Ip Address Privacy; Configuring A Sip Inspection Policy Map For Additional Inspection Control - Cisco 7604 Configuration Manual
Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Hide thumbs
Also See for 7604:
- Configuration manual (1011 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
SIP Inspection
IP Address Privacy
When IP Address Privacy is enabled, if any two SIP endpoints participating in an IP phone call or instant
messaging session use the same internal firewall interface to contact their SIP proxy server on an
external firewall interface, all SIP signaling messages go through the SIP proxy server.
IP Address Privacy can be enabled when SIP over TCP or UDP application inspection is enabled. By
default, this feature is disabled. If IP Address Privacy is enabled, the FWSM does not translate internal
and external host IP addresses embedded in the TCP or UDP payload of inbound SIP traffic, ignoring
translation rules for those IP addresses.
You control whether this feature is enabled by using the ip-address-privacy command in SIP map
configuration mode.
Configuring a SIP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create a SIP inspection policy map. You can
then apply the inspection policy map when you enable SIP inspection according to the
Application Inspection" section on page
To create a SIP inspection policy map, perform the following steps:
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
Step 1
"Creating a Regular Expression" section on page
commands described in
Step 2
(Optional) Create one or more regular expression class maps to group regular expressions according to
the
Step 3
(Optional) Create a SIP inspection class map by performing the following steps.
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map if match-all is specified. Traffic must match any one of the match commands to match the
class map if the match-any keyword is used.
You can alternatively identify match commands directly in the policy map. The difference between
creating a class map and defining the traffic match directly in the inspection policy map is that the class
map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string "example.com," then any traffic that includes "example.com"
does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop-connection, reset,
drop, drop-connection log, reset log, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly
in the policy map.
a.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-78
Step
3.
"Creating a Regular Expression Class Map" section on page
Create the class map by entering the following command:
hostname(config)# class-map type inspect sip [match-all | match-any] class_map_name
hostname(config-cmap)#
Where the class_map_name is the name of the class map. The name can be a string up to 40
characters. The match-all keyword is the default, and specifies that traffic must match all criteria to
match the class map if match-all is specified. The match-any keyword specifies that the traffic
matches the class map if any of the match commands in the class map is matched.
Chapter 22
Applying Application Layer Protocol Inspection
22-6.
20-11. See the types of text you can match in the match
20-14.s
"Configuring
OL-20748-01
- Quick Links:
- C H a P T E...
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
