Cisco ASA Series Firewall CLI Configuration Guide
Chapter 14      Inspection for Voice and Video Protocols
  SIP Inspection
SIP Inspection Overview
SIP, as defined by the IETF, enables call handling sessions, particularly two-party audio conferences, or 
“calls.” SIP works with SDP for call signaling. SDP specifies the ports for the media stream. Using SIP, 
the ASA can support any SIP VoIP gateways and VoIP proxy servers. SIP and SDP are defined in the 
following RFCs:
• SIP: Session Initiation Protocol, RFC 3261
• SDP: Session Description Protocol, RFC 2327
To support SIP calls through the ASA, signaling messages for the media connection addresses, media 
ports, and embryonic connections for the media must be inspected, because while the signaling is sent 
over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. 
Also, SIP embeds IP addresses in the user-data portion of the IP packet. Note that the maximum length 
of the SIP Request URI that the ASA supports is 255.
Instant Messaging (IM) applications also use SIP extensions (defined in RFC 3428) and SIP-specific 
event notifications (RFC 3265). After users initiate a chat session (registration/subscription), the IM 
applications use the MESSAGE/INFO methods and 202 Accept responses when users chat with each 
other. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP 
inspection engine opens pinholes that time out according to the configured SIP timeout value. This value 
must be configured at least five minutes longer than the subscription duration. The subscription duration 
is defined in the Contact Expires value and is typically 30 minutes.
Because MESSAGE/INFO requests are typically sent using a dynamically allocated port other than port 
5060, they are required to go through the SIP inspection engine.
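The following is an added example, not Cisco code, that models what the inspection engine described above has to recover from a SIP message: the media address and ports carried in the SDP body (the values the pinholes are opened for), the Request URI length check, and the minimum SIP timeout derived from the Contact expires value plus the five-minute margin. The INVITE, its addresses and ports are constructed for illustration.

```python
"""Toy model of the fields an ASA-style SIP inspection engine extracts.

Added example, not Cisco code. The message below is constructed; addresses
and ports are made up and the parser covers only the fields discussed here.
"""
import re

# Constructed sample: a SIP INVITE carrying an SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>;expires=1800\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

def split_message(raw):
    """Split a SIP message into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def media_pinholes(raw):
    """Return (address, port) pairs the engine would open media pinholes for.

    A session-level c= line applies to every following m= line; a c= line
    placed after an m= line overrides the address for that media stream.
    """
    _, _, body = split_message(raw)
    conn, holes = None, []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            conn = line.split()[2]          # "c=IN IP4 <addr>"
        elif line.startswith("m="):
            holes.append((conn, int(line.split()[1])))  # "m=<media> <port> ..."
    return holes

def required_sip_timeout(raw, default_expires=1800):
    """Minimum SIP timeout in seconds: subscription duration plus five minutes.

    The subscription duration is taken from the Contact expires value; the
    text gives 30 minutes (1800 s) as the typical value, used here as default.
    """
    _, headers, _ = split_message(raw)
    m = re.search(r"expires=(\d+)", headers.get("contact", ""))
    return (int(m.group(1)) if m else default_expires) + 5 * 60

def request_uri_ok(raw, max_len=255):
    """True if the Request URI is within the 255-character limit the ASA supports."""
    request_line, _, _ = split_message(raw)
    return len(request_line.split()[1]) <= max_len
```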
Note SIP inspection supports the Chat feature only. Whiteboard, File Transfer, and Application Sharing are 
not supported. RTC Client 5.0 is not supported.
Limitations for SIP Inspection
SIP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0, 
8.6, and 10.5. It is not supported for CUCM 8.5, or 9.x. SIP inspection might work with other releases 
and products.
SIP inspection applies NAT for embedded IP addresses. However, if you configure NAT to translate both 
source and destination addresses, the external address (“from” in the SIP header for the “trying” 
response message) is not rewritten. Thus, you should use object NAT when working with SIP traffic so 
that you avoid translating the destination address. 
The following limitations and restrictions apply when using PAT with SIP:
• If a remote endpoint tries to register with a SIP proxy on a network protected by the ASA, the 
registration fails under very specific conditions, as follows:
  – PAT is configured for the remote endpoint.
  – The SIP registrar server is on the outside network.
  – The port is missing in the contact field in the REGISTER message sent by the endpoint to the 
proxy server.