The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The SIP ALG Hardening for NAT and Firewall feature provides better memory management and RFC compliance over the existing Session Initiation Protocol (SIP) application-level gateway (ALG) support for Network Address Translation (NAT) and firewall. This feature provides the following enhancements:
Management of the local database for all SIP Layer 7 data
Processing of the Via header
Support for logging additional SIP methods
Support for Provisional Response Acknowledgment (PRACK) call flow
Support for the Record-Route header
The above enhancements are available by default; no additional configuration is required on NAT or firewall.
This module explains the SIP ALG enhancements and describes how to enable NAT and firewall support for SIP.
Session Initiation Protocol (SIP) application-level gateway (ALG) does not provide any security features.
SIP ALG manages the local database based on call IDs. There might be a corner case involving two calls coming from two different clients with the same call ID, resulting in call ID duplication.
Information About SIP ALG Hardening for NAT and Firewall
Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.
SIP invitations that are used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to users' current locations, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.
Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
Recognize application-specific commands and offer granular security control over them.
Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
Translate the network-layer address information that is available in the application payload.
The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.
A Session Initiation Protocol (SIP) trunk is a direct connection of an IP PBX to a service provider over an IP network using SIP. There can be numerous concurrent calls in a SIP trunk. During the call setup process, all calls use the same control channel for call establishment. More than one call uses the same control channel for call setup. When the same control channel is used by more than one call, the stateful information stored in the control-channel sessions becomes unreliable. SIP stateful information consists of media channel information such as the IP address and port number used by client and server endpoints to send media data. The media channel information is used to create a firewall pinhole and a Network Address Translation (NAT) door for the data channel in firewall and NAT, respectively. Because multiple calls use the same control channel for call setup, there will be multiple sets of media data.
In a SIP trunk, more than one call shares the same firewall and NAT session. NAT and firewall identify and manage a SIP session by using the 5 tuple in a SIP packet—source address, destination address, source port, destination port, and protocol. The conventional method of using the 5 tuple to identify and match calls does not completely support SIP trunking and often leads to Layer 7 data memory leaks and call matching issues.
In contrast to other application-level gateways (ALGs), SIP ALG manages the SIP Layer 7 data by using a local database to store all media-related information contained in normal SIP calls and in SIP calls embedded in a SIP trunk. SIP ALG uses the Call-ID header field contained in a SIP message to search the local database for call matching and to manage and terminate calls. The Call-ID header field is a dialog identifier that identifies messages belonging to the same SIP dialog.
SIP ALG uses the call ID to perform search in the local database and to manage memory resources. In certain scenarios where SIP ALG is unable to free up a Layer 7 data record from the database, a session timer is used to manage and free resources to ensure that there are no stalled call records in the database.
 Note |
Because all Layer 7 data is managed by SIP ALG by using a local database, SIP ALG never replies on firewall and NAT to free SIP Layer 7 data; SIP ALG frees the data by itself. If you use the clear command to clear all NAT translations and firewall sessions, the SIP Layer 7 data in the local database is not freed. |
A Session Initiation Protocol (SIP) INVITE request contains a Via header field. The Via header field indicates the transport paths taken by a SIP request. The Via header also contains information about the return path for subsequent SIP responses, which includes the IP address and the port to which the response message is to be sent.
SIP ALG creates a firewall pinhole or a Network Address Translation (NAT) door based on the first value in the Via header field for each SIP request received, except the acknowledge (ACK) message. If the port number information is missing from the first Via header, the port number is assumed to be 5060.
The SIP ALG Hardening for NAT and Firewall feature provides support for detailed logging of the following methods in Session Initiation Protocol (SIP) application-level gateway (ALG) statistics:
PUBLISH
OPTIONS
1XX (excluding 100,180,183)
2XX (excluding 200)
The existing SIP methods that are logged in SIP ALG statistics include ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, REFER, REGISTER, SUBSCRIBE, and 1XX-6XX.
Session Initiation Protocol (SIP) defines two types of responses: final and provisional. Final responses convey the result of processing a request and are sent reliably. Provisional responses, on the other hand, provide information about the progress of processing a request but are not sent reliably.
Provisional Response Acknowledgement (PRACK) is a SIP method that provides an acknowledgment (ACK) system for provisional responses. PRACK allows reliable exchanges of SIP provisional responses between SIP endpoints. SIP reliable provisional responses ensure that media information is exchanged and resource reservation can occur before connecting the call.
SIP uses the connection, media, and attribute fields of the Session Description Protocol (SDP) during connection negotiation. SIP application-level gateway (ALG) supports SDP information within a PRACK message. If media information exists in a PRACK message, SIP ALG retrieves and processes the media information. SIP ALG also handles the creation of media channels for subsequent media streams. SIP ALG creates a firewall pinhole and a NAT door based on the SDP information in PRACK messages.
The Record-Route header field is added by a Session Initiation Protocol (SIP) proxy to a SIP request to force future requests in a SIP dialog to be routed through the proxy. Messages sent within a dialog then traverse all SIP proxies, which add a Record-Route header field to the SIP request. The Record-Route header field contains a globally reachable Uniform Resource Identifier (URI) that identifies the proxy.
SIP application-level gateway (ALG) parses the Contact header and uses the IP address and the port value in the Contact header to create a firewall pinhole and a Network Address Translation (NAT) door. In addition, SIP ALG supports the parsing of the Record-Route header to create a firewall pinhole and a NAT door for future messages that are routed through proxies.
How to Configure SIP ALG Hardening for NAT and Firewall
NAT support for SIP is enabled by default on port 5060. If this feature has been disabled, perform this task to re-enable NAT support for SIP. To disable the NAT support for SIP, use the no ip nat service sip command.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
ip nat service sip {tcp | udp} port port-number Example: |
Enables NAT support for SIP. |
| Step 4 |
end Example: |
Exist global configuration mode and returns to privileged EXEC mode. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
class-map type inspect match-any class-map-name Example: |
Creates an inspect type class map and enters class-map configuration mode. |
| Step 4 |
match protocol protocol-name Example: |
Configures the match criterion for a class map based on the named protocol. |
| Step 5 |
exit Example: |
Exits class-map configuration mode. |
| Step 6 |
policy-map type inspect policy-map-name Example: |
Creates an inspect type policy map and enters policy-map configuration mode. |
| Step 7 |
class type inspect class-map-name Example: |
Specifies the class on which the action is performed and enters policy-map class configuration mode. |
| Step 8 |
inspect Example: |
Enables stateful packet inspection. |
| Step 9 |
exit Example: |
Exits policy-map class configuration mode and returns to policy-map configuration mode. |
| Step 10 |
class class-default Example: |
Specifies that these policy map settings apply to the predefined default class.
|
| Step 11 |
end Example: |
Exits policy-map configuration mode and returns to privileged EXEC mode. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
| Step 3 |
zone security {zone-name | default } Example: |
Creates a security zone to which interfaces can be assigned and enters security zone configuration mode. |
||
| Step 4 |
exit Example: |
Exits security zone configuration mode and returns to global configuration mode. |
||
| Step 5 |
zone security {zone-name | default } Example: |
Creates a security zone to which interfaces can be assigned and enters security zone configuration mode. |
||
| Step 6 |
exit Example: |
Exits security zone configuration mode and returns to global configuration mode. |
||
| Step 7 |
zone-pair security zone-pair-name [source {source-zone-name | self | default } destination [destination-zone-name | self | default ]] Example: |
Creates a zone pair and returns to security zone-pair configuration mode.
|
||
| Step 8 |
service-policy type inspect policy-map-name Example: |
Attaches a firewall policy map to the destination zone pair.
|
||
| Step 9 |
exit Example: |
Exits security zone-pair configuration mode and returns to global configuration mode. |
||
| Step 10 |
interface type number Example: |
Configures an interface and enters interface configuration mode. |
||
| Step 11 |
zone-member security zone-name Example: |
Assigns an interface to a specified security zone.
|
||
| Step 12 |
exit Example: |
Exits interface configuration mode and returns to global configuration mode. |
||
| Step 13 |
interface type number Example: |
Configures an interface and enters interface configuration mode. |
||
| Step 14 |
zone-member security zone-name Example: |
Assigns an interface to a specified security zone. |
||
| Step 15 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
Configuration Examples for SIP ALG Hardening for NAT and Firewall
Device> enable
Device# configure terminal
Device(config)# ip nat service sip tcp port 5060
Device(config)# endclass-map type inspect match-any sip-class1
match protocol sip
!
policy-map type inspect sip-policy
class type inspect sip-class1
inspect
!
class class-defaultzone security zone1
!
zone security zone2
!
zone-pair security in-out source zone1 destination zone2
service-policy type inspect sip-policy
!
interface gigabitethernet 0/0/0
zone security zone1
!
interface gigabitethernet 0/1/1
zone security zone2 |
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
NAT configuration |
IP Addressing: NAT Configuration Guide |
|
Firewall configuration |
Security Configuration Guide: Zone-Based Policy Firewall |
|
NAT commands |
|
|
Firewall commands |
|
|
Standard/RFC |
Title |
|---|---|
|
RFC 3261 |
SIP: Session Initiation Protocol |
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
SIP ALG Hardening for NAT and Firewall |
Cisco IOS XE Release 3.8S |
The SIP ALG Hardening for NAT and Firewall feature provides better memory management and RFC compliance over the existing SIP ALG support for NAT and firewall. |
Feedback