Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
SIP Overview
SIP works with Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the
media stream. The inspection engine supports the following SIP message types. Other message types are
allowed through the FWSM, but they are not inspected.
• Messages in RFC 2543 (redefined in RFC 3261):
  – INVITE
  – ACK
  – BYE
  – CANCEL
  – REGISTER
  – Responses 1xx, 2xx, 3xx, 4xx, 5xx, 6xx
• Message in RFC 2976:
  – INFO
• Messages in RFC 3265:
  – SUBSCRIBE
  – NOTIFY
• Message in RFC 3428:
  – MESSAGE
To support SIP calls through the FWSM, the FWSM inspects signaling messages for the media
connection addresses, media ports, and embryonic connections for the media, because while the
signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are
dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. The SIP
inspection engine applies NAT for these embedded IP addresses. It does not support NAT between same
security interfaces or outside NAT.
Technical Background
The SIP inspection engine NATs the SIP text-based messages, recalculates the content length for the
SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens
media connections for ports specified in the SDP portion of the SIP message as address/ports on which
the endpoint should listen.
The SIP inspection engine has a database that keeps track of information from the SIP payload that
identifies the call, as well as the source and destination. Contained within this database are the media
addresses and media ports that were contained in the SDP media information fields and the media type.
There can be multiple media addresses and ports for a session. RTP/RTCP connections are opened
between the two endpoints using these media addresses/ports. The well-known port 5060 must be used
on the initial call setup (INVITE) message. However, subsequent messages may not have this port
number. The SIP inspection engine opens signaling connection pinholes, and marks these connections
as SIP connections. This is done for the messages to reach the SIP application and be NATed.
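The following Python script is an added illustration of the two operations described above (rewriting the text-embedded address and recomputing Content-Length, then deriving the media pinholes from the SDP m= lines); it is not FWSM code. The SIP INVITE, the inside address 10.1.1.5 and the mapped address 203.0.113.10 are constructed test data, and opening RTCP on the port after each RTP port follows the RFC 3550 convention rather than anything this guide states.

```python
import re

INSIDE_IP, MAPPED_IP = "10.1.1.5", "203.0.113.10"   # constructed sample addresses


def build_invite(ip):
    """Constructed INVITE with an SDP body, CRLF line endings as on the wire."""
    sdp = "\r\n".join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {ip}",
        "s=-",
        f"c=IN IP4 {ip}",          # media connection address the FWSM must NAT
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",  # media ports the FWSM opens pinholes for
        "m=video 51372 RTP/AVP 31",
    ]) + "\r\n"
    hdrs = "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "To: Bob <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{ip}:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return hdrs + "\r\n\r\n" + sdp


def inspect_and_nat(msg, inside_ip, mapped_ip):
    """Return (rewritten message, [(ip, port), ...] pinholes the SDP requests)."""
    head, _, body = msg.partition("\r\n\r\n")
    # 1. NAT the address embedded in the SIP headers and in the SDP body.
    head = head.replace(inside_ip, mapped_ip)
    body = body.replace(inside_ip, mapped_ip)
    # 2. The rewrite changed the body size, so Content-Length must be recomputed.
    head = re.sub(r"(?mi)^Content-Length:\s*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    # 3. Each m= line names an RTP port; RTCP is assumed on the next port (RFC 3550).
    pinholes = []
    for m in re.finditer(r"(?m)^m=(\w+) (\d+) ", body):
        port = int(m.group(2))
        pinholes += [(mapped_ip, port), (mapped_ip, port + 1)]
    return head + "\r\n\r\n" + body, pinholes


if __name__ == "__main__":
    out, holes = inspect_and_nat(build_invite(INSIDE_IP), INSIDE_IP, MAPPED_IP)
    print(out)
    print("pinholes:", holes)
```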
As a call is set up, the SIP session is considered to be in the “transient” state until the media address and media
port are received in a Response message from the called endpoint indicating the RTP port the called
endpoint will listen on. If the response messages are not received within one minute, the
signaling connection is torn down.