This topic had previously a different name. I thought I could implement a SIP port access using an ACL rule. Thanks to user Ivan_B I have now learned that the most logical way to allow an incoming SIP VoIP connection is through an internal NAT server.
In my case this will look for SIP and SIPTLS as follow:
nat server 1 protocol tcp global current-interface 5060 inside 192.168.x.x 5060
nat server 2 protocol udp global current-interface 5060 inside 192.168.x.x 5060
nat server 3 protocol tcp global current-interface 5061 inside 192.168.x.x 5061
nat server 4 protocol udp global current-interface 5061 inside 192.168.x.x 5061
Interestingly it seems not possible to define a port range, only single port numbers are allowed. This may be due security concerns. Whatever, my old Comware 3 based 3Com OfficeConnect Gigabit VPN firewall was in this regard more flexible.
Regarding the RTP and UDPTL protocol ports the ALG mechanism should do the job. If that one works as expected, then it will map the needed UDP port dynamically.
Well, I’m sure I’ll try this out extensively. Especially regarding the UDPTL ports I am somewhat skeptical. These ports are used by the T.38 FoIP (Fax over IP) service which reacts often highly sensitive.
If anyone has an additional idea regarding this topic, - I am open to suggestions.