видимо это что-то связанное с этим?
Код:
4. Note that as of version 8.0(2)SR1 the phone sends UDP SIP requests from a high source port. This means that it will send from (for example) source port 50116 to SIP port 5060 on the SIP server. This is acceptable behaviour as per the SIP RFC, but it is different to the Cisco ATA and 7940 SIP software (and many but not all phones) and may have ramifications on your firewall rules if you are expecting the phone to send packets out from source port 5060 as well (as you may have with 7940 and ATAs etc). There are a few phones around which behave in the same way although most don't - this is not a cisco specific behaviour and is NOT a bug.
It seems that the phone drops all control traffic destined for it sent on any port other than port 5060 - and as per the SIP RFCs no server should ever do this anyway, but Asterisk configured with NAT=yes behind a NAT does work this way for return traffic from the server to the phone. This was a major problem as my phone service provider (who have their Asterisk server behind a NAT device) were returning traffic on high ports to my phone which it in turn dropped it. I requested them turn NAT off for my extension, and now my phone works perfectly. Ethereal analysis will show this up as return UDP traffic destined for other than port 5060, and a failure of the phone to register due to it not receiving the return messages from the server requesting the phone authenticate (or if no authentication, the phone will never see a SIP 200 OK message after registering). The problem is further complicated by SIP enabled routers, known as SIP Application Layer Gateway (ALG), under normal conditions, the router will 'smartly' alter outgoing SIP register packets by altering the port within it to match the source port of the device, so the port becomes bound to the device in NAT. So when Cisco 7961 behind a SIP-ALG NAT enabled router send a request to register from port 49521, and requests a reply to 5060, the router will replace the '5060' with '49521'. Your server will then reply to this port, despite setting nat=no, the phone will never receive the data, and will never register. Either disable the ALG in your router, use a non-SIP-ALG router, or use a different port on the server other than 5060. If you control your own asterisk, you can set your firewall to port 5060 from say, port 5061.
но как это пофиксить в фрисвитче? ума не приложу