
Cisco ASA 5506-X Configuration Manual page 215


Chapter 8
Inspection for Voice and Video Protocols
SIP Inspection
SIP is a widely used protocol for Internet conferencing, telephony, presence, event notification, and
instant messaging. Partly because of its text-based nature and partly because of its flexibility, SIP
networks are subject to a large number of security threats.
SIP application inspection provides address translation in the message header and body, dynamic opening
of ports, and basic sanity checks. It also supports application security and protocol conformance checks,
which enforce the sanity of the SIP messages and detect SIP-based attacks.
SIP inspection is enabled by default. You need to configure it only if you want non-default processing,
or if you want to identify a TLS proxy to enable inspection of encrypted traffic. The following topics
explain SIP inspection in more detail.
  SIP Inspection Overview, page 8-23
  Limitations for SIP Inspection, page 8-23
  SIP Instant Messaging, page 8-24
  Default SIP Inspection, page 8-25
  Configure SIP Inspection, page 8-25
  Configure SIP Timeout Values, page 8-30
  Verifying and Monitoring SIP Inspection, page 8-31
SIP Inspection Overview
SIP, as defined by the IETF, enables call-handling sessions, particularly two-party audio conferences, or
"calls." SIP works with SDP for call signaling; SDP specifies the ports for the media stream. Using SIP,
the ASA can support any SIP VoIP gateway or VoIP proxy server. SIP and SDP are defined in the
following RFCs:
  SIP: Session Initiation Protocol, RFC 3261
  SDP: Session Description Protocol, RFC 2327
To support SIP calls through the ASA, the signaling messages must be inspected for the media connection
addresses and media ports, and embryonic connections must be opened for the media, because while the
signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically
allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet, so those addresses
must be rewritten when NAT is in use. Note that the maximum length of the SIP Request-URI that the ASA
supports is 255 characters.
Limitations for SIP Inspection
SIP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0,
8.6, and 10.5. It is not supported for CUCM 8.5 or 9.x. SIP inspection might work with other releases
and products, but they are not tested.
SIP inspection applies NAT to the embedded IP addresses. However, if you configure NAT to translate both
the source and destination addresses (twice NAT), the external address (the "From" address in the SIP
header of the "Trying" response message) is not rewritten. Therefore, use object NAT when working with
SIP traffic so that you avoid translating the destination address.
The following limitations and restrictions apply when using PAT with SIP:
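A model of the fields that SIP inspection has to read and rewrite, as an added Python example that is not Cisco code and does not run on the ASA. It parses a constructed INVITE with an SDP body, derives the media address and ports from the SDP c= and m= lines (the dynamically allocated media connections that the signaling on port 5060 does not reveal on its own), applies a source-only translation of the embedded inside address while leaving the destination untouched, as the object NAT recommendation above implies, and enforces the 255-character Request-URI limit. The addresses, the message content, and the helper function names are assumptions for illustration.

```python
import re

MAX_REQUEST_URI_LEN = 255  # Request-URI limit stated in the ASA guide

# Constructed sample (not a capture): an INVITE from an inside phone at
# 192.168.1.20 to a proxy at 203.0.113.10. Content-Length is filled in by
# build_message() so that it stays correct after the body is rewritten.
SAMPLE_REQUEST_LINE = "INVITE sip:bob@203.0.113.10 SIP/2.0"
SAMPLE_HEADERS = [
    ("Via", "SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds"),
    ("From", '"Alice" <sip:alice@192.168.1.20>;tag=1928301774'),
    ("To", "<sip:bob@203.0.113.10>"),
    ("Call-ID", "a84b4c76e66710@192.168.1.20"),
    ("CSeq", "314159 INVITE"),
    ("Contact", "<sip:alice@192.168.1.20:5060>"),
    ("Content-Type", "application/sdp"),
]
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def build_message(request_line, headers, body):
    """Serialize a SIP request, computing Content-Length from the body."""
    lines = [request_line] + [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_message(raw):
    """Split a SIP request into (request_line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def request_uri_ok(request_line):
    """Sanity check: reject a Request-URI longer than the ASA's 255-char limit."""
    _method, uri, _version = request_line.split(" ", 2)
    return len(uri) <= MAX_REQUEST_URI_LEN


def media_pinholes(body):
    """Return the (ip, port) pairs the firewall must open for the media.

    The address comes from the SDP c= line (session level, overridden by a
    media-level c= if one follows the m= line) and the port from each m= line.
    RTCP is assumed to use the next port up, the SDP/RTP default.
    """
    session_ip = None
    blocks = []  # [rtp_port, media_level_ip_or_None]
    current = None
    for line in body.splitlines():
        if line.startswith("m="):                  # "m=<media> <port> <proto> <fmt>"
            current = [int(line.split()[1]), None]
            blocks.append(current)
        elif line.startswith("c="):                # "c=IN IP4 <addr>"
            addr = line.split()[2]
            if current is None:
                session_ip = addr
            else:
                current[1] = addr
    pinholes = []
    for port, media_ip in blocks:
        ip = media_ip or session_ip
        pinholes.extend([(ip, port), (ip, port + 1)])
    return pinholes


def apply_source_nat(raw, inside_ip, mapped_ip):
    """Rewrite the inside address wherever it is embedded in headers and SDP.

    Only the source side is translated; the Request-URI and To header, which
    carry the destination, are left alone. Content-Length is recomputed.
    """
    request_line, headers, body = parse_message(raw)
    pattern = re.compile(r"(?<![\d.])" + re.escape(inside_ip) + r"(?![\d.])")
    headers = [(name, pattern.sub(mapped_ip, value))
               for name, value in headers if name != "Content-Length"]
    return build_message(request_line, headers, pattern.sub(mapped_ip, body))


if __name__ == "__main__":
    msg = build_message(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS, SAMPLE_SDP)
    print("Request-URI ok:", request_uri_ok(SAMPLE_REQUEST_LINE))
    print("Media pinholes before NAT:", media_pinholes(parse_message(msg)[2]))
    translated = apply_source_nat(msg, "192.168.1.20", "198.51.100.5")
    print("Media pinholes after NAT:", media_pinholes(parse_message(translated)[2]))
```

The pinhole list is what makes the inspection necessary: nothing in the UDP/5060 five-tuple tells the firewall that port 49170 is about to carry audio. Note also that the address in the SDP o= and c= lines and in the Via, From, Contact and Call-ID headers all had to change together; a translation that rewrote only the IP header would leave the far end sending media to a private address.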
Cisco ASA Series Firewall CLI Configuration Guide
