- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Prerequisites for Cisco Firewall-SIP Enhancements ALG
- Restrictions for Cisco Firewall-SIP Enhancements ALG
- Information About Cisco Firewall-SIP Enhancements ALG
- How to Configure Cisco Firewall-SIP Enhancements ALG
- Configuration Examples for Cisco Firewall-SIP Enhancements ALG
- Additional References for Cisco Firewall-SIP Enhancements ALG
- Feature Information for Cisco Firewall-SIP Enhancements ALG
Cisco Firewall-SIP Enhancements ALG
The enhanced Session Initiation Protocol (SIP) inspection in the Cisco XE firewall provides basic SIP inspect functionality (SIP packet inspection and pinholes opening) as well as protocol conformance and application security. These enhancements give you control on what policies and security checks to apply to SIP traffic and the capability to filter out unwanted messages or users.
The development of additional SIP functionality in Cisco IOS XE software provides increased support for Cisco Call Manager, Cisco Call Manager Express, and Cisco IP-IP Gateway based voice/video systems. The application-layer gateway (ALG) SIP enhancement also supports RFC 3261 and its extensions.
- Finding Feature Information
- Prerequisites for Cisco Firewall-SIP Enhancements ALG
- Restrictions for Cisco Firewall-SIP Enhancements ALG
- Information About Cisco Firewall-SIP Enhancements ALG
- How to Configure Cisco Firewall-SIP Enhancements ALG
- Configuration Examples for Cisco Firewall-SIP Enhancements ALG
- Additional References for Cisco Firewall-SIP Enhancements ALG
- Feature Information for Cisco Firewall-SIP Enhancements ALG
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Cisco Firewall-SIP Enhancements ALG
Your system must be running Cisco IOS XE Release 2.4 or a later release.
Restrictions for Cisco Firewall-SIP Enhancements ALG
DNS Name Resolution
Although SIP methods can have Domain Name System (DNS) names instead of raw IP addresses, this feature currently does not support DNS names.
Cisco ASR 1000 Series Routers
This feature was implemented without support for application inspection and control (AIC) on the Cisco ASR 1000 series routers. The Cisco IOS XE Release 2.4 supports the following commands only: class-map type inspect, class type inspect, match protocol, and policy-map type inspect.
Information About Cisco Firewall-SIP Enhancements ALG
SIP Overview
Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.
SIP invitations that are used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to users' current locations, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.
Firewall for SIP Functionality Description
The firewall for SIP support feature allows SIP signaling requests to traverse directly between gateways or through a series of proxies to the destination gateway or phone. After the initial request, if the Record-Route header field is not used, subsequent requests can traverse directly to the destination gateway address as specified in the Contact header field. Thus, the firewall is aware of all surrounding proxies and gateways and allows the following functionalities:
SIP signaling responses can travel the same path as SIP signaling requests.
Subsequent signaling requests can travel directly to the endpoint (destination gateway).
Media endpoints can exchange data between each other.
SIP UDP and TCP Support
RFC 3261 is the current RFC for SIP, which replaces RFC 2543. This feature supports the SIP UDP and the TCP format for signaling.
SIP Inspection
This section describes the deployment scenarios supported by the Cisco Firewall--SIP ALG Enhancements feature.
Cisco IOS XE Firewall Between SIP Phones and CCM
The Cisco IOS XE firewall is located between Cisco Call Manager or Cisco Call Manager Express and SIP phones. SIP phones are registered to Cisco Call Manager or Cisco Call Manager Express through the firewall, and any SIP calls from or to the SIP phones pass through the firewall.
Cisco IOS XE Firewall Between SIP Gateways
The Cisco IOS XE firewall is located between two SIP gateways, which can be Cisco Call Manager, Cisco Call Manager Express, or a SIP proxy. Phones are registered with SIP gateways directly. The firewall sees the SIP session or traffic only when there is a SIP call between phones registered to different SIP gateways. In some scenarios an IP-IP gateway can also be configured on the same device as the firewall. With this scenario all the calls between the SIP gateways are terminated in the IP-IP gateway.
Cisco IOS XE Firewall with Local Cisco Call Manager Express and Remote Cisco Call Manager Express/Cisco Call Manager
The Cisco IOS XE firewall is located between two SIP gateways, which can be Cisco Call Manager, Cisco Call Manager Express, or a SIP proxy. One of the gateways is configured on the same device as the firewall. All the phones registered to this gateway are locally inspected by the firewall. The firewall also inspects SIP sessions between the two gateways when there is a SIP call between them. With this scenario the firewall locally inspects SIP phones on one side and SIP gateways on the other side.
Cisco IOS XE Firewall with Local Cisco Call Manager Express
The Cisco IOS XE firewall and Cisco Call Manager Express is configured on the same device. All the phones registered to the Cisco Call Manager Express are locally inspected by the firewall. Any SIP call between any of the phones registered will also be inspected by the Cisco IOS XE firewall.
ALG--SIP Over TCP Enhancement
When SIP is transferred over UDP, every SIP message is carried in one single UDP datagram. However, when SIP is transferred over TCP, one TCP segment may contain multiple SIP messages. And it is possible that the last SIP message in one of the TCP segments may be a partial one. Prior to Cisco IOS XE Release 3.5S, when there are multiple SIP messages in one received TCP segment, the SIP ALG parses only the first message. The data that is not parsed is regarded as one incomplete SIP message and returned to vTCP. When the next TCP segment is received, vTCP prefixes the unprocessed data to that segment to pass them to the SIP ALG and causes more and more data have to be buffered in vTCP.
In Cisco IOS XE Release 3.5S, the ALG--SIP over TCP Enhancement feature lets the SIP ALG to handle multiple SIP messages in one TCP segment. When a TCP segment is received, all complete SIP messages inside this segment are parsed one-by-one. If there is an incomplete message in the end, only that portion is returned to vTCP.
How to Configure Cisco Firewall-SIP Enhancements ALG
Enabling SIP Inspection
1.
enable
2.
configure
terminal
3.
class-map
type
inspect
match-any
class-map-name
4.
match
protocol
protocol-name
5.
exit
6.
policy-map
type
inspect
policy-map-name
7.
class
type
inspect
class-map-name
8.
inspect
9.
exit
10.
class
class-default
11.
end
DETAILED STEPS
Troubleshooting Tips
The following commands can be used to troubleshoot your SIP-enabled firewall configuration:
Configuring a Zone Pair and Attaching a SIP Policy Map
1.
enable
2.
configure
terminal
3.
zone
security
{zone-name |
default}
4.
exit
5.
zone
security
{zone-name |
default}
6.
exit
7.
zone-pair
security
zone-pair-name
[source {source-zone-name |
self |
default}
destination [destination-zone-name |
self |
default]]
8.
service-policy
type
inspect
policy-map-name
9.
exit
10.
interface
type
number
11.
zone-member
security
zone-name
12.
exit
13.
interface
type
number
14.
zone-member
security
zone-name
15.
end
DETAILED STEPS
Configuration Examples for Cisco Firewall-SIP Enhancements ALG
Example: Enabling SIP Inspection
class-map type inspect match-any sip-class1 match protocol sip ! policy-map type inspect sip-policy class type inspect sip-class1 inspect ! class class-default
Example: Configuring a Zone Pair and Attaching a SIP Policy Map
zone security zone1 ! zone security zone2 ! zone-pair security in-out source zone1 destination zone2 service-policy type inspect sip-policy ! interface gigabitethernet 0/0/0 zone security zone1 ! interface gigabitethernet 0/1/1 zone security zone2
Additional References for Cisco Firewall-SIP Enhancements ALG
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Firewall commands |
|
Additional SIP Information |
|
vTCP support |
vTCP for ALG Support |
Standards and RFCs
Standard/RFC |
Title |
---|---|
RFC 3261 |
SIP: Session Initiation Protocol |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Cisco Firewall-SIP Enhancements ALG
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
AGL--SIP Over TCP Enhancement |
Cisco IOS XE Release 3.5S |
The ALG--SIP over TCP Enhancement feature lets the SIP ALG to handle multiple SIP messages in one TCP segment. When a TCP segment is received, all complete SIP messages inside this segment are parsed one-by-one. If there is an incomplete message in the end, only that portion is returned to vTCP. |
Cisco Firewall--SIP ALG Enhancements |
Cisco IOS XE Release 2.4 |
The Cisco Firewall--SIP ALG Enhancements feature provides voice security enhancements within the firewall feature set in Cisco IOS XE software on the Cisco ASR 1000 series routers. The following commands were implemented without support for Layer 7 (application-specific) syntax, on the Cisco ASR 1000 series routers:class type inspect, class-map type inspect, match protocol, policy-map type inspect. |
Firewall--SIP ALG Enhancement for T.38 Fax Relay |
Cisco IOS XE Release 2.4.1 |
The Firewall--SIP ALG Enhancement for T.38 Fax Relay feature provides an enhancement within the Firewall feature set in Cisco IOS XE software on the Cisco ASR 1000 series routers. The feature enables SIP ALG to support T.38 Fax Relay over IP, passing through the firewall on the Cisco ASR 1000 series routers. |