SIP Inspection
Example 22-11 Enabling and Configuring RTSP Inspection
hostname(config)# access-list rtsp_acl permit tcp any any eq 554
hostname(config)# access-list rtsp_acl permit tcp any any eq 8554
hostname(config)# class-map rtsp-traffic
hostname(config-cmap)# match access-list rtsp_acl
hostname(config-cmap)# policy-map sample_policy
hostname(config-pmap)# class rtsp-traffic
hostname(config-pmap-c)# inspect rtsp
hostname(config)# service-policy sample_policy interface outside
SIP Inspection
This section describes how to enable SIP application inspection and change the default port configuration. This section includes the following topics:
• SIP Inspection Overview, page 22-76
• SIP Instant Messaging, page 22-77
• IP Address Privacy, page 22-78
• Configuring a SIP Inspection Policy Map for Additional Inspection Control, page 22-78
• Configuring SIP Timeout Values, page 22-82
• SIP Inspection Enhancement, page 22-82
• Verifying and Monitoring SIP Inspection, page 22-86
• SIP Sample Configuration, page 22-87
SIP Inspection Overview
SIP, as defined by the IETF, enables call handling sessions, particularly two-party audio conferences, or "calls." SIP works with SDP for call signaling. SDP specifies the ports for the media stream. Using SIP, the FWSM can support any SIP VoIP gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs.
• SIP: Session Initiation Protocol, RFC 2543
• SDP: Session Description Protocol, RFC 2327
Supporting SIP calls through the FWSM requires inspection of signaling messages for the media connection addresses, media ports, and embryonic connections for the media. While SIP signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams use dynamically allocated ports. Also, SIP embeds IP addresses in the user-data portion of the IP packet, and SIP inspection applies NAT to these embedded IP addresses.
The following limitations and restrictions apply when using PAT with SIP:
• If a remote endpoint tries to register with a SIP proxy on a network protected by the FWSM, the registration fails under very specific conditions, as follows:
  – PAT is configured for the remote endpoint.
  – The SIP registrar server is on the outside network.
  – The port is missing in the Contact field in the REGISTER message sent by the endpoint to the proxy server.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-76
Chapter 22
Applying Application Layer Protocol Inspection
OL-20748-01
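The overview above states three things an inspection engine has to get out of SIP signaling: the media connection address and port advertised in the SDP body (so a pinhole can be opened for the dynamically allocated media stream), the IP addresses embedded in the message that NAT must rewrite, and, for the PAT limitation, whether the Contact URI in a REGISTER carries a port. The Python script below is an added example, not Cisco's code or part of this guide; it performs that parsing on two SIP messages constructed for the example (RFC 5737 documentation addresses), and its function names are the example's own, not an FWSM API.

```python
import re

# Constructed sample messages (not captured traffic); RFC 5737 documentation addresses.
SDP_BODY = ("v=0\r\n"
            "o=alice 2890844526 2890844526 IN IP4 192.0.2.25\r\n"
            "s=-\r\n"
            "c=IN IP4 192.0.2.25\r\n"
            "t=0 0\r\n"
            "m=audio 49170 RTP/AVP 0\r\n")
SAMPLE_INVITE = ("INVITE sip:bob@203.0.113.10 SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.0.2.25:5060;branch=z9hG4bK776asdhds\r\n"
                 "From: Alice <sip:alice@192.0.2.25>;tag=1928301774\r\n"
                 "To: Bob <sip:bob@203.0.113.10>\r\n"
                 "Call-ID: a84b4c76e66710@192.0.2.25\r\n"
                 "CSeq: 314159 INVITE\r\n"
                 "Contact: <sip:alice@192.0.2.25:5060>\r\n"
                 "Content-Type: application/sdp\r\n"
                 f"Content-Length: {len(SDP_BODY)}\r\n"
                 "\r\n" + SDP_BODY)
# REGISTER whose Contact URI omits the port: the PAT case the guide flags.
SAMPLE_REGISTER_NO_PORT = ("REGISTER sip:registrar.example.com SIP/2.0\r\n"
                           "Via: SIP/2.0/UDP 192.0.2.25:5060;branch=z9hG4bKnashds7\r\n"
                           "From: Alice <sip:alice@example.com>;tag=a73kszlfl\r\n"
                           "To: Alice <sip:alice@example.com>\r\n"
                           "Contact: <sip:alice@192.0.2.25>\r\n"
                           "Content-Length: 0\r\n\r\n")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ADDRESS_HEADERS = ("via", "from", "to", "contact")  # headers carrying endpoint addresses NAT must rewrite

def split_message(raw):
    """Split a SIP message into start line, [(name, value)] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:          # folded (continued) header lines are not handled
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def header_value(headers, name):
    """First value of a header, matched case-insensitively (compact forms not handled)."""
    return next((v for n, v in headers if n == name.lower()), None)

def contact_has_port(headers):
    """True if the Contact URI names a port, False if it does not, None if there is no Contact."""
    contact = header_value(headers, "Contact")
    if contact is None:
        return None
    m = re.search(r"sip:(?:[^@<>\s;]+@)?([^:;>\s]+)(?::(\d+))?", contact)
    return m is not None and m.group(2) is not None

def sdp_media_endpoints(body):
    """(media, address, port, transport) per m= line; a media-level c= overrides
    the session-level one, and port 0 is how SDP marks a declined stream."""
    session_addr, streams, current = None, [], None
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, val = line[0], line[2:]
        if key == "c":                          # c=<nettype> <addrtype> <address>
            addr = val.split()[2]
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif key == "m":                        # m=<media> <port>[/<n>] <proto> <fmt>...
            parts = val.split()
            current = {"media": parts[0], "port": int(parts[1].split("/")[0]),
                       "proto": parts[2], "addr": None}
            streams.append(current)
    return [(s["media"], s["addr"] or session_addr, s["port"], s["proto"]) for s in streams]

def embedded_ipv4(headers, body):
    """IPv4 literals in the signaling headers and in SDP o=/c= lines."""
    found = set()
    for name, value in headers:
        if name in ADDRESS_HEADERS:
            found.update(IPV4.findall(value))
    for line in body.splitlines():
        if line[:2] in ("o=", "c="):
            found.update(IPV4.findall(line))
    return sorted(found)

def inspect_sip(raw):
    """What an inspection engine has to learn from one SIP message."""
    start_line, headers, body = split_message(raw)
    ctype = (header_value(headers, "Content-Type") or "").lower()
    media = sdp_media_endpoints(body) if ctype.startswith("application/sdp") else []
    return {
        "method": start_line.split()[0],
        "contact_has_port": contact_has_port(headers),
        "embedded_ipv4": embedded_ipv4(headers, body),
        # media pinholes the firewall must open; declined (port 0) streams are skipped
        "media_pinholes": [(addr, port) for _, addr, port, _ in media if port != 0],
    }

if __name__ == "__main__":
    for msg in (SAMPLE_INVITE, SAMPLE_REGISTER_NO_PORT):
        print(inspect_sip(msg))
```

For the INVITE the script reports one pinhole (192.0.2.25, UDP 49170) taken from the m= and c= lines, and two embedded addresses (192.0.2.25 and 203.0.113.10) that a NAT-aware inspector would have to rewrite; for the REGISTER it reports `contact_has_port` as False, which is exactly the condition under which the guide says registration through PAT fails.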