Cisco ASA Series Configuration Manual page 347

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 14
Inspection for Voice and Video Protocols
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:

im—Enables instant messaging.
ip-address-privacy—Enables IP address privacy, which hides the server and endpoint IP addresses.
max-forwards-validation action {drop | drop-connection | reset | log} [log]—Checks the value of the Max-Forwards header, which cannot be zero before reaching the destination. You must also choose the action to take for non-conforming traffic (drop packet, drop connection, reset, or log) and whether to enable or disable logging.
rtp-conformance [enforce-payloadtype]—Checks RTP packets flowing on the pinholes for protocol conformance. The optional enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
software-version action {mask [log] | log}—Identifies the software version using the Server and User-Agent (endpoint) header fields. You can mask the software version in the SIP messages and optionally log it, or simply log it.
state-checking action {drop | drop-connection | reset | log} [log]—Enables state transition checking. You must also choose the action to take for non-conforming traffic (drop packet, drop connection, reset, or log) and whether to enable or disable logging.
strict-header-validation action {drop | drop-connection | reset | log} [log]—Enables strict verification of the header fields in the SIP messages according to RFC 3261. You must also choose the action to take for non-conforming traffic (drop packet, drop connection, reset, or log) and whether to enable or disable logging.
traffic-non-sip—Allows non-SIP traffic on the well-known SIP signaling port.
trust-verification-server ip ip_address—Identifies Trust Verification Services servers, which enable Cisco Unified IP Phones to authenticate application servers during HTTPS establishment. You can enter the command up to four times to identify four servers. SIP inspection opens pinholes to each server for each registered phone, and the phone decides which to use. Configure the Trust Verification Services server on the CUCM server.
trust-verification-server port number—Identifies the Trust Verification Services port. The default port is 2445, so use this command only if the server uses a different port. The allowed port range is 1026 to 32768.
uri-non-sip action {mask [log] | log}—Identifies the non-SIP URIs present in the Alert-Info and Call-Info header fields. You can mask the information in the SIP messages and optionally log it, or simply log it.

Example

The following example shows how to disable instant messaging over SIP:

hostname(config)# policy-map type inspect sip mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# no im
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect sip mymap
hostname(config)# service-policy global_policy global

The following example shows how to identify four Trust Verification Services servers.
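To make the effect of several of these parameters concrete, the following added example models what traffic-non-sip, strict-header-validation, max-forwards-validation, software-version mask and uri-non-sip mask do to a single SIP message. It is a toy written for this page, not Cisco's code and not how the ASA implements SIP inspection; the sample INVITE, the phone name ExamplePhone, the example.net URIs and the 192.0.2.x addresses are constructed. It runs offline on the embedded message and shows the masked output a downstream party would see.

```python
"""Toy model of the ASA SIP-inspection parameter checks described above.

Added example, NOT Cisco's implementation: it only mimics the observable
effect of traffic-non-sip, strict-header-validation, max-forwards-validation,
software-version mask and uri-non-sip mask on one SIP message.
"""
import re
from dataclasses import dataclass, field

SIP_VERSION = "SIP/2.0"
# A <...> reference whose scheme is not sip: or sips: (used for Alert-Info / Call-Info).
NON_SIP_URI = re.compile(r"<(?!sips?:)[^>]*>")


@dataclass
class Verdict:
    action: str                       # "pass", "drop", "drop-connection", "reset" or "log"
    message: str                      # message as it would be forwarded (possibly masked)
    log: list = field(default_factory=list)


def split_message(raw: str):
    """Return (start line, header lines, body) for a CRLF-delimited SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def looks_like_sip(start_line: str) -> bool:
    """A SIP request ends with the version token; a SIP response starts with it."""
    return start_line.endswith(" " + SIP_VERSION) or start_line.startswith(SIP_VERSION + " ")


def inspect(raw: str, *, allow_non_sip=False, violation_action="drop",
            mask_software_version=True, mask_non_sip_uri=True) -> Verdict:
    """Apply the modelled checks in order; the first violating check decides the action."""
    start, header_lines, body = split_message(raw)
    verdict = Verdict(action="pass", message=raw)

    # traffic-non-sip: unless enabled, non-SIP traffic on the SIP port is dropped.
    if not looks_like_sip(start):
        verdict.log.append("non-SIP traffic on SIP signaling port")
        if not allow_non_sip:
            verdict.action = "drop"
        return verdict

    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        # strict-header-validation (simplified): every header line must be "Name: value".
        if not sep or not name.strip():
            verdict.log.append(f"malformed header line: {line!r}")
            verdict.action = violation_action
            return verdict
        headers.append((name.strip(), value.strip()))

    # max-forwards-validation: a value of 0 cannot legitimately reach its destination.
    for name, value in headers:
        if name.lower() == "max-forwards" and value == "0":
            verdict.log.append("Max-Forwards header is 0")
            verdict.action = violation_action
            if violation_action != "log":
                return verdict

    rewritten = []
    for name, value in headers:
        lname = name.lower()
        if mask_software_version and lname in ("server", "user-agent"):
            # software-version action mask: hide the software identification string.
            verdict.log.append(f"masked software version in {name}")
            value = "*" * len(value)
        elif mask_non_sip_uri and lname in ("alert-info", "call-info"):
            # uri-non-sip action mask: hide URIs that are not sip:/sips: URIs.
            masked, count = NON_SIP_URI.subn(
                lambda m: "<" + "*" * (len(m.group(0)) - 2) + ">", value)
            if count:
                verdict.log.append(f"masked {count} non-SIP URI(s) in {name}")
                value = masked
        rewritten.append(f"{name}: {value}")

    verdict.message = "\r\n".join([start, *rewritten]) + "\r\n\r\n" + body
    return verdict


# Constructed sample INVITE (not captured traffic); names and addresses are placeholders.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "User-Agent: ExamplePhone/1.2.3\r\n"
    "Alert-Info: <http://www.example.net/sounds/moo.wav>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    verdict = inspect(SAMPLE_INVITE)
    print(verdict.action, verdict.log)
    print(verdict.message)
```

Running the module prints the forwarded INVITE with the User-Agent value and the HTTP URI in Alert-Info replaced by asterisks, plus the log entries that the [log] keyword on those parameters would produce; replacing Max-Forwards: 70 with 0 or removing the colon from a header line yields a drop verdict, and passing violation_action="log" shows the log-only behaviour of the same checks.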
Cisco ASA Series Firewall CLI Configuration Guide
SIP Inspection
14-27