- Read Me First
- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Restrictions for SIP ALG Hardening for NAT and Firewall
- Information About SIP ALG Hardening for NAT and Firewall
- How to Configure SIP ALG Hardening for NAT and Firewall
- Configuration Examples for SIP ALG Hardening for NAT and Firewall
- Additional References for SIP ALG Hardening for NAT and Firewall
- Feature Information for SIP ALG Hardening for NAT and Firewall
SIP ALG Hardening for NAT and Firewall
The SIP ALG Hardening for NAT and Firewall feature provides better memory management and RFC compliance over the existing Session Initiation Protocol (SIP) application-level gateway (ALG) support for Network Address Translation (NAT) and firewall. This feature provides the following enhancements:
Management of the local database for all SIP Layer 7 data
Processing of the Via header
Support for logging additional SIP methods
Support for Provisional Response Acknowledgment (PRACK) call flow
Support for the Record-Route header
The above enhancements are available by default; no additional configuration is required on NAT or firewall.
This module explains the SIP ALG enhancements and describes how to enable NAT and firewall support for SIP.
- Finding Feature Information
- Restrictions for SIP ALG Hardening for NAT and Firewall
- Information About SIP ALG Hardening for NAT and Firewall
- How to Configure SIP ALG Hardening for NAT and Firewall
- Configuration Examples for SIP ALG Hardening for NAT and Firewall
- Additional References for SIP ALG Hardening for NAT and Firewall
- Feature Information for SIP ALG Hardening for NAT and Firewall
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for SIP ALG Hardening for NAT and Firewall
Information About SIP ALG Hardening for NAT and Firewall
SIP Overview
Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.
SIP invitations that are used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to users' current locations, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.
Application-Level Gateways
-
Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
-
Recognize application-specific commands and offer granular security control over them.
-
Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
-
Translate the network-layer address information that is available in the application payload.
The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.
SIP ALG Local Database Management
A Session Initiation Protocol (SIP) trunk is a direct connection of an IP PBX to a service provider over an IP network using SIP. There can be numerous concurrent calls in a SIP trunk. During the call setup process, all calls use the same control channel for call establishment. More than one call uses the same control channel for call setup. When the same control channel is used by more than one call, the stateful information stored in the control-channel sessions becomes unreliable. SIP stateful information consists of media channel information such as the IP address and port number used by client and server endpoints to send media data. The media channel information is used to create a firewall pinhole and a Network Address Translation (NAT) door for the data channel in firewall and NAT, respectively. Because multiple calls use the same control channel for call setup, there will be multiple sets of media data.
In a SIP trunk, more than one call shares the same firewall and NAT session. NAT and firewall identify and manage a SIP session by using the 5 tuple in a SIP packet—source address, destination address, source port, destination port, and protocol. The conventional method of using the 5 tuple to identify and match calls does not completely support SIP trunking and often leads to Layer 7 data memory leaks and call matching issues.
In contrast to other application-level gateways (ALGs), SIP ALG manages the SIP Layer 7 data by using a local database to store all media-related information contained in normal SIP calls and in SIP calls embedded in a SIP trunk. SIP ALG uses the Call-ID header field contained in a SIP message to search the local database for call matching and to manage and terminate calls. The Call-ID header field is a dialog identifier that identifies messages belonging to the same SIP dialog.
SIP ALG uses the call ID to perform search in the local database and to manage memory resources. In certain scenarios where SIP ALG is unable to free up a Layer 7 data record from the database, a session timer is used to manage and free resources to ensure that there are no stalled call records in the database.
Note | Because all Layer 7 data is managed by SIP ALG by using a local database, SIP ALG never replies on firewall and NAT to free SIP Layer 7 data; SIP ALG frees the data by itself. If you use the clear command to clear all NAT translations and firewall sessions, the SIP Layer 7 data in the local database is not freed. |
SIP ALG Via Header Support
A Session Initiation Protocol (SIP) INVITE request contains a Via header field. The Via header field indicates the transport paths taken by a SIP request. The Via header also contains information about the return path for subsequent SIP responses, which includes the IP address and the port to which the response message is to be sent.
SIP ALG creates a firewall pinhole or a Network Address Translation (NAT) door based on the first value in the Via header field for each SIP request received, except the acknowledge (ACK) message. If the port number information is missing from the first Via header, the port number is assumed to be 5060.
SIP ALG Method Logging Support
The SIP ALG Hardening for NAT and Firewall feature provides support for detailed logging of the following methods in Session Initiation Protocol (SIP) application-level gateway (ALG) statistics:
The existing SIP methods that are logged in SIP ALG statistics include ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, REFER, REGISTER, SUBSCRIBE, and 1XX-6XX.
SIP ALG PRACK Call-Flow Support
Session Initiation Protocol (SIP) defines two types of responses: final and provisional. Final responses convey the result of processing a request and are sent reliably. Provisional responses, on the other hand, provide information about the progress of processing a request but are not sent reliably.
Provisional Response Acknowledgement (PRACK) is a SIP method that provides an acknowledgment (ACK) system for provisional responses. PRACK allows reliable exchanges of SIP provisional responses between SIP endpoints. SIP reliable provisional responses ensure that media information is exchanged and resource reservation can occur before connecting the call.
SIP uses the connection, media, and attribute fields of the Session Description Protocol (SDP) during connection negotiation. SIP application-level gateway (ALG) supports SDP information within a PRACK message. If media information exists in a PRACK message, SIP ALG retrieves and processes the media information. SIP ALG also handles the creation of media channels for subsequent media streams. SIP ALG creates a firewall pinhole and a NAT door based on the SDP information in PRACK messages.
SIP ALG Record-Route Header Support
The Record-Route header field is added by a Session Initiation Protocol (SIP) proxy to a SIP request to force future requests in a SIP dialog to be routed through the proxy. Messages sent within a dialog then traverse all SIP proxies, which add a Record-Route header field to the SIP request. The Record-Route header field contains a globally reachable Uniform Resource Identifier (URI) that identifies the proxy.
SIP application-level gateway (ALG) parses the Contact header and uses the IP address and the port value in the Contact header to create a firewall pinhole and a Network Address Translation (NAT) door. In addition, SIP ALG supports the parsing of the Record-Route header to create a firewall pinhole and a NAT door for future messages that are routed through proxies.
With the parsing of the Record-Route header, SIP ALG supports the following scenarios:
A Cisco ASR 1000 Aggregation Services Router is deployed between two proxies.
A Cisco ASR 1000 Aggregation Services Router is deployed between a User Agent Client (UAC) and a proxy.
A Cisco ASR 1000 Aggregation Services Router is deployed between a proxy and a User Agent Server (UAS).
No proxy exists between the client and the server. No record routing occurs in this scenario.
How to Configure SIP ALG Hardening for NAT and Firewall
Enabling NAT for SIP Support
NAT support for SIP is enabled by default on port 5060. If this feature has been disabled, perform this task to re-enable NAT support for SIP. To disable the NAT support for SIP, use the no ip nat service sip command.
1.
enable
2.
configure terminal
3.
ip nat service sip {tcp |
udp}
port
port-number
4.
end
DETAILED STEPS
Enabling SIP Inspection
1.
enable
2.
configure
terminal
3.
class-map
type
inspect
match-any
class-map-name
4.
match
protocol
protocol-name
5.
exit
6.
policy-map
type
inspect
policy-map-name
7.
class
type
inspect
class-map-name
8.
inspect
9.
exit
10.
class
class-default
11.
end
DETAILED STEPS
Configuring a Zone Pair and Attaching a SIP Policy Map
1.
enable
2.
configure
terminal
3.
zone
security
{zone-name |
default}
4.
exit
5.
zone
security
{zone-name |
default}
6.
exit
7.
zone-pair
security
zone-pair-name
[source {source-zone-name |
self |
default}
destination [destination-zone-name |
self |
default]]
8.
service-policy
type
inspect
policy-map-name
9.
exit
10.
interface
type
number
11.
zone-member
security
zone-name
12.
exit
13.
interface
type
number
14.
zone-member
security
zone-name
15.
end
DETAILED STEPS
Configuration Examples for SIP ALG Hardening for NAT and Firewall
Example: Enabling NAT for SIP Support
Device> enable Device# configure terminal Device(config)# ip nat service sip tcp port 5060 Device(config)# end
Example: Enabling SIP Inspection
class-map type inspect match-any sip-class1 match protocol sip ! policy-map type inspect sip-policy class type inspect sip-class1 inspect ! class class-default
Example: Configuring a Zone Pair and Attaching a SIP Policy Map
zone security zone1 ! zone security zone2 ! zone-pair security in-out source zone1 destination zone2 service-policy type inspect sip-policy ! interface gigabitethernet 0/0/0 zone security zone1 ! interface gigabitethernet 0/1/1 zone security zone2
Additional References for SIP ALG Hardening for NAT and Firewall
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
NAT configuration |
IP Addressing: NAT Configuration Guide |
Firewall configuration |
Security Configuration Guide: Zone-Based Policy Firewall |
NAT commands |
|
Firewall commands |
|
NAT and firewall ALG support |
NAT and Firewall ALG and AIC Support on Cisco ASR 1000 Series Aggregation Services Routers matrix |
Standards and RFCs
Standard/RFC |
Title |
---|---|
RFC 3261 |
SIP: Session Initiation Protocol |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for SIP ALG Hardening for NAT and Firewall
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
SIP ALG Hardening for NAT and Firewall |
Cisco IOS XE Release 3.8S |
The SIP ALG Hardening for NAT and Firewall feature provides better memory management and RFC compliance over the existing SIP ALG support for NAT and firewall. |