Cisco ASA Series Firewall CLI Configuration Guide: Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 14: Inspection for Voice and Video Protocols, SIP Inspection (page 14-24)

If a SIP device transmits a packet in which the SDP portion has an IP address in the owner/creator field (o=) that is different from the IP address in the connection field (c=), the IP address in the o= field may not be properly translated. This is due to a limitation in the SIP protocol, which does not provide a port value in the o= field.

When using PAT, any SIP header field that contains an internal IP address without a port might not be translated, and hence the internal IP address will be leaked outside. If you want to avoid this leakage, configure NAT instead of PAT.

Default SIP Inspection

SIP inspection is enabled by default using the default inspection map, which includes the following:

SIP instant messaging (IM) extensions: Enabled.
Non-SIP traffic on SIP port: Permitted.
Hide server's and endpoint's IP addresses: Disabled.
Mask software version and non-SIP URIs: Disabled.
Ensure that the number of hops to destination is greater than 0: Enabled.
RTP conformance: Not enforced.
SIP conformance: Do not perform state checking and header validation.

Also note that inspection of encrypted traffic is not enabled. You must configure a TLS proxy to inspect encrypted traffic.

Configure SIP Inspection

SIP application inspection provides address translation in message header and body, dynamic opening of ports, and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.

SIP inspection is enabled by default. You need to configure it only if you want non-default processing, or if you want to identify a TLS proxy to enable encrypted traffic inspection. If you want to customize SIP inspection, use the following process.

Procedure

Step 1 Configure SIP Inspection Policy Map, page 14-24
Step 2 Configure the SIP Inspection Service Policy, page 14-28

Configure SIP Inspection Policy Map

You can create a SIP inspection policy map to customize SIP inspection actions if the default inspection behavior is not sufficient for your network.

When defining traffic matching criteria, you can either create a class map or include the match statements directly in the policy map. The following procedure explains both approaches.
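The following ASA CLI fragment is an added example, not configuration from the guide. It ties the two sections above together: a SIP inspection policy map whose parameters reverse each setting listed under Default SIP Inspection in the stricter direction, with traffic matching shown both ways (a class map and match statements written directly in the policy map), and the map applied through the global service policy. The names sip_custom_pmap, sip_hardening_cmap, caller_blocklist and the regex pattern are assumptions chosen for this example; the tls-proxy name is a placeholder, and the TLS proxy itself must be configured separately.

```text
! Added example, not from the Cisco guide. Names sip_hardening_cmap,
! sip_custom_pmap and caller_blocklist are assumptions for this example.

! A regular expression must exist before a match statement references it.
! The pattern is a constructed sample for a domain you never expect to see.
regex caller_blocklist "sip:.*@badexample\.invalid"

! Approach 1: a class map that bundles several match criteria.
! match-all requires every criterion to match; match-any requires only one.
class-map type inspect sip match-all sip_hardening_cmap
 match request-method invite
 match content type sdp

policy-map type inspect sip sip_custom_pmap
 ! Approach 2: match statements written directly in the policy map,
 ! each followed by the action to take.
 match calling-party regex caller_blocklist
  drop-connection log
 ! Reference the class map from approach 1 and log what it matches.
 class sip_hardening_cmap
  log
 ! Each parameter below changes one of the listed defaults.
 parameters
  ! IM extensions: Enabled -> disabled (only if your phones do not use SIP IM)
  no im
  ! Non-SIP traffic on SIP port: Permitted -> dropped
  no traffic-non-sip
  ! Hide server's and endpoint's IP addresses: Disabled -> enabled
  ip-address-privacy
  ! Mask software version and non-SIP URIs: Disabled -> masked
  software-version action mask
  uri-non-sip action mask
  ! Hops-to-destination check stays enabled; violations are dropped and logged
  max-forwards-validation action drop log
  ! RTP conformance: Not enforced -> enforced, including payload type
  rtp-conformance enforce-payloadtype
  ! SIP conformance: state checking and header validation turned on
  state-checking action drop log
  strict-header-validation action drop log

! Step 2 (page 14-28) applies the map; the default global policy is shown.
! Appending "tls-proxy <proxy-name>" to the inspect line is how a TLS proxy
! is identified so that encrypted SIP can be inspected (placeholder name).
policy-map global_policy
 class inspection_default
  inspect sip sip_custom_pmap
```

Every parameter line is independent, so remove the ones that conflict with your environment (for example, keep im if endpoints rely on SIP instant messaging). Starting with the log action rather than drop on the conformance checks lets you review syslog for false positives before enforcing. Note that ip-address-privacy masks addresses in SIP headers; it is not a substitute for the NAT-instead-of-PAT advice given for the o= field and port-less header limitations above.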