ADTRAN AOS Version R10.1.0 Command Reference Manual page 1006

Adtran operating system (aos)

Command Reference Guide
Global Configuration Mode Command Set
The following example enables ALG for MSN:
(config)#ip firewall alg msn
Technology Review
SIP is one protocol in a suite of protocols that was designed to replace H.323 for IP telephony. SIP
operates in Layer 7 of the OSI model (application level) to create, modify, and terminate sessions between
nodes. SIP not only provides recommendations for IP telephony, but multimedia distribution and
conferences as well. SIP version 1.0 was defined in RFC 2453, and was refined to SIP version 2.0 in
RFC 3261.
SIP operations occur between SIP UAs and SIP servers. Types of SIP servers include proxy, redirect,
registrar, and presence. The part of a SIP UA that sends messages is known as the user agent client
(UAC). The part of a SIP UA that receives messages is known as a user agent server (UAS).
SIP was originally designed for use over User Datagram Protocol (UDP). SIP servers, by default, listen on
port 5060. Due to security concerns, SIP is now transitioning to Transmission Control Protocol (TCP) and
transport layer security (TLS). SIP servers using TLS-over-TCP listen on port 5061. SIP UAs listen on a
range of ports.
SIP uses the Session Description Protocol (SDP) to format the SIP message body in order to negotiate a
Realtime Transport Protocol (RTP)/Realtime Transport Control Protocol (RTCP) connection between two
or more UAs. The ports used for this will always be selected in a pair, with the even port used for RTP and
the odd port for RTCP. SIP, because it uses SDP and RTP, causes many problems for standard firewalls.
Neither SIP nor RTP is guaranteed to be symmetric, thus causing problems for stateful inspection
firewalls that rely on symmetric flows. SIP and SDP carry IP addresses and ports embedded in the packet,
and standard NAT implementations only modify the IP and TCP/UDP headers. A true SIP ALG is required
to modify the packets as needed for NAT, but also to open holes in the firewall as needed for traffic flow
based on the information carried in the SIP header.
Enabling the AOS SIP ALG (using the ip firewall alg sip command) configures the firewall to examine all
SIP packets it identifies and maintain knowledge of SIP transmissions on the network. Since SIP
packet headers include port information for the call setup, the ALG must intelligently read the packets and
remember the information.
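The two jobs described above (rewriting addresses embedded in SIP/SDP and opening the RTP/RTCP pair as pinholes) are sketched below as an added example; it is not ADTRAN's implementation or code from the manual. The function name alg_translate, the sample INVITE and its addresses are constructed, and the sketch assumes a port-preserving NAT and substitutes the inside address wherever it appears in the message.

```python
import re

# Constructed sample: INVITE from a phone behind NAT (private/documentation addresses).
SDP = ("v=0\r\n"
       "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
       "s=-\r\n"
       "c=IN IP4 192.168.1.10\r\n"
       "t=0 0\r\n"
       "m=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
          "From: <sip:alice@example.com>;tag=1928301774\r\n"
          "To: <sip:bob@example.com>\r\n"
          "Call-ID: a84b4c76e66710\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Contact: <sip:alice@192.168.1.10:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)


def alg_translate(msg, inside_ip, outside_ip):
    """Return (rewritten message, pinholes) for one outbound SIP message.

    Hypothetical helper: a plain NAT would only touch the IP/UDP headers,
    leaving the private address in Via, Contact and the SDP o=/c= lines.
    """
    head, _, body = msg.partition("\r\n\r\n")
    # Match the exact address only (not 192.168.1.100, for example).
    addr = re.compile(r"(?<![\d.])" + re.escape(inside_ip) + r"(?![\d.])")
    head, body = addr.sub(outside_ip, head), addr.sub(outside_ip, body)
    # The body length changed, so Content-Length must be recomputed.
    head = re.sub(r"(?im)^(Content-Length:\s*)\d+",
                  lambda m: m.group(1) + str(len(body.encode())), head)
    pinholes = []
    for m in re.finditer(r"(?m)^m=(\w+) (\d+)", body):
        rtp = int(m.group(2))
        if rtp == 0:          # port 0 means the media stream is declined
            continue
        # RTP on the advertised (even) port, RTCP on the next (odd) port.
        pinholes.append((m.group(1), inside_ip, rtp, rtp + 1))
    return head + "\r\n\r\n" + body, pinholes


if __name__ == "__main__":
    rewritten, holes = alg_translate(INVITE, "192.168.1.10", "203.0.113.5")
    print(rewritten)
    for media, host, rtp, rtcp in holes:
        print(f"pinhole: {media} -> {host} udp/{rtp} (RTP), udp/{rtcp} (RTCP)")
```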
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
1006
