Session Initiation Protocol
Session Initiation Protocol (SIP), defined in RFC 2543, is another protocol used
for session control in VoIP. It also uses SDP, mentioned previously, to describe
each session being established. Each call is started with an INVITE message,
which contains some of the session parameters, including IP addresses/ports for
the subsequent connections, which may use other ports. SDP messages are then used to
establish RTP datastreams. The initial SIP session can use UDP or TCP as a
channel. The default port for this connection is 5060. Application inspection of
SIP over UDP is always on in the PIX and cannot be reconfigured. To change
the default port for TCP SIP connections, use the following command:
[no] fixup protocol sip [
Application inspection for SIP includes monitoring of SIP and SDP messages,
changing the IP addresses of endpoints embedded inside these messages (NAT
and PAT), and opening temporary conduits for all negotiated control connections
and datastreams based on the information obtained. The PIX maintains an
internal database indexed by call ID, sources, and destinations of each call.
Included in this database are the IP addresses and ports provided inside an SDP message.
For example, a SIP message may look like the following (embedded address
negotiation is in italics; these are the most important fields, although the message includes
much other IP information):
www.syngress.com
Advanced PIX Configurations • Chapter 4 163
INVITE sip:23198@192.168.2.10:5060 SIP/2.0
Expires: 180
Content-Type: application/sdp
Via: SIP/2.0/UDP 192.168.2.10:5060;branch=1FV1xhfvxGJOK9rWcKdAKOA
Via: SIP/2.0/UDP 10.0.1.134:5060
To:
From: sip:15691@10.0.1.134
Call-ID: c2943000-50405d-6af10a-382e3031@10.0.1.134
CSeq: 100 INVITE
Contact: sip:15691@10.0.1.134:5060
Content-Length: 219
User-Agent: Cisco IP Phone/ Rev. 1/ SIP enabled
Accept: application/sdp
Record-Route:
The SDP message looks like the following:
v=0
o=CiscoSystemsSIP-IPPhone-UserAgent 17045 11864 IN IP4 10.0.1.134
s=SIP Call
c=IN IP4 10.0.1.134
t=0 0
m=audio 29118 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=rtpmap:101 telephone-event/8000
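To make the inspection steps described above concrete, here is an added example (not code from the book or from the PIX) that parses an INVITE with its SDP body, lists the media pinholes a SIP-aware firewall has to open from the SDP c= and m= lines, and rewrites the embedded inside address the way the fixup does for NAT, recomputing Content-Length afterwards. The sample message is constructed from the listing above; the To: value and the translated address 203.0.113.5 are assumptions.

```python
import re
# Constructed sample from the page's INVITE/SDP listing (To: reused from the request URI; Content-Length placeholder)
SAMPLE_INVITE = (
    "INVITE sip:23198@192.168.2.10:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.1.134:5060\r\nFrom: sip:15691@10.0.1.134\r\n"
    "To: sip:23198@192.168.2.10\r\nCall-ID: c2943000-50405d-6af10a-382e3031@10.0.1.134\r\n"
    "CSeq: 100 INVITE\r\nContact: sip:15691@10.0.1.134:5060\r\n"
    "Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n"
    "v=0\r\no=CiscoSystemsSIP-IPPhone-UserAgent 17045 11864 IN IP4 10.0.1.134\r\n"
    "s=SIP Call\r\nc=IN IP4 10.0.1.134\r\nt=0 0\r\nm=audio 29118 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 pcmu/8000\r\na=rtpmap:101 telephone-event/8000\r\n"
)

def split_message(raw):
    """Start line, {lower-cased header name: [values]} and body of a SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body

def media_pinholes(body):
    """(address, port) pairs the firewall must open for RTP: each SDP m= port with its
    governing c= address (a media-level c= overrides the session-level one)."""
    session_addr, holes = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 ") and not holes:
            session_addr = line.split()[2]
        elif line.startswith("c=IN IP4 "):
            holes[-1][0] = line.split()[2]
        elif line.startswith("m="):
            holes.append([session_addr, int(line.split()[1])])
    return [tuple(h) for h in holes]

def nat_rewrite(raw, inside_ip, outside_ip):
    """Translate the inside address in Via/From/To/Contact and in SDP o=/c= lines (as the
    fixup does for NAT), then recompute Content-Length. Call-ID stays untouched: it is the key."""
    head, _, body = raw.partition("\r\n\r\n")
    head_lines = []
    for line in head.split("\r\n"):
        if line.partition(":")[0].strip().lower() in ("via", "from", "to", "contact"):
            line = line.replace(inside_ip, outside_ip)
        head_lines.append(line)
    body = "\r\n".join(l.replace(inside_ip, outside_ip) if l.startswith(("o=", "c="))
                       else l for l in body.split("\r\n"))
    head = re.sub(r"(?mi)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", "\r\n".join(head_lines))
    return head + "\r\n\r\n" + body
```

Running `media_pinholes` on the translated message gives the outside address and the RTP port 29118 that the PIX would have to open as a temporary conduit.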
When the session setup starts, the SIP session is considered in a "transient"
state until an RTP port has been negotiated for the datastream. If this does not
happen within one minute, the session is discarded. After the RTP datastream
ports are negotiated, the session is considered active and the SIP connection will
remain established until the parties explicitly finish the call or an inactivity
timeout expires. This timeout can be configured using the following command:
timeout sip
The default state of this timeout is 30 minutes, which is equivalent to the following
setting:
PIX1(config)# timeout sip 0:30:0
RTP media connections are subject to a default timeout of 2 minutes,
although this setting can be changed using this command:
timeout sip_media
You can view the status of SIP, RTP, and any of the connections subject to
application inspection by the PIX using the command:
show conn state
You can specify the type of connections you want to view (for example, sip,
h323, rpc):
show conn state sip
NOTE
The PIX firewall supports PAT of SIP messages since version 6.2. NAT
support has been available since version 5.3.
One issue that could require additional configuration with SIP occurs when a
phone on a less secure interface tries to place on hold a phone on a more secure
interface. This action is performed by the outside phone sending an extra
INVITE message to the inside phone. If UDP is used as transport, the PIX will
drop the incoming packet after the standard UDP timeout has expired. This situation
can be overcome either by configuring an access list on the outside interface
that permits packets to port 5060/UDP on the inside phone or by using the
following command:
PIX1(config)# established udp 5060 permitto udp 5060 permitfrom udp 0
This command tells the PIX to allow incoming UDP packets to port 5060 on
a client if it had outgoing communication from UDP port 5060.