Cisco Systems ASA 5555-X Network Router User Manual


 
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Configuring Inspection for Voice and Video Protocols
SIP Inspection
b. To enable or disable instant messaging, enter the following command:
ciscoasa(config-pmap-p)# im
c. To enable or disable IP address privacy, enter the following command:
ciscoasa(config-pmap-p)# ip-address-privacy
d. To check that the Max-Forwards header field is not 0 (it cannot be 0 before the message reaches the destination), enter the following command:
ciscoasa(config-pmap-p)# max-forwards-validation action {drop | drop-connection | reset | log} [log]
e. To check RTP packets flowing on the pinholes for protocol conformance, enter the following command:
ciscoasa(config-pmap-p)# rtp-conformance [enforce-payloadtype]
Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
f. To identify the Server and User-Agent header fields, which expose the software version of either a
server or an endpoint, enter the following command:
ciscoasa(config-pmap-p)# software-version action {mask | log} [log]
Where the mask keyword masks the software version in the SIP messages.
g. To enable state checking validation, enter the following command:
ciscoasa(config-pmap-p)# state-checking action {drop | drop-connection | reset | log} [log]
h. To enable strict verification of the header fields in the SIP messages according to RFC 3261, enter
the following command:
ciscoasa(config-pmap-p)# strict-header-validation action {drop | drop-connection | reset | log} [log]
i. To allow non-SIP traffic using the well-known SIP signaling port, enter the following command:
ciscoasa(config-pmap-p)# traffic-non-sip
j. To identify the non-SIP URIs present in the Alert-Info and Call-Info header fields, enter the
following command:
ciscoasa(config-pmap-p)# uri-non-sip action {mask | log} [log]
The following example shows how to disable instant messaging over SIP:
ciscoasa(config)# policy-map type inspect sip mymap
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# no im
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect sip mymap
ciscoasa(config)# service-policy global_policy global
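The following added example (not part of the Cisco guide) contrasts a log-only SIP inspection map with an enforcing one, using only the parameters listed above. The map names sip-monitor and sip-enforce are hypothetical, and the chosen actions are assumptions to adapt to the deployment.

```cisco
! Added example, not from the Cisco guide.
! Map names sip-monitor and sip-enforce are hypothetical.
!
! Monitor-only map: each check generates a log entry, but the
! offending SIP message is still forwarded. Useful for baselining
! before enforcement.
policy-map type inspect sip sip-monitor
 parameters
  max-forwards-validation action log
  state-checking action log
  strict-header-validation action log
  software-version action log
  uri-non-sip action log
!
! Enforcing map: the same checks now act on the traffic and keep a
! log entry for each match (trailing "log" keyword).
policy-map type inspect sip sip-enforce
 parameters
  ! Disable instant messaging over SIP, as in the guide's example.
  no im
  ! Do not allow non-SIP traffic on the well-known SIP signaling port.
  no traffic-non-sip
  ! Act on messages whose Max-Forwards is 0 before the destination.
  max-forwards-validation action drop log
  ! Act on messages that fail state checking.
  state-checking action drop-connection log
  ! Act on header fields that fail RFC 3261 validation.
  strict-header-validation action drop log
  ! Mask Server and User-Agent software versions.
  software-version action mask log
  ! Mask non-SIP URIs in Alert-Info and Call-Info.
  uri-non-sip action mask log
  ! Check RTP on the pinholes and hold the payload type to the
  ! audio or video type from the signaling exchange.
  rtp-conformance enforce-payloadtype
!
! Apply the enforcing map globally, following the guide's example.
policy-map global_policy
 class inspection_default
  inspect sip sip-enforce
!
service-policy global_policy global
```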