Cisco Firewall-SIP Enhancements ALG

Last Updated: January 20, 2012

The enhanced Session Initiation Protocol (SIP) inspection in the Cisco IOS XE firewall provides basic SIP inspection functionality (SIP packet inspection and pinhole opening) as well as protocol conformance and application security. These enhancements give you control over which policies and security checks are applied to SIP traffic and the capability to filter out unwanted messages or users.

The development of additional SIP functionality in Cisco IOS XE software provides increased support for Cisco Call Manager, Cisco Call Manager Express, and Cisco IP-IP Gateway-based voice/video systems. The application-layer gateway (ALG) SIP enhancement also supports RFC 3261 and its extensions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Cisco Firewall-SIP Enhancements ALG

Your system must be running Cisco IOS XE Release 2.4 or a later release.

Restrictions for Cisco Firewall-SIP Enhancements ALG

DNS Name Resolution

Although SIP methods can have Domain Name System (DNS) names instead of raw IP addresses, this feature currently does not support DNS names.

Cisco ASR 1000 Series Routers

This feature was implemented without support for application inspection and control (AIC) on the Cisco ASR 1000 series routers. The Cisco IOS XE Release 2.4 supports the following commands only: class-map type inspect, class type inspect, match protocol, and policy-map type inspect.

Information About Cisco Firewall-SIP Enhancements ALG

SIP Overview

SIP is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.

SIP invitations that are used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to the user's current location, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.

Firewall for SIP Functionality Description

The firewall for SIP support feature allows SIP signaling requests to traverse directly between gateways or through a series of proxies to the destination gateway or phone. After the initial request, if the Record-Route header field is not used, subsequent requests can traverse directly to the destination gateway address as specified in the Contact header field. Thus, the firewall is aware of all surrounding proxies and gateways and allows the following functionalities:

  • SIP signaling responses can travel the same path as SIP signaling requests.
  • Subsequent signaling requests can travel directly to the endpoint (destination gateway).
  • Media endpoints can exchange data between each other.

SIP UDP and TCP Support

RFC 3261 is the current RFC for SIP, which replaces RFC 2543. This feature supports the SIP UDP and the TCP format for signaling.

SIP Inspection

This section describes the deployment scenarios supported by the Cisco Firewall--SIP ALG Enhancements feature.

Cisco IOS XE Firewall Between SIP Phones and CCM

The Cisco IOS XE firewall is located between Cisco Call Manager or Cisco Call Manager Express and SIP phones. SIP phones are registered to Cisco Call Manager or Cisco Call Manager Express through the firewall, and any SIP calls from or to the SIP phones pass through the firewall.

Cisco IOS XE Firewall Between SIP Gateways

The Cisco IOS XE firewall is located between two SIP gateways, which can be Cisco Call Manager, Cisco Call Manager Express, or a SIP proxy. Phones are registered with the SIP gateways directly. The firewall sees SIP sessions or traffic only when there is a SIP call between phones registered to different SIP gateways. In some scenarios an IP-IP gateway can also be configured on the same device as the firewall; in that case all calls between the SIP gateways are terminated in the IP-IP gateway.

Cisco IOS XE Firewall with Local Cisco Call Manager Express and Remote Cisco Call Manager Express/Cisco Call Manager

The Cisco IOS XE firewall is located between two SIP gateways, which can be Cisco Call Manager, Cisco Call Manager Express, or a SIP proxy. One of the gateways is configured on the same device as the firewall. All the phones registered to this gateway are locally inspected by the firewall. The firewall also inspects the SIP session between the two gateways when there is a SIP call between them. In this scenario the firewall locally inspects SIP phones on one side and SIP gateways on the other side.

Cisco IOS XE Firewall with Local Cisco Call Manager Express

The Cisco IOS XE firewall and Cisco Call Manager Express are configured on the same device. All the phones registered to Cisco Call Manager Express are locally inspected by the firewall. Any SIP call between any of the registered phones is also inspected by the Cisco IOS XE firewall.

ALG--SIP Over TCP Enhancement

When SIP is transferred over UDP, every SIP message is carried in a single UDP datagram. When SIP is transferred over TCP, however, one TCP segment may contain multiple SIP messages, and the last SIP message in a segment may be a partial one. Prior to Cisco IOS XE Release 3.5S, when a received TCP segment contained multiple SIP messages, the SIP ALG parsed only the first message. The data that was not parsed was treated as one incomplete SIP message and returned to vTCP. When the next TCP segment was received, vTCP prefixed the unprocessed data to that segment before passing it to the SIP ALG, so more and more data had to be buffered in vTCP.

In Cisco IOS XE Release 3.5S, the ALG--SIP over TCP Enhancement feature lets the SIP ALG handle multiple SIP messages in one TCP segment. When a TCP segment is received, all complete SIP messages inside the segment are parsed one by one. If there is an incomplete message at the end, only that portion is returned to vTCP.
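The following Python example is added here to illustrate two things the page describes; it is not Cisco's code and does not reflect the internals of the IOS XE ALG. split_sip_stream() frames SIP messages out of a TCP byte stream the way the ALG--SIP over TCP enhancement describes (every complete message in a segment is parsed, and only the trailing partial message is handed back to be prefixed to the next segment), relying on the Content-Length header that RFC 3261 makes mandatory on stream transports. sdp_media_endpoints() extracts the RTP addresses and ports from the SDP body, which are the media flows the firewall has to open pinholes for, as the "Firewall for SIP Functionality Description" section describes. All function names and message bytes are constructed for this example.

```python
"""
Added example, not Cisco's code: a minimal model of SIP message framing on
TCP and of SDP media endpoint extraction, the two inputs an ALG needs to
parse signaling and open media pinholes. All sample traffic is constructed.
"""
import re

HEADER_END = b"\r\n\r\n"
# Content-Length (compact form "l") is mandatory on stream transports (RFC 3261).
CONTENT_LENGTH = re.compile(rb"^(?:content-length|l)\s*:\s*(\d+)\s*$", re.I | re.M)


def split_sip_stream(buf):
    """Return (complete_messages, remainder) for a buffer of TCP payload.

    Every complete message is consumed; whatever is left (an incomplete
    header block or a body still in flight) is returned so the caller can
    prefix it to the next segment, as vTCP does for the SIP ALG.
    """
    msgs = []
    while True:
        end = buf.find(HEADER_END)
        if end < 0:
            break                      # headers are not complete yet
        m = CONTENT_LENGTH.search(buf[:end])
        body_len = int(m.group(1)) if m else 0
        total = end + len(HEADER_END) + body_len
        if len(buf) < total:
            break                      # body is not complete yet
        msgs.append(buf[:total])
        buf = buf[total:]
    return msgs, buf


def sdp_media_endpoints(msg):
    """Return [(media, ip, port), ...] for each m= line of an SDP body.

    The connection address comes from the session-level c= line unless the
    media section carries its own c= line (which follows its m= line).
    """
    head, _, body = msg.partition(HEADER_END)
    if b"application/sdp" not in head.lower():
        return []
    sections = [[]]                    # sections[0] holds session-level lines
    for line in body.decode("ascii", "replace").splitlines():
        if line.startswith("m="):
            sections.append([line])
        else:
            sections[-1].append(line)

    def conn_ip(lines):
        for entry in lines:
            if entry.startswith("c=IN IP4 "):
                return entry.split()[2]
        return None

    session_ip = conn_ip(sections[0])
    endpoints = []
    for sec in sections[1:]:
        fields = sec[0].split()        # e.g. m=audio 49170 RTP/AVP 0
        endpoints.append((fields[0][2:], conn_ip(sec) or session_ip, int(fields[1])))
    return endpoints


def build(start_line, headers, body=b""):
    """Assemble a SIP message with a correct Content-Length (sample data only)."""
    hdrs = list(headers) + [("Content-Length", str(len(body)))]
    raw = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs) + "\r\n"
    return raw.encode() + body


# Constructed sample traffic using documentation addresses (RFC 5737), not real endpoints.
SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
       b"m=audio 49170 RTP/AVP 0\r\n"
       b"m=video 51372 RTP/AVP 31\r\nc=IN IP4 192.0.2.11\r\n")
INVITE = build("INVITE sip:bob@198.51.100.20 SIP/2.0",
               [("Via", "SIP/2.0/TCP 192.0.2.10:5060"), ("From", "<sip:alice@192.0.2.10>"),
                ("To", "<sip:bob@198.51.100.20>"), ("Call-ID", "a84b4c76e66710"),
                ("CSeq", "1 INVITE"), ("Content-Type", "application/sdp")], SDP)
BYE = build("BYE sip:bob@198.51.100.20 SIP/2.0",
            [("Via", "SIP/2.0/TCP 192.0.2.10:5060"), ("Call-ID", "a84b4c76e66710"),
             ("CSeq", "2 BYE")])
# Segment 1 carries the whole INVITE plus the first 20 bytes of the BYE.
SEGMENT_1 = INVITE + BYE[:20]
SEGMENT_2 = BYE[20:]


def demo():
    """Drive the two segments through the splitter the way vTCP feeds the ALG."""
    msgs1, rest = split_sip_stream(SEGMENT_1)          # [INVITE], partial BYE
    msgs2, rest2 = split_sip_stream(rest + SEGMENT_2)  # [BYE], b""
    pinholes = [sdp_media_endpoints(m) for m in msgs1 + msgs2]
    return msgs1, rest, msgs2, rest2, pinholes


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the block shows the pre-3.5S problem in miniature: if only the first message of SEGMENT_1 were parsed and the rest returned, the carried-over remainder would grow with every segment that holds more than one message. The splitter instead consumes every complete message and returns only the 20-byte partial BYE, which is the behaviour the enhancement describes.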

How to Configure Cisco Firewall-SIP Enhancements ALG

Enabling SIP Inspection

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    class-map type inspect match-any class-map-name

4.    match protocol protocol-name

5.    match protocol protocol-name

6.    exit

7.    policy-map type inspect policy-map-name

8.    class type inspect class-map-name

9.    inspect

10.    exit

11.    class class-default

12.    end


DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: class-map type inspect match-any class-map-name
  Example: Router(config)# class-map type inspect match-any sip-class1
  Purpose: Creates an inspect type class map and enters class-map configuration mode.

Step 4: match protocol protocol-name
  Example: Router(config-cmap)# match protocol sip
  Purpose: Configures the match criterion for a class map based on the named protocol.

Step 5: match protocol protocol-name
  Example: Router(config-cmap)# match protocol udp
  Purpose: Configures the match criterion for a class map based on the named protocol.

Step 6: exit
  Example: Router(config-cmap)# exit
  Purpose: Exits class-map configuration mode.

Step 7: policy-map type inspect policy-map-name
  Example: Router(config)# policy-map type inspect sip-policy
  Purpose: Creates an inspect type policy map and enters policy-map configuration mode.

Step 8: class type inspect class-map-name
  Example: Router(config-pmap)# class type inspect sip-class1
  Purpose: Specifies the class on which the action is performed and enters policy-map class configuration mode.

Step 9: inspect
  Example: Router(config-pmap-c)# inspect
  Purpose: Enables stateful packet inspection.

Step 10: exit
  Example: Router(config-pmap-c)# exit
  Purpose: Exits policy-map class configuration mode and enters policy-map configuration mode.

Step 11: class class-default
  Example: Router(config-pmap)# class class-default
  Purpose: Specifies that these policy-map settings apply to the predefined default class. If traffic does not match any of the match criteria in the configured class maps, it is directed to the predefined default class.

Step 12: end
  Example: Router(config-pmap)# end
  Purpose: Exits policy-map configuration mode and enters privileged EXEC mode.


Troubleshooting Tips

The following commands can be used to troubleshoot your SIP-enabled firewall configuration:

  • clear zone-pair
  • debug cce
  • debug policy-map type inspect
  • show policy-map type inspect zone-pair
  • show zone-pair security

Configuring a Zone Pair and Attaching a SIP Policy Map

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    zone security {zone-name | default}

4.    exit

5.    zone security {zone-name | default}

6.    exit

7.    zone-pair security zone-pair-name [source {source-zone-name | self | default} destination {destination-zone-name | self | default}]

8.    service-policy type inspect policy-map-name

9.    exit

10.    interface type number

11.    zone-member security zone-name

12.    exit

13.    interface type number

14.    zone-member security zone-name

15.    end


DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: zone security {zone-name | default}
  Example: Router(config)# zone security zone1
  Purpose: Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

Step 4: exit
  Example: Router(config-sec-zone)# exit
  Purpose: Exits security zone configuration mode and enters global configuration mode.

Step 5: zone security {zone-name | default}
  Example: Router(config)# zone security zone2
  Purpose: Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

Step 6: exit
  Example: Router(config-sec-zone)# exit
  Purpose: Exits security zone configuration mode and enters global configuration mode.

Step 7: zone-pair security zone-pair-name [source {source-zone-name | self | default} destination {destination-zone-name | self | default}]
  Example: Router(config)# zone-pair security in-out source zone1 destination zone2
  Purpose: Creates a zone pair and enters security zone-pair configuration mode.
  Note: To apply a policy, you must configure a zone pair.

Step 8: service-policy type inspect policy-map-name
  Example: Router(config-sec-zone-pair)# service-policy type inspect sip-policy
  Purpose: Attaches a firewall policy map to the destination zone pair.
  Note: If a policy is not configured between a pair of zones, traffic is dropped by default.

Step 9: exit
  Example: Router(config-sec-zone-pair)# exit
  Purpose: Exits security zone-pair configuration mode and enters global configuration mode.

Step 10: interface type number
  Example: Router(config)# interface gigabitethernet 0/0/0
  Purpose: Configures an interface and enters interface configuration mode.

Step 11: zone-member security zone-name
  Example: Router(config-if)# zone-member security zone1
  Purpose: Assigns an interface to a specified security zone.
  Note: When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 12: exit
  Example: Router(config-if)# exit
  Purpose: Exits interface configuration mode and enters global configuration mode.

Step 13: interface type number
  Example: Router(config)# interface gigabitethernet 0/1/1
  Purpose: Configures an interface and enters interface configuration mode.

Step 14: zone-member security zone-name
  Example: Router(config-if)# zone-member security zone2
  Purpose: Assigns an interface to a specified security zone.

Step 15: end
  Example: Router(config-if)# end
  Purpose: Exits interface configuration mode and enters privileged EXEC mode.


Configuration Examples for Cisco Firewall-SIP Enhancements ALG

Example: Enabling SIP Inspection

class-map type inspect match-any sip-class1
 match protocol sip
 match protocol udp
!
policy-map type inspect sip-policy
 class type inspect sip-class1
  inspect
 class class-default
!

Example: Configuring a Zone-Pair and Attaching a SIP Policy Map

zone security zone1
!
zone security zone2
!
zone-pair security in-out source zone1 destination zone2
 service-policy type inspect sip-policy
!
interface gigabitethernet 0/0/0
 zone-member security zone1
!
interface gigabitethernet 0/1/1
 zone-member security zone2
!

Additional References

Related Documents

Related Topic / Document Title

  Cisco IOS commands: Cisco IOS Master Commands List, All Releases
  Firewall commands
  Additional SIP information: Guide to Cisco Systems VoIP Infrastructure Solution for SIP
  vTCP support: vTCP for ALG Support

Standards and RFCs

Standard/RFC / Title

  RFC 3261: SIP: Session Initiation Protocol

MIBs

MIB / MIBs Link

  None. To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description / Link

  The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. http://www.cisco.com/cisco/web/support/index.html

Feature Information for Cisco Firewall-SIP Enhancements ALG

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Cisco Firewall-SIP Enhancements: ALG

Feature Name: ALG--SIP Over TCP Enhancement
Releases: Cisco IOS XE Release 3.5S
Feature Information: The ALG--SIP over TCP Enhancement feature lets the SIP ALG handle multiple SIP messages in one TCP segment. When a TCP segment is received, all complete SIP messages inside the segment are parsed one by one. If there is an incomplete message at the end, only that portion is returned to vTCP.

Feature Name: Cisco Firewall--SIP ALG Enhancements
Releases: Cisco IOS XE Release 2.4
Feature Information: The Cisco Firewall--SIP ALG Enhancements feature provides voice security enhancements within the firewall feature set in Cisco IOS XE software on the Cisco ASR 1000 series routers. The following commands were implemented without support for Layer 7 (application-specific) syntax on the Cisco ASR 1000 series routers: class type inspect, class-map type inspect, match protocol, policy-map type inspect.

Feature Name: Firewall--SIP ALG Enhancement for T.38 Fax Relay
Releases: Cisco IOS XE Release 2.4.1
Feature Information: The Firewall--SIP ALG Enhancement for T.38 Fax Relay feature provides an enhancement within the firewall feature set in Cisco IOS XE software on the Cisco ASR 1000 series routers. The feature enables the SIP ALG to support T.38 Fax Relay over IP passing through the firewall on the Cisco ASR 1000 series routers.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.