UDP-encapsulated SIP - I
found this on the Cisco site...

'Application inspection of UDP for SIP is always enabled—it is
currently not configurable.'

If this is the case, how can digest authentication for SIP ever work
through a PIX?

Mike