38-30
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 38 Configuring Inspection for Voice and Video Protocols
SIP Inspection
SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and
instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP
networks are subject to a large number of security threats.
SIP application inspection provides address translation in message header and body, dynamic opening
of ports and basic sanity checks. It also supports application security and protocol conformance, which
enforce the sanity of the SIP messages, as well as detect SIP-based attacks.
Fields
• SIP Inspect Maps—Table that lists the defined SIP inspect maps.
• Add—Configures a new SIP inspect map. To edit a SIP inspect map, choose the SIP entry in the SIP
Inspect Maps table and click Customize.
• Delete—Deletes the inspect map selected in the SIP Inspect Maps table.
• Security Level—Select the security level (high or low).
–
Low—Default.
SIP instant messaging (IM) extensions: Enabled.
Non-SIP traffic on SIP port: Permitted.
Hide server’s and endpoint’s IP addresses: Disabled.
Mask software version and non-SIP URIs: Disabled.
Ensure that the number of hops to destination is greater than 0: Enabled.
RTP conformance: Not enforced.
SIP conformance: Do not perform state checking and header validation.
–
Medium
SIP instant messaging (IM) extensions: Enabled.
Non-SIP traffic on SIP port: Permitted.
Hide server’s and endpoint’s IP addresses: Disabled.
Mask software version and non-SIP URIs: Disabled.
Ensure that the number of hops to destination is greater than 0: Enabled.
RTP conformance: Enforced.
Limit payload to audio or video, based on the signaling exchange: No
SIP conformance: Drop packets that fail state checking.
–
High
SIP instant messaging (IM) extensions: Enabled.
Non-SIP traffic on SIP port: Denied.
Hide server’s and endpoint’s IP addresses: Disabled.
Mask software version and non-SIP URIs: Enabled.
Ensure that the number of hops to destination is greater than 0: Enabled.
RTP conformance: Enforced.
Limit payload to audio or video, based on the signaling exchange: Yes
SIP conformance: Drop packets that fail state checking and packets that fail header validation.
–
Customize—Opens the Add/Edit SIP Policy Map dialog box for additional settings.
To Next Page
Loading...
Need help?
General
