Cisco ASA 5506-X Configuration Manual page 217

Chapter 8
Inspection for Voice and Video Protocols
As a call is set up, the SIP session is in the "transient" state until the media address and media port are received from the called endpoint in a Response message indicating the RTP port the called endpoint listens on. If the response messages are not received within one minute, the signaling connection is torn down.
Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface do not traverse the ASA unless the ASA configuration specifically allows it.
Default SIP Inspection
SIP inspection is enabled by default using the default inspection map, which includes the following:
SIP instant messaging (IM) extensions: Enabled.
Non-SIP traffic on SIP port: Permitted.
Hide server's and endpoint's IP addresses: Disabled.
Mask software version and non-SIP URIs: Disabled.
Ensure that the number of hops to destination is greater than 0: Enabled.
RTP conformance: Not enforced.
SIP conformance: Do not perform state checking and header validation.
Also note that inspection of encrypted traffic is not enabled. You must configure a TLS proxy to inspect encrypted traffic.
Configure SIP Inspection
SIP application inspection provides address translation in the message header and body, dynamic opening of ports, and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of SIP messages and detect SIP-based attacks.
SIP inspection is enabled by default. You need to configure it only if you want non-default processing, or if you want to identify a TLS proxy to enable encrypted traffic inspection. If you want to customize SIP inspection, use the following process.
Procedure
Step 1 Configure SIP Inspection Policy Map, page 8-25
Step 2 Configure the SIP Inspection Service Policy, page 8-29
Configure SIP Inspection Policy Map
You can create a SIP inspection policy map to customize SIP inspection actions if the default inspection behavior is not sufficient for your network.
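As an added example that is not part of the Cisco guide, the following SIP inspection policy map tightens each of the defaults listed above and replaces the default SIP inspection in the global service policy. The map name sip_strict is an assumption; the parameter commands are the ASA's own SIP inspection policy map parameters.

```cisco
! Added example (not from the Cisco guide): a SIP inspection policy map
! that changes the defaults listed under Default SIP Inspection.
! The map name sip_strict is an illustrative assumption.
policy-map type inspect sip sip_strict
 parameters
  ! Default: enabled. Keep IM extensions.
  im
  ! Default: permitted. Stop non-SIP traffic on the SIP port.
  no traffic-non-sip
  ! Default: disabled. Hide server and endpoint IP addresses.
  ip-address-privacy
  ! Default: disabled. Mask the software version and non-SIP URIs, and log.
  software-version action mask log
  uri-non-sip action mask log
  ! Default: enabled. Drop messages whose Max-Forwards has reached 0.
  max-forwards-validation action drop log
  ! Default: not enforced. Check RTP packets, including the payload type.
  rtp-conformance enforce-payloadtype
  ! Default: not performed. Enforce SIP state checking and header validation.
  state-checking action drop-connection log
  strict-header-validation action drop log
!
! Replace the default SIP inspection in the global policy with this map.
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip sip_strict
!
service-policy global_policy global
```

The drop and drop-connection actions are logged so that conformance failures surface in syslog before a stricter setting is rolled out to production call traffic.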
Cisco ASA Series Firewall CLI Configuration Guide
SIP Inspection
8-25
