Cisco ASA SIP/RTP inspection question I have following scenario: [VoIP phone]--------[ASA 5550]----------[SIP Server] * VoIP phone: 10.0.0.10 * SIP server: Public Address Question: 1. In above scenario do i need to specify or open RTP port range `10000-20000` on ASA or does ASA will use `pinhole` method when VoIP phone initiate connection to SIP server? 2. How does firewall handle UDP port stat? because in TCP we know its stateful but how does firewall understand its UDP traffic initiated from inside to outside to keep that port open bi-directional traffic? 3. If i enable `SIP Inspection` does that automatically open RTP media port after `SDP` inspection in `INVITE`? 4. what if i do not enable `SIP Inspection` in that case do i need to open full RTP port range to allow outside to inside traffic?

Assuming that your VOIP phone is on remote site and you are connected to firewall through VPN(IKEv1 or IKEv2) connection. Your end terminal is able to reach SIP server on some port 5060,5061 or any other port and successfully registers itself with SIP server.

Then, I think you do not need to explicitly open port for SIP and RTP messages as ASA will automatically create necessary pinholes.