Cisco ASA 5505 Configuration Manual page 870

Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), Chapter 38, Configuring Inspection for Voice and Video Protocols, page 38-24

SIP Inspection

This section includes the following topics (continued from the previous page):
• Add/Edit SIP Policy Map (Security Level), page 38-31
• Add/Edit SIP Policy Map (Details), page 38-32
• Add/Edit SIP Inspect, page 38-34

SIP Inspection Overview

SIP, as defined by the IETF, enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works together with SDP: the SDP body carried in SIP signaling messages specifies the addresses and ports for the media streams. Using SIP inspection, the adaptive security appliance can support any SIP VoIP gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:
• SIP: Session Initiation Protocol, RFC 3261
• SDP: Session Description Protocol, RFC 2327

To support SIP calls through the adaptive security appliance, the signaling messages must be inspected to learn the media connection addresses and media ports and to open embryonic connections (pinholes) for the media, because while the signaling is sent to a well-known destination port (UDP/TCP 5060), the media streams use dynamically allocated ports. Also, SIP embeds IP addresses in the user-data portion of the IP packet, not only in the IP header; SIP inspection applies NAT to these embedded IP addresses as well.

The following limitations and restrictions apply when using PAT with SIP:
• If a remote endpoint tries to register with a SIP proxy on a network protected by the adaptive security appliance, the registration fails under very specific conditions, as follows:
  – PAT is configured for the remote endpoint.
  – The SIP registrar server is on the outside network.
  – The port is missing in the Contact field of the REGISTER message sent by the endpoint to the proxy server.
• If a SIP device transmits a packet in which the SDP portion has an IP address in the owner/creator field (o=) that is different from the IP address in the connection field (c=), the IP address in the o= field may not be properly translated. This is due to a limitation of the SDP format, which does not carry a port value in the o= field, so there is no port with which to look up the PAT translation.

SIP Instant Messaging

Instant Messaging refers to the transfer of messages between users in near real time. SIP inspection supports the Chat feature of Windows Messenger RTC Client version 4.7.0105 on Windows XP only. The MESSAGE/INFO methods and the 202 Accepted response are used to support IM as defined in the following RFCs:
• Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
• Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428

MESSAGE/INFO requests can arrive at any time after registration/subscription. For example, two users can be online at the same time but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value. This value must be configured at least five minutes longer than the subscription duration. The subscription duration is defined by the Expires value in the Contact header and is typically 30 minutes.
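The following is an added example, not code from the Cisco guide, that models what SIP inspection has to do with a message crossing a PAT boundary: parse the SIP headers and the SDP body, derive the media pinholes (the RTP port from each m= line plus the RTCP port one above it, toward the c= address), rewrite the inside address and ports embedded in Via, Contact, c=, o= and m=, and flag the two PAT limitations described above (a REGISTER whose Contact has no port, and an o= address that differs from c= and therefore has no port to map). The SIP messages, the addresses and the PAT port map are constructed for the example; the port map stands in for the xlates the appliance is assumed to have allocated, and the o= handling (reuse the c= translation when the addresses match, otherwise leave o= alone) is this model's simplification of the behaviour the guide describes.

```python
"""Model of ASA SIP inspection on a PAT boundary (added example; all data constructed)."""
import re
from dataclasses import dataclass


@dataclass
class SipMessage:
    start_line: str
    headers: dict   # lowercased header name -> value
    body: str


def parse_sip(raw: str) -> SipMessage:
    """Split a CRLF-framed SIP message into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipMessage(lines[0], headers, body)


def sdp_fields(body: str) -> dict:
    """Pull the o= and c= addresses and every m= port out of an SDP body."""
    info = {"o_addr": None, "c_addr": None, "media_ports": []}
    for line in body.split("\r\n"):
        if line.startswith("o="):        # o=<user> <sess-id> <version> IN IP4 <addr>
            info["o_addr"] = line.split()[-1]
        elif line.startswith("c="):      # c=IN IP4 <addr>
            info["c_addr"] = line.split()[-1]
        elif line.startswith("m="):      # m=<media> <port> <proto> <fmt> ...
            info["media_ports"].append(int(line.split()[1]))
    return info


def media_pinholes(body: str) -> list:
    """Pinholes inspection opens for media: each m= port (RTP) and port+1 (RTCP) to c=."""
    info = sdp_fields(body)
    return [(info["c_addr"], p + i) for p in info["media_ports"] for i in (0, 1)]


def pat_translate(msg: SipMessage, inside_ip: str, mapped_ip: str, port_map: dict):
    """Rewrite inside_ip and its ports (via port_map, the assumed xlates) where SIP embeds
    them: Via, Contact, c=, o=, m=. Returns (new message, warnings for PAT limitations)."""
    warnings = []
    host_port = re.compile(rf"{re.escape(inside_ip)}(?::(\d+))?")

    def swap(m):  # host alone -> PAT address; host:port -> PAT address:xlated port
        if m.group(1) is None:
            return mapped_ip
        return f"{mapped_ip}:{port_map[int(m.group(1))]}"

    headers = dict(msg.headers)
    if msg.start_line.startswith("REGISTER") and "contact" in headers:
        if not re.search(rf"{re.escape(inside_ip)}:\d+", headers["contact"]):
            warnings.append("REGISTER Contact has no port: registration through PAT fails")
    for h in ("via", "contact"):
        if h in headers:
            headers[h] = host_port.sub(swap, headers[h])

    info = sdp_fields(msg.body)
    out = []
    for line in msg.body.split("\r\n"):
        if line.startswith("c=") and info["c_addr"] == inside_ip:
            line = line.replace(inside_ip, mapped_ip)
        elif line.startswith("o=") and info["o_addr"] == inside_ip:
            if info["o_addr"] == info["c_addr"]:
                line = line.replace(inside_ip, mapped_ip)   # reuse the c= translation
            else:
                warnings.append("o= address differs from c= and has no port: left untranslated")
        elif line.startswith("m="):
            parts = line.split()
            parts[1] = str(port_map[int(parts[1])])         # media port gets its own xlate
            line = " ".join(parts)
        out.append(line)
    return SipMessage(msg.start_line, headers, "\r\n".join(out)), warnings


def required_sip_timeout(contact_expires_s: int) -> int:
    """IM pinholes must outlive the subscription: SIP timeout >= Expires + 5 minutes."""
    return contact_expires_s + 5 * 60


# Constructed sample traffic: inside phone 10.1.1.5 behind PAT address 198.51.100.1.
INSIDE, PAT_IP = "10.1.1.5", "198.51.100.1"
PORT_MAP = {5060: 1024, 49170: 1030, 49171: 1031}       # constructed xlates
SDP = "\r\n".join(["v=0", f"o=alice 2890844526 2890844526 IN IP4 {INSIDE}", "s=-",
                   f"c=IN IP4 {INSIDE}", "t=0 0", "m=audio 49170 RTP/AVP 0",
                   "a=rtpmap:0 PCMU/8000"]) + "\r\n"
INVITE = "\r\n".join(["INVITE sip:bob@203.0.113.10 SIP/2.0",
                      f"Via: SIP/2.0/UDP {INSIDE}:5060;branch=z9hG4bK776asdhds",
                      "From: <sip:alice@203.0.113.10>;tag=1928301774",
                      "To: <sip:bob@203.0.113.10>", "Call-ID: a84b4c76e66710",
                      "CSeq: 314159 INVITE", f"Contact: <sip:alice@{INSIDE}:5060>",
                      "Content-Type: application/sdp", f"Content-Length: {len(SDP)}",
                      "", SDP])
REGISTER = "\r\n".join(["REGISTER sip:203.0.113.10 SIP/2.0",
                        f"Via: SIP/2.0/UDP {INSIDE}:5060;branch=z9hG4bK8d1",
                        "From: <sip:alice@203.0.113.10>;tag=77",
                        "To: <sip:alice@203.0.113.10>", "Call-ID: 1f2d", "CSeq: 1 REGISTER",
                        f"Contact: <sip:alice@{INSIDE}>;expires=1800",   # no port: PAT limitation
                        "Content-Length: 0", "", ""])

if __name__ == "__main__":
    inv = parse_sip(INVITE)
    print("pinholes:", media_pinholes(inv.body))
    xlated, warns = pat_translate(inv, INSIDE, PAT_IP, PORT_MAP)
    print("contact:", xlated.headers["contact"], "| sdp:", sdp_fields(xlated.body), warns)
    print("register:", pat_translate(parse_sip(REGISTER), INSIDE, PAT_IP, PORT_MAP)[1])
    print("timeout sip must be >=", required_sip_timeout(1800), "seconds")
```

Running the script shows the INVITE leaving with Contact and Via rewritten to 198.51.100.1:1024, c= and o= rewritten to the PAT address and m= pointing at the translated media port, while the REGISTER is flagged because its Contact carries no port; the last line gives 2100 seconds, the minimum SIP timeout for a 30-minute subscription.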

This manual is also suitable for: ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580.
