SIP Inspection Overview; Limitations for SIP Inspection - Cisco ASA Series Configuration Manual

Chapter 14
Inspection for Voice and Video Protocols

SIP Inspection Overview

SIP, as defined by the IETF, enables call-handling sessions, particularly two-party audio conferences, or
"calls." SIP works with SDP for call signaling: SDP specifies the ports for the media streams. Using SIP
inspection, the ASA can support any SIP VoIP gateway and VoIP proxy server. SIP and SDP are defined in
the following RFCs:
SIP: Session Initiation Protocol, RFC 3261
SDP: Session Description Protocol, RFC 2327
To support SIP calls through the ASA, the signaling messages must be inspected for the media connection
addresses and media ports, and embryonic connections (pinholes) must be opened for the media, because
while the signaling is sent to a well-known destination port (UDP/TCP 5060), the media streams use
dynamically allocated ports. SIP also embeds IP addresses in the user-data portion of the IP packet, so
inspection must translate those embedded addresses whenever NAT applies to the flow. Note that the
maximum length of the SIP Request-URI that the ASA supports is 255 characters.
Instant Messaging (IM) applications also use SIP extensions (defined in RFC 3428) and SIP-specific
event notifications (RFC 3265). After users initiate a chat session (registration/subscription), the IM
applications use the MESSAGE/INFO methods and 202 Accepted responses when users chat with each
other. For example, two users can be online at any time but not chat for hours. Therefore, the SIP
inspection engine opens pinholes that time out according to the configured SIP timeout value. This value
must be configured at least five minutes longer than the subscription duration. The subscription duration
is defined in the Contact Expires value and is typically 30 minutes.
Because MESSAGE/INFO requests are typically sent using a dynamically allocated port other than port
5060, they must go through the SIP inspection engine.
Note
SIP inspection supports the Chat feature only. Whiteboard, File Transfer, and Application Sharing are
not supported. RTC Client 5.0 is not supported.

Limitations for SIP Inspection

SIP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0,
8.6, and 10.5. It is not supported for CUCM 8.5 or 9.x. SIP inspection might work with other releases
and products, but those combinations are untested.
SIP inspection applies NAT to embedded IP addresses. However, if you configure NAT to translate both
source and destination addresses (twice NAT), the external address (the "From" field in the SIP header of
the "Trying" response message) is not rewritten. Thus, you should use object NAT when working with SIP
traffic so that you avoid translating the destination address.
The following limitations and restrictions apply when using PAT with SIP:
If a remote endpoint tries to register with a SIP proxy on a network protected by the ASA, the
registration fails under very specific conditions, as follows:
PAT is configured for the remote endpoint.
The SIP registrar server is on the outside network.
The port is missing in the Contact field in the REGISTER message sent by the endpoint to the
proxy server.
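The conditions described above (media ports announced in SDP, the 255-character Request-URI limit, the SIP timeout margin over the Contact expires value, and the missing-port Contact that breaks REGISTER through PAT) can be exercised offline. The following Python script is an added example written for this page; it is not Cisco code and does not reproduce the ASA inspection engine. It parses two constructed SIP messages and reports what an inspection engine would have to act on, including the `timeout sip` value that honours the five-minute margin. The function names, the sample messages, and the `pat_for_endpoint` and `registrar_outside` flags (which stand in for the ASA's NAT and interface state) are this example's own assumptions.

```python
# Added example for this page (not Cisco code): offline checks that mirror what the
# ASA SIP inspection engine has to look at, run over constructed sample messages.
import re

MAX_REQUEST_URI_LEN = 255     # manual: longest Request-URI the ASA supports
TIMEOUT_MARGIN = 5 * 60       # manual: SIP timeout must exceed the subscription by 5 min

def parse_sip(raw):
    """Split a SIP message into its start line, headers (names lower-cased) and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0], "headers": headers, "body": body}

def request_uri(msg):
    """Request-URI of a request; None for a response, whose start line is a status line."""
    parts = msg["start_line"].split(" ", 2)
    if len(parts) != 3 or parts[0].startswith("SIP/"):
        return None
    return parts[1]

def request_uri_ok(msg):
    """True when the Request-URI is within the length the ASA supports."""
    uri = request_uri(msg)
    return uri is not None and len(uri) <= MAX_REQUEST_URI_LEN

def contact_hostport(contact):
    """host[:port] from the URI inside a Contact header value, or None."""
    m = re.search(r"sips?:(?:[^@>;\s]*@)?([^;>?\s]+)", contact)
    return m.group(1) if m else None

def contact_has_port(contact):
    """True when the Contact URI names an explicit port (the PAT-registration condition)."""
    hp = contact_hostport(contact)
    if hp is None:
        return False
    if hp.startswith("["):                          # IPv6 literal: [addr]:port
        return re.fullmatch(r"\[[^\]]+\]:\d+", hp) is not None
    return re.fullmatch(r"[^:]+:\d+", hp) is not None

def contact_expires(msg):
    """Registration/subscription duration: Contact ;expires param, else the Expires header."""
    for c in msg["headers"].get("contact", []):
        m = re.search(r";expires=(\d+)", c)
        if m:
            return int(m.group(1))
    exp = msg["headers"].get("expires")
    return int(exp[0]) if exp else None

def sdp_media_ports(msg):
    """Ports announced in SDP m= lines: the dynamically chosen media ports inspection must pinhole."""
    ports = []
    for line in msg["body"].split("\n"):
        if line.startswith("m="):
            ports.append(int(line.split()[1].split("/")[0]))   # "49170" or "49170/2"
    return ports

def recommended_sip_timeout(expires_seconds):
    """Value for the ASA 'timeout sip hh:mm:ss' command that keeps the five-minute margin."""
    h, rem = divmod(expires_seconds + TIMEOUT_MARGIN, 3600)
    m, s = divmod(rem, 60)
    return f"{h}:{m:02d}:{s:02d}"

def register_fails_through_pat(msg, pat_for_endpoint, registrar_outside):
    """All three conditions the manual lists for a REGISTER that fails through PAT.
    pat_for_endpoint / registrar_outside are assumed flags standing in for ASA state."""
    if not msg["start_line"].startswith("REGISTER "):
        return False
    contacts = msg["headers"].get("contact", [])
    missing_port = any(not contact_has_port(c) for c in contacts)
    return bool(pat_for_endpoint and registrar_outside and missing_port)

REGISTER_NO_PORT = (        # constructed sample: endpoint omits the port in Contact
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.5;branch=z9hG4bK776\r\nFrom: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:alice@example.com>\r\nCall-ID: a84b4c76e66710\r\nCSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@10.1.1.5>;expires=1800\r\nContent-Length: 0\r\n\r\n"
)
INVITE_WITH_SDP = (         # constructed sample: SDP carries the dynamically chosen media port
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.5;branch=z9hG4bK777\r\nFrom: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66711\r\nCSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 10.1.1.5\r\ns=-\r\n"
    "c=IN IP4 10.1.1.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    reg, inv = parse_sip(REGISTER_NO_PORT), parse_sip(INVITE_WITH_SDP)
    print("Request-URI within limit:", request_uri_ok(reg))
    print("media ports to pinhole:", sdp_media_ports(inv))
    print("timeout sip", recommended_sip_timeout(contact_expires(reg)))
    print("REGISTER fails through PAT:", register_fails_through_pat(reg, True, True))
```

Run as a script, the REGISTER sample reproduces the failing case because its Contact carries no port; adding `:5060` to the Contact URI clears it, and the 30-minute expires value yields `timeout sip 0:35:00`, the smallest setting that satisfies the five-minute rule.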
Cisco ASA Series Firewall CLI Configuration Guide