Chapter 22
Applying Application Layer Protocol Inspection
hostname(config-pmap-p)# im
c. To enable or disable IP address privacy, enter the following command:
hostname(config-pmap-p)# ip-address-privacy
d. To enable a check on the Max-Forwards header field being 0 (which cannot be 0 before reaching the destination), enter the following command:
hostname(config-pmap-p)# max-forwards-validation action {drop | drop-connection | reset | log} [log]
e. To enable a check on RTP packets flowing on the pinholes for protocol conformance, enter the following command:
hostname(config-pmap-p)# rtp-conformance [enforce-payloadtype]
Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
f. To identify the Server and User-Agent header fields, which expose the software version of either a server or an endpoint, enter the following command:
hostname(config-pmap-p)# software-version action {mask | log} [log]
Where the mask keyword removes the SIP header containing the software version and the Alert-Info and Call-Info header fields in the SIP messages.
g. To enable state checking validation, enter the following command:
hostname(config-pmap-p)# state-checking action {drop | drop-connection | reset | log} [log]
h. To enable strict verification of the header fields in the SIP messages according to RFC 3261, enter the following command:
hostname(config-pmap-p)# strict-header-validation action {drop | drop-connection | reset | log} [log]
Note
To send a TCP reset from the universal access concentrator (UAC) to the user agent server (UAS) when there is a violation in the SIP message header, you must configure the service resetinbound command in addition to entering the reset log keywords for the strict-header-validation command.
When the security level is different on the inside and outside interfaces, the reset is sent to the inside host only. To send the reset to the outside, you must configure the service resetinbound command and enter the reset log keywords for the strict-header-validation command.
i. To allow non-SIP traffic using the well-known SIP signaling port, enter the following command. Allowing non-SIP traffic using the well-known SIP signaling port is enabled by default.
hostname(config-pmap-p)# traffic-non-sip
j. To identify the presence of SIP headers such as the Alert-Info and Call-Info header fields in SIP messages, enter the following command:
hostname(config-pmap-p)# uri-non-sip action {mask | log} [log]
The following example shows how to disable instant messaging over SIP:
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
SIP Inspection
22-81
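Pulling steps c through j and the Note together, here is an added example (not taken from the guide) of a SIP inspection policy map that applies the checks, attaches it to a global service policy, and adds service resetinbound so that a reset for a header violation also reaches the outside host. The policy-map names, the class name inspection_default, the global_policy service policy and the no form of traffic-non-sip are assumptions.

```cisco
! Added example, not from the Cisco guide. Assumed: the policy-map names,
! class inspection_default, service policy global_policy, "no traffic-non-sip".
policy-map type inspect sip sip_inspect_pmap
 parameters
  ! Step c: IP address privacy
  ip-address-privacy
  ! Step d: drop and log messages whose Max-Forwards is already 0
  max-forwards-validation action drop log
  ! Step e: only audio/video payload types through the RTP pinholes
  rtp-conformance enforce-payloadtype
  ! Step f: mask Server/User-Agent (and Alert-Info/Call-Info) version leaks
  software-version action mask log
  ! Step g: drop and log SIP state-machine violations
  state-checking action drop log
  ! Step h: reset and log RFC 3261 header violations (see the Note)
  strict-header-validation action reset log
  ! Step i: do not let non-SIP traffic through on the SIP signaling port
  no traffic-non-sip
  ! Step j: mask non-SIP URIs in Alert-Info/Call-Info headers
  uri-non-sip action mask log
policy-map global_policy
 class inspection_default
  inspect sip sip_inspect_pmap
service-policy global_policy global
! Per the Note: without this, the reset only goes to the inside host when
! the interface security levels differ
service resetinbound
```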