I have a question regarding SIP inspection in a PIX 515 running version 8.0(3).
The problem is that there are two different VoIP solutions inside the network, one that require SIP inspection and one that won't work if it is enabled. Since they reside in different networks I think there might be a solution.
I have tried to solve this issue using following configuration but it doesn't work. All traffic is selected for SIP inspection regardless ACL entries. Any ideas?
Network 172.20.148.0/24 on interface âinnyâ should not be submitted to SIP inspection.
access-list inspect_sip3 extended deny ip 172.20.148.0 255.255.255.0 any
access-list inspect_sip3 extended deny ip any 172.20.148.0 255.255.255.0
access-list inspect_sip3 extended permit tcp any any eq sip
access-list inspect_sip3 extended permit udp any any eq sip
SIP inspection NATs the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.
SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload that identifies the call, as well as the source and destination. Contained within this database are the media addresses and media ports that were contained in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. RTP/RTCP connections are opened between the two endpoints using these media addresses/ports.
The well-known port 5060 must be used on the initial call setup (INVITE) message. However, subsequent messages might not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be NATed.
As a call is set up, the SIP session is considered in the transient state. This state remains until a Response message is received which indicates the RTP media address and port on which the destination endpoint listens. If there is a failure to receive the response messages within one minute, the signaling connection is torn down.
Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface will not traverse the security appliance, unless the security appliance configuration specifically allows it.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...