8-25
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 Inspection for Voice and Video Protocols
SIP Inspection
As a call is set up, the SIP session is in the “transient” state until the media address and media port is
received from the called endpoint in a Response message indicating the RTP port the called endpoint
listens on. If there is a failure to receive the response messages within one minute, the signaling
connection is torn down.
Once the final handshake is made, the call state is moved to active and the
signaling connection remains
until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface
to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified
in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside
interface does not traverse the ASA, unless the ASA
configuration specifically allows it.
Default SIP Inspection
SIP inspection is enabled by default using the default inspection map, which includes the following:
•
SIP instant messaging (IM) extensions: Enabled.
•
Non-SIP traffic on SIP port: Permitted.
•
Hide server’s and endpoint’s IP addresses: Disabled.
•
Mask software version and non-SIP URIs: Disabled.
•
Ensure that the number of hops to destination is greater than 0: Enabled.
•
RTP conformance: Not enforced.
•
SIP conformance: Do not perform state checking and header validation.
Also note that inspection of encrypted traffic is not enabled. You must configure a TLS proxy to inspect
encrypted traffic.
Configure SIP Inspection
SIP application inspection provides address translation in message header and body, dynamic opening
of ports and basic sanity checks. It also supports application security and protocol conformance, which
enforce the sanity of the SIP messages, as well as detect SIP-based attacks.
SIP inspection is enabled by default. You need to configure it only if you want non-default processing,
or if you want to identify a TLS proxy to enable encrypted traffic inspection. If you want to customize
SIP inspection, use the following process.
Procedure
Step 1
Configure SIP Inspection Policy Map, page 8-25
Step 2
Configure the SIP Inspection Service Policy, page 8-29
Configure SIP Inspection Policy Map
You can create a SIP inspection policy map to customize SIP inspection actions if the default inspection
behavior is not sufficient for your network.
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...