Cisco ASA 5506-X Configuration Manual page 220

SIP Inspection

To configure parameters that affect the inspection engine, perform the following steps:

Step 5

a. To enter parameters configuration mode, enter the following command:

hostname(config-pmap)# parameters
hostname(config-pmap-p)#

b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:

im—Enables instant messaging.

ip-address-privacy—Enables IP address privacy, which hides the server and endpoint IP addresses.

max-forwards-validation action {drop | drop-connection | reset | log} [log]—Checks the value of the Max-Forwards header, which cannot be zero before reaching the destination. You must also choose the action to take for non-conforming traffic (drop packet, drop connection, reset, or log) and whether to enable or disable logging.

rtp-conformance [enforce-payloadtype]—Checks RTP packets flowing on the pinholes for protocol conformance. The optional enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.

software-version action {mask [log] | log}—Identifies the software version using the Server and User-Agent (endpoint) header fields. You can mask the software version in the SIP messages and optionally log it, or simply log it.

state-checking action {drop | drop-connection | reset | log} [log]—Enables state transition checking. You must also choose the action to take for non-conforming traffic (drop packet, drop connection, reset, or log) and whether to enable or disable logging.

strict-header-validation action {drop | drop-connection | reset | log} [log]—Enables strict verification of the header fields in the SIP messages according to RFC 3261. You must also choose the action to take for non-conforming traffic (drop packet, drop connection, reset, or log) and whether to enable or disable logging.

traffic-non-sip—Allows non-SIP traffic on the well-known SIP signaling port.

trust-verification-server ip ip_address—Identifies Trust Verification Services servers, which enable Cisco Unified IP Phones to authenticate application servers during HTTPS establishment. You can enter the command up to four times to identify four servers. SIP inspection opens pinholes to each server for each registered phone, and the phone decides which to use. Configure the Trust Verification Services server on the CUCM server.

trust-verification-server port number—Identifies the Trust Verification Services port. The default port is 2445, so use this command only if the server uses a different port. The allowed port range is 1026 to 32768.

uri-non-sip action {mask [log] | log}—Identifies the non-SIP URIs present in the Alert-Info and Call-Info header fields. You can mask the information in the SIP messages and optionally log it, or simply log it.

Example

The following example shows how to disable instant messaging over SIP:

hostname(config)# policy-map type inspect sip mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# no im

Cisco ASA Series Firewall CLI Configuration Guide
8-28
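As an added example that is not part of the Cisco guide, the following Python script parses the parameters sub-mode of each policy-map type inspect sip block in a running-config excerpt and reports which of the checks listed above are absent, whether traffic-non-sip is enabled, and where a validation is set only to log rather than drop or reset. The sample config and the policy-map names (lax-sip, hardened-sip) are constructed for the example.

```python
import re
from typing import Dict, List
# Constructed running-config excerpt (not from the manual): a weak and a hardened SIP map.
SAMPLE_CONFIG = """\
policy-map type inspect sip lax-sip
 parameters
  traffic-non-sip
  software-version action log
policy-map type inspect sip hardened-sip
 parameters
  max-forwards-validation action drop log
  software-version action mask log
  state-checking action drop log
  strict-header-validation action drop log
  no traffic-non-sip
"""

def parse_sip_policy_maps(config: str) -> Dict[str, List[str]]:
    """Map each 'policy-map type inspect sip NAME' block to its stripped 'parameters' lines."""
    maps, current, in_params = {}, None, False
    for raw in config.splitlines():
        if raw and not raw[0].isspace():  # a top-level line ends any open block
            m = re.match(r"policy-map type inspect sip (\S+)\s*$", raw)
            current, in_params = (m.group(1) if m else None), False
            if current:
                maps[current] = []
            continue
        line = raw.strip()
        if line == "parameters" and current:
            in_params = True
        elif in_params and line:
            maps[current].append(line)
    return maps

# Checks whose action can drop/reset non-conforming traffic; 'action log' alone only logs it.
BLOCKING = ("strict-header-validation", "state-checking", "max-forwards-validation")

def audit_sip_parameters(params: List[str]) -> List[str]:
    """Return findings for one policy map; an empty list means every check passed."""
    has = lambda prefix: any(p.startswith(prefix) for p in params)
    findings = [f"{k} not enabled" for k in BLOCKING if not has(f"{k} action")]
    if "traffic-non-sip" in params:
        findings.append("traffic-non-sip allows non-SIP traffic on the SIP signaling port")
    if not has("software-version action mask"):
        findings.append("software-version not masked: Server/User-Agent versions are exposed")
    for p in params:
        m = re.match(r"(\S+) action log\b", p)
        if m and m.group(1) in BLOCKING:
            findings.append(f"{m.group(1)} only logs non-conforming traffic, does not block it")
    return findings
```

Run it against the text of show running-config policy-map to get one findings list per SIP inspection policy map.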
Chapter 8
Inspection for Voice and Video Protocols