Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4

ACK

Confirms receipt of a final response to INVITE

BYE

Is sent by either side to end the call

CANCEL

Is sent to end a call that has not yet been connected

INVITE

Is a request from a User Agent Client (UAC) to initiate a session

OPTIONS

Are sent to query capabilities of the user agents and network servers

REGISTER

Is sent by the client to register the address with a SIP proxy

1xx Informational

•100 = Trying

•180 = Ringing

•181 = Call Is Being Forwarded

•182 = Queued

•183 = Session Progress

2xx Successful

•200 = OK

3xx Redirection

•300 = Multiple Choices

•301 = Moved Permanently

•302 = Moved Temporarily

•303 = See Other

•305 = Use Proxy

•380 = Alternative Service

4xx Request Failure

•400 = Bad Request

•401 = Unauthorized

•402 = Payment Required

•403 = Forbidden

•404 = Not Found

•405 = Method Not Allowed

•406 = Not Acceptable

•407 = Proxy Authentication Required

•408 = Request Timeout

•409 = Conflict

•410 = Gone

•411 = Length Required

•413 = Request Entity Too Large

•414 = Request URI Too Large

•415 = Unsupported Media Type

•420 = Bad Extension

•480 = Temporarily Not Available

•481 = Call Leg/Transaction Does Not Exist

4xx Request Failure (continued)

•482 = Loop Detected

•483 = Too Many Hops

•484 = Address Incomplete

•485 = Ambiguous

•486 - Busy Here

5xx Server Failure

•500 = Internal Server Error

•501 = Not Implemented

•502 = Bad Gateway

•503 = Service Unavailable

•504 = Gateway Timeout

•505 = SIP Version Not Supported

6xx Global Failure

•600 = Busy Anywhere

•603 = Decline

•604 = Does Not Exist Anywhere

•606 = Not Acceptable

200 OK

Signifies the end of the call creation phase. The packet is checked for validity against the call database, and the contact information of the server is taken from it. Temporary call-flow-based openings in the firewall are created for allowing the BYE message, which can be initiated from the inside or outside.

200 OK for BYE

Signifies the graceful termination of the call and is in response to the BYE message. The same action as the CANCEL message is taken.

ACK

Signifies that the message is passed after checking for validity.

BYE

Signifies the intent to terminate the call. The database state is updated and temporary openings in the firewall are created for response to the BYE message.

CANCEL

Signifies abnormal data termination. The signaling sessions, media sessions, pregenerated temporary openings in the firewall, and the call database entry for the call are removed.

INVITE

Occurs typically at the start of the call. The firewall will create a database entry upon receipt of this method and fill the database with relevant information extracted from this message. Temporary openings in the firewall will allow for a series of responses to the INVITE request. The temporary openings will be call-flow sensitive and will allow for responses for a fixed amount of time (t = 30 secs).

NO MATCH

Signifies a signaling message that is not present in the database.

Other Methods

Signifies that the message is passed if the call ID is present in the call database.

REGISTER

Results in the creation of an entry in the call database. Time-based, flow-control ACL firewall openings will allow for the response to the REGISTER and subsequent INVITE messages.

SESSION PROGRESS

Contains a response to the INVITE message, and it is a packet during the call creation phase. The packet is checked against the call database for validity of call ID and the media ports; the server proxy information is gathered from the packet. Media channels should be created in this phase.

call_int_over

Checks to see whether or not call initialization is over, and if so, checks to see of the call is in the teardown phase

C con ip & C con port

Signifies the IP address and port in the contact field of the initiator; for example, "Contact:<sip:1111@172.16.0.3:5060;user=phone>"

C media ip & C media port

Signifies the IP address in the media field of the initiator; for example, "c=IN IP4 172.16.0.3"

C media port

Signifies the port in the media field of the initiator; for example, "m=audio 20758 RTP/AVP 0"

C src ip & C src port

Signifies the actual IP address and port of the initiator

C via ip & C via port

Signifies the IP address and port in the via field of the initiator (the first via line); for example, "Via: SIP/2.0/UDP 172.16.0.3:5060"

current sip state

Is the current state of the call (which helps to avoid retransmission)

from/to/callid

Is extracted from the "INVITE" SIP request message to identify the call

media header

Keeps the list of media sessions for the call

media opened

Signifies multiple messages that may have media information, so you need to check to see whether or not the media has been opened for the call

prev sip state

Signifies the previous state of the call (which helps to avoid retransmission)

S con ip & S con port

Signifies the IP address and port in the contact field for the responder

S media ip

Signifies the IP address in the media field for the responder

S media port

Signifies the port in the media field for the responder

S src ip & S src port

Signifies the actual IP address and port of the responder

S via ip & S via port

Signifies the IP address and port in the via field for the responder

signal header

Keeps the list of signaling sessions for the call

sip_proxy_traversed

Makes the firewall topologically aware of whether the call has traversed through proxies

Step 1 

enable

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Router# configure terminal

Enters global configuration mode.

Step 3 

ip inspect name inspection-name sip [alert {on | off}] [audit-trail {on |off}] [timeout seconds]

Router(config)# ip inspect name voip sip

Turns on inspection for SIP.

•alert—Alert messages are generated. This function is on by default.

•audit-trail—Audit trail messages are generated. This function is off by default.

•timeout—Overrides the global channel inactivity timeout value.

Step 4 

interface type number

Router(config)# interface FastEthernet 0/0

Configures an interface type and enters interface configuration mode.

Step 5 

ip inspect inspection-name {in | out}

Router(config-if)# ip inspect voip in

Applies inspection configurations to an interface and for a particular traffic direction.

Step 6 

If SIP calls are coming from other interfaces, repeat Steps 3 through 5 and apply SIP inspections for the calls that are coming from those interfaces.

Note The inspection of protocols other than SIP may not be desirable for traffic that comes from external networks, so it may be necessary to configure an additional inspection rule specifying only SIP.

Step 1 

enable

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2 

show ip inspect name inspection-name

Router# show ip inspect name voip 

(Optional) Displays the configured inspection rule.

Step 3 

show ip inspect session [detail]

Router# show ip inspect session

(Optional) Displays existing sessions that are currently being tracked and inspected by the Cisco IOS firewall.

•The optional detail keyword causes additional details about these sessions to be shown.

Step 4 

show ip access-list

Router# show ip access-list 

(Optional) Displays the contents of all current IP access lists.

Step 1 

enable

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2 

debug ip inspect sip

Router# debug ip inspect sip

(Optional) Displays the operations of the SIP inspection engine for debugging purposes.

Cisco IOS firewall information and configuration tasks

"Configuring Context-Based Access Control"

Cisco IOS firewall commands

Cisco IOS Security Command Reference

None

—

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFC 2543

SIP: Session Initiation Protocol

¹ Not all supported RFCs are listed.

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Firewall SIP Support

12.2(11)YU
12.2(15)T

The Firewall Support for SIP feature integrates Cisco IOS firewalls, Voice over IP (VoIP) protocol, and Session Initiation Protocol (SIP) within a Cisco IOS-based platform, enabling better network convergence.

The following commands were introduced or modified: debug ip inspect, ip inspect name.