Configuring A Sip Inspection Policy Map For Additional Inspection Control - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 25
Configuring Application Layer Protocol Inspection
As a call is set up, the SIP session is in the "transient" state until the media address and media port is
received from the called endpoint in a Response message indicating the RTP port the called endpoint
listens on. If there is a failure to receive the response messages within one minute, the signaling
connection is torn down.
Once the final handshake is made, the call state is moved to active and the signaling connection remains
until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface
to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified
in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside
interface does not traverse the security appliance, unless the security appliance configuration
specifically allows it.
Configuring a SIP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create a SIP inspection policy map. You can
then apply the inspection policy map when you enable SIP inspection according to the
Application Inspection" section on page
To create a SIP inspection policy map, perform the following steps:
Step 1
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
"Creating a Regular Expression" section on page
commands described in
(Optional) Create one or more regular expression class maps to group regular expressions according to
Step 2
the
(Optional) Create a SIP inspection class map by performing the following steps.
Step 3
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map. You can alternatively identify match commands directly in the policy map. The difference
between creating a class map and defining the traffic match directly in the inspection policy map is that
the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string "example.com," then any traffic that includes "example.com"
does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop-connection, reset,
and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly
in the policy map.
a.
b.
OL-12172-03
Step
3.
"Creating a Regular Expression Class Map" section on page
Create the class map by entering the following command:
hostname(config)# class-map type inspect sip [match-all | match-any] class_map_name
hostname(config-cmap)#
Where the class_map_name is the name of the class map. The match-all keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword
specifies that the traffic matches the class map if it matches at leX( The CLI enters class-map
configuration mode, where you can enter one or more match commands.
(Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
25-5.
21-6. See the types of text you can match in the match
21-9.s
Cisco Security Appliance Command Line Configuration Guide
SIP Inspection
"Configuring
25-67
Advertisement
Table of Contents
Troubleshooting
