Cisco IOS Firewall-SIP Enhancements ALG and AIC
Enhanced Session Initiation Protocol (SIP) inspection in the Cisco IOS firewall provides basic SIP inspect functionality (SIP packet inspection and pinholes opening) as well as protocol conformance and application security. These enhancements give you more control than in previous releases on what policies and security checks to apply to SIP traffic and the capability to filter out unwanted messages or users.
The development of additional SIP functionality in Cisco IOS software provides increased support for Cisco Call Manager (CCM), Cisco Call Manager Express (CCME), and Cisco IP-IP Gateway based voice/video systems. Application Layer Gateway (ALG), and Application Inspection and Control (AIC) SIP enhancements also support RFC 3261 and its extensions.
- Finding Feature Information
- Prerequisites for Cisco IOS Firewall-SIP Enhancements ALG and AIC
- Restrictions for Cisco IOS Firewall-SIP Enhancements ALG and AIC
- Information About Cisco IOS Firewall-SIP Enhancements ALG and AIC
- How to Configure Cisco IOS Firewall-SIP Enhancements ALG and AIC
- Configuration Examples for Cisco IOS Firewall-SIP Enhancements ALG and AIC
- Additional References
- Feature Information for Cisco IOS Firewall-SIP Enhancements ALG and AIC
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Cisco IOS Firewall-SIP Enhancements ALG and AIC
The following prerequisites apply to the configuration of Cisco IOS Firewall--SIP Enhancements: ALG and AIC.
Hardware Requirements
Software Requirements
Cisco IOS Release 12.4(15)XZ or a later release.
Restrictions for Cisco IOS Firewall-SIP Enhancements ALG and AIC
DNS Name Resolution
Although SIP methods can have Domain Name System (DNS) names instead of raw IP addresses, this feature currently does not support DNS names.
Earlier Releases of Cisco IOS Software
Some Cisco IOS releases earlier than Release 12.4(15)XZ may accept the configuration commands for SIP that are shown in this document; however, those earlier versions will not function properly.
Information About Cisco IOS Firewall-SIP Enhancements ALG and AIC
Firewall and SIP Overviews
This section provides an overview of the Cisco IOS firewall and SIP.
Cisco IOS Firewall
The Cisco IOS firewall extends the concept of static access control lists (ACLs) by introducing dynamic ACL entries that open on the basis of the necessary application ports on a specific application and close these ports at the end of the application session. The Cisco IOS firewall achieves this functionality by inspecting the application data, checking for conformance of the application protocol, extracting the relevant port information to create the dynamic ACL entries, and closing these ports at the end of the session. The Cisco IOS firewall is designed to easily allow a new application inspection whenever support is needed.
Session Initiation Protocol
SIP is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.
SIP invitations used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to the user’s current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.
Firewall for SIP Functionality Description
The Firewall for SIP Support feature allows SIP signaling requests to traverse directly between gateways or through a series of proxies to the destination gateway or phone. After the initial request, if the Record-Route header field is not used, subsequent requests can traverse directly to the destination gateway address as specified in the Contact header field. Thus, the Cisco IOS firewall is aware of all surrounding proxies and gateways and allows the following functionality:
SIP signaling responses can travel the same path as SIP signaling requests.
Subsequent signaling requests can travel directly to the endpoint (destination gateway).
Media endpoints can exchange data between each other.
SIP UDP and TCP Support
RFC 3261 is the current RFC for SIP, which replaces RFC 2543. This feature supports the SIP User Datagram Protocol (UDP) and the TCP format for signaling.
SIP Inspection
This section describes the deployment scenarios supported by the Cisco IOS Firewall--SIP, ALG, and AIC Enhancements feature.
Cisco IOS Firewall Between SIP Phones and CCM
The Cisco IOS firewall is located between CCM or CCME and SIP phones. SIP phones are registered to CCM or CCME through the firewall, and any SIP calls from or to the SIP phones pass through the firewall.
Cisco IOS Firewall Between SIP Gateways
The Cisco IOS firewall is located between two SIP gateways, which can be CCM, CCME, or a SIP proxy. Phones are registered with SIP gateways directly. The firewall sees the SIP session or traffic only when there is a SIP call between phones registered to different SIP gateways. In some scenarios an IP-IP gateway can also be configured on the same device as the firewall. With this scenario all the calls between the SIP gateways are terminated in the IP-IP gateway.
Cisco IOS Firewall with Local CCME and Remote CCME/CCM
The Cisco IOS firewall is located between two SIP gateways, which can be CCM, CCME, or a SIP proxy. One of the gateways is configured on the same device as the firewall. All the phones registered to this gateway are locally inspected by the firewall. The firewall also inspects SIP sessions between the two gateways when there is a SIP call between them. In this scenario the firewall locally inspects SIP phones on one side and SIP gateways on the other side.
Cisco IOS Firewall with Local CCME
The Cisco IOS firewall and CCME are configured on the same device. All the phones registered to the CCME are locally inspected by the firewall. Any SIP call between the registered phones is also inspected by the Cisco IOS firewall.
How to Configure Cisco IOS Firewall-SIP Enhancements ALG and AIC
- Configuring a Policy to Allow RFC 3261 Methods
- Configuring a Policy to Block Messages
- Configuring a 403 Response Alarm
- Limiting Application Messages
- Limiting Application Messages for a Particular Proxy
- Verifying and Troubleshooting Cisco IOS Firewall-SIP Enhancements ALG and AIC
Configuring a Policy to Allow RFC 3261 Methods
Perform this task to configure a policy to allow basic RFC 3261 methods and block extension methods.
Note: The Cisco IOS Firewall--SIP Enhancements: ALG and AIC feature provides essential support for the new SIP methods such as UPDATE and PRACK, as CCM 5.x and CCME 4.x also use these methods.
1. enable
2. configure terminal
3. class-map type inspect protocol-name match-any class-map-name
4. match request method method-name
5. exit
6. class-map type inspect protocol-name match-any class-map-name
7. match request method method-name
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. allow
12. exit
13. class type inspect protocol-name class-map-name
14. reset
15. exit
DETAILED STEPS
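The task above written out as a complete configuration, added here as an example and not taken from the original document. The class-map, policy-map and zone names, and the split of methods between the two classes, are assumptions; UPDATE and PRACK are deliberately left out of the reset class because the note above says CCM 5.x and CCME 4.x rely on them.

```cisco
! Added example (not from the original document). Names are assumptions.
! Class 1: the six core RFC 3261 methods that the policy should allow.
class-map type inspect sip match-any sip-core-methods
 match request method invite
 match request method ack
 match request method bye
 match request method cancel
 match request method options
 match request method register
!
! Class 2: extension methods that this deployment does not use; a request
! carrying one of these resets the session.
class-map type inspect sip match-any sip-extension-methods
 match request method subscribe
 match request method notify
 match request method refer
 match request method info
 match request method message
!
! Layer 7 (AIC) policy: one action per class. UPDATE and PRACK match neither
! class and therefore fall through to the policy's default handling.
policy-map type inspect sip sip-method-policy
 class type inspect sip sip-core-methods
  allow
 class type inspect sip sip-extension-methods
  reset
!
! Layer 3/4 policy: inspect SIP and hand the signaling to the AIC policy.
class-map type inspect match-any sip-traffic-class
 match protocol sip
!
policy-map type inspect sip-l4-policy
 class type inspect sip-traffic-class
  inspect
  service-policy sip sip-method-policy
!
! Apply to the zone pair carrying the SIP signaling (zone names assumed).
zone security inside
zone security outside
!
zone-pair security in-out source inside destination outside
 service-policy type inspect sip-l4-policy
```

Use show policy-map type inspect zone-pair in-out after a call to confirm which class each request was counted against.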
Configuring a Policy to Block Messages
Perform this task to configure a policy to block SIP messages coming from a particular proxy device.
1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name class-map-name
7. match request header field regex regex-param-map
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. reset
12. exit
DETAILED STEPS
Configuring a 403 Response Alarm
Perform this task to configure a policy to generate an alarm whenever a 403 response is returned.
1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name class-map-name
7. match response status regex regex-parameter-map
8. exit
9. policy-map type inspect protocol-name policy-map-name
10. class type inspect protocol-name class-map-name
11. log
12. exit
DETAILED STEPS
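The two preceding tasks (blocking messages from a particular proxy, and raising an alarm on 403 responses) combined into one AIC policy, added here as an example and not taken from the original document. The proxy host name sip-proxy.example.com, the choice of the From header as the field to match, and all map and zone names are assumptions. The same regex class-map, with rate-limit in place of reset, is what the later per-proxy rate-limiting task builds on.

```cisco
! Added example (not from the original document). Names are assumptions.
! Regex for the proxy whose requests are to be dropped. The IOS regex "."
! matches any character, which is acceptable for a host name pattern.
parameter-map type regex untrusted-proxy-regex
 pattern sip-proxy.example.com
!
! Regex for the 403 (Forbidden) status code.
parameter-map type regex sip-403-regex
 pattern 403
!
! Requests whose From header names the untrusted proxy.
class-map type inspect sip match-any sip-from-untrusted-proxy
 match request header from regex untrusted-proxy-regex
!
! Responses carrying status 403.
class-map type inspect sip match-any sip-403-response
 match response status regex sip-403-regex
!
! AIC policy: reset sessions from the proxy, log every 403 seen.
policy-map type inspect sip sip-aic-policy
 class type inspect sip sip-from-untrusted-proxy
  reset
 class type inspect sip sip-403-response
  log
!
! Layer 3/4 policy and zone pair (zone names assumed).
class-map type inspect match-any sip-traffic-class
 match protocol sip
!
policy-map type inspect sip-l4-policy
 class type inspect sip-traffic-class
  inspect
  service-policy sip sip-aic-policy
!
zone-pair security in-out source inside destination outside
 service-policy type inspect sip-l4-policy
```

A logged 403 is the signal to look for when a remote party is repeatedly refused; the reset class is the one to check first if legitimate calls from the inside stop completing.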
Limiting Application Messages
Perform this task to configure a policy to rate-limit INVITE messages.
Note: While configuring the rate-limit command, do not configure the allow or reset commands. An error message is displayed if you try to configure the allow or reset commands while configuring the rate-limit command and vice versa.
1. enable
2. configure terminal
3. class-map type inspect protocol-name match-any class-map-name
4. match request method method-name
5. exit
6. policy-map type inspect protocol-name policy-map-name
7. class type inspect protocol-name class-map-name
8. rate-limit limit-number
9. exit
10. exit
11. class-map type inspect match-any class-map-name
12. match protocol protocol-name
13. exit
14. policy-map type inspect policy-map-name
15. class type inspect class-map-name
16. inspect
17. service-policy protocol-name policy-map-name
18. exit
DETAILED STEPS
Limiting Application Messages for a Particular Proxy
Perform this task to configure a policy to rate-limit INVITE messages coming from a particular proxy.
1. enable
2. configure terminal
3. parameter-map type regex parameter-map-name
4. pattern url-pattern
5. exit
6. class-map type inspect protocol-name match-any class-map-name
7. match request method method-name
8. match request header field regex regex-param-map
9. exit
10. policy-map type inspect protocol-name policy-map-name
11. class type inspect protocol-name class-map-name
12. rate-limit limit-number
13. exit
14. exit
15. class-map type inspect match-any class-map-name
16. match protocol protocol-name
17. exit
18. policy-map type inspect policy-map-name
19. class type inspect class-map-name
20. inspect
21. service-policy protocol-name policy-map-name
22. exit
DETAILED STEPS
Verifying and Troubleshooting Cisco IOS Firewall-SIP Enhancements ALG and AIC
The following commands can be used to troubleshoot the Cisco IOS Firewall--SIP Enhancements: ALG and AIC feature:
clear zone-pair
debug cce
debug ip inspect
debug policy-map type inspect
show policy-map type inspect zone-pair
show zone-pair security
Note: Effective with Cisco IOS Release 12.4(20)T, the debug ip inspect command is replaced by the debug policy-firewall command. See the Cisco IOS Debug Command Reference for more information.
Examples
The following is sample output of the show policy-map type inspect zone-pair command when the session keyword is used.
Router# show policy-map type inspect zone-pair session

policy exists on zp zp_test_out_self
 Zone-pair: zp_test_out_self
 Service-policy inspect : test
  Class-map: c_sip (match-any)
   ...
   Number of Established Sessions = 2
   Established Sessions
    Session 6717A7A0 (192.168.105.118:62265)=>(192.168.105.2:5060) sip:udp SIS_OPEN
     Created 00:10:27, Last heard 00:00:03
     Bytes sent (initiator:responder) [35579:14964]
    Session 67179EA0 (192.168.105.119:62266)=>(192.168.105.2:5060) sip:udp SIS_OPEN
     Created 00:10:27, Last heard 00:03:17
     Bytes sent (initiator:responder) [10689:4093]
   Number of Pre-generated Sessions = 7
   Pre-generated Sessions
    Pre-gen session 6717A560 192.168.105.2[1024:65535]=>192.168.105.118[62265:62265] sip:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
    Pre-gen session 67179C60 192.168.105.2[1024:65535]=>192.168.105.119[62266:62266] sip:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
    Pre-gen session 67176F60 192.168.105.118[1024:65535]=>192.168.105.2[5060:5060] sip:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
    Pre-gen session 67176AE0 192.168.105.118[1024:65535]=>192.168.105.2[18318:18318] sip-RTP-data:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
    Pre-gen session 671768A0 192.168.105.2[1024:65535]=>192.168.105.118[62495:62495] sip-RTP-data:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
    Pre-gen session 671783A0 192.168.105.118[1024:65535]=>192.168.105.2[18319:18319] sip-RTCP-data:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
    Pre-gen session 67176420 192.168.105.2[1024:65535]=>192.168.105.118[62496:62496] sip-RTCP-data:udp
     Created never, Last heard never
     Bytes sent (initiator:responder) [0:0]
The following is sample output of the show zone-pair security command.
Router# show zone-pair security

Zone-pair name zp_in_out
    Source-Zone inside  Destination-Zone outside
    service-policy test
Zone-pair name zp_in_self
    Source-Zone inside  Destination-Zone self
    service-policy test
Zone-pair name zp_self_out
    Source-Zone self  Destination-Zone outside
    service-policy test
Configuration Examples for Cisco IOS Firewall-SIP Enhancements ALG and AIC
Example Firewall and SIP Configuration
The following example shows how to configure the Cisco IOS Firewall--SIP Enhancements: ALG and AIC feature when the Cisco IOS firewall is located between two SIP gateways (CCM or CCME), as described in the Cisco IOS Firewall Between SIP Gateways section. Some phones are registered to the CCME inside the firewall (inside zone). Other phones are registered to another CCME or CCM outside the firewall (outside zone). The Cisco IOS firewall is configured for SIP inspection when there is no IP-IP gateway configured on the firewall device.

! AIC class and policy: rate-limit INVITE requests to 15 per second
class-map type inspect sip match-any sip-aic-class
 match request method invite
!
policy-map type inspect sip sip-aic-policy
 class type inspect sip sip-aic-class
  rate-limit 15
!
! Layer 3/4 class: all SIP traffic (defined before the policy that references it)
class-map type inspect match-any sip-traffic-class
 match protocol sip
!
! Layer 3/4 policy: inspect SIP using the parameter map my-parameters
! (a parameter-map type inspect that is not shown in this example) and
! apply the AIC policy to the signaling
policy-map type inspect sip-policy
 class type inspect sip-traffic-class
  inspect my-parameters
  service-policy sip sip-aic-policy
!
zone security inside
zone security outside
!
interface fastethernet 0
 zone-member security inside
interface fastethernet 1
 zone-member security outside
!
zone-pair security in-out source inside destination outside
 service-policy type inspect sip-policy
!
zone-pair security in-self source inside destination self
 service-policy type inspect sip-policy
Additional References
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
Cisco IOS firewall commands | Cisco IOS Security Command Reference
SIP information and configuration tasks | "Configuring Session Initiation Protocol for Voice over IP" module in the Cisco IOS Voice, Video, and Fax Configuration Guide
Additional SIP Information | Guide to Cisco Systems VoIP Infrastructure Solution for SIP
MIBs
MIB | MIBs Link
---|---
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
RFC | Title
---|---
RFC 3261 | SIP: Session Initiation Protocol
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Cisco IOS Firewall-SIP Enhancements ALG and AIC
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
Cisco IOS Firewall--SIP Enhancements: ALG and AIC | 12.4(15)XZ, 12.4(20)T | This feature provides voice security enhancements within the firewall feature set in Cisco IOS software for Release 12.4(15)XZ and later releases. In Release 12.4(15)XZ, this feature was introduced on the Cisco 861, Cisco 881, and Cisco 881G routers. In Release 12.4(20)T, this feature was implemented on the Cisco 1700, Cisco 1800, Cisco 2600, Cisco 2800, Cisco 3700, Cisco 3800, Cisco 7200, and Cisco 7300 routers. The following commands were introduced or modified: class-map type inspect, match protocol, match protocol-violation, match req-resp, match request, match response, policy-map type inspect, rate-limit (firewall).