IP Addressing: NAT Configuration Guide, Cisco IOS XE Release 3S (ASR 1000)
SIP ALG Hardening for NAT and Firewall
Downloads: This chapterpdf (PDF - 1.36MB) The complete bookPDF (PDF - 5.17MB) | The complete bookePub (ePub - 1.74MB) | Feedback

Contents

SIP ALG Hardening for NAT and Firewall

The SIP ALG Hardening for NAT and Firewall feature provides better memory management and RFC compliance over the existing Session Initiation Protocol (SIP) application-level gateway (ALG) support for Network Address Translation (NAT) and firewall. This feature provides the following enhancements:

  • Management of the local database for all SIP Layer 7 data
  • Processing of the Via header
  • Support for logging additional SIP methods
  • Support for Provisional Response Acknowledgment (PRACK) call flow
  • Support for the Record-Route header

The above enhancements are available by default; no additional configuration is required on NAT or firewall.

This module explains the SIP ALG enhancements and describes how to enable NAT and firewall support for SIP.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for SIP ALG Hardening for NAT and Firewall

  • Session Initiation Protocol (SIP) application-level gateway (ALG) does not provide any security features.
  • SIP ALG manages the local database based on call IDs. There might be a corner case involving two calls coming from two different clients with the same call ID, resulting in call ID duplication.

Information About SIP ALG Hardening for NAT and Firewall

SIP Overview

Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions could include Internet telephone calls, multimedia distribution, and multimedia conferences. SIP is based on an HTTP-like request/response transaction model. Each transaction consists of a request that invokes a particular method or function on the server and at least one response.

SIP invitations that are used to create sessions carry session descriptions that allow participants to agree on a set of compatible media types. SIP makes use of elements called proxy servers to help route requests to users' current locations, authenticate and authorize users for services, implement provider call-routing policies, and provide features to users. SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols.

Application-Level Gateways

An application-level gateway (ALG), also known as an application-layer gateway, is an application that translates the IP address information inside the payload of an application packet. An ALG is used to interpret the application-layer protocol and perform firewall and Network Address Translation (NAT) actions. These actions can be one or more of the following depending on your configuration of the firewall and NAT:
  • Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
  • Recognize application-specific commands and offer granular security control over them.
  • Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
  • Translate the network-layer address information that is available in the application payload.

The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.

SIP ALG Local Database Management

A Session Initiation Protocol (SIP) trunk is a direct connection of an IP PBX to a service provider over an IP network using SIP. There can be numerous concurrent calls in a SIP trunk. During the call setup process, all calls use the same control channel for call establishment. More than one call uses the same control channel for call setup. When the same control channel is used by more than one call, the stateful information stored in the control-channel sessions becomes unreliable. SIP stateful information consists of media channel information such as the IP address and port number used by client and server endpoints to send media data. The media channel information is used to create a firewall pinhole and a Network Address Translation (NAT) door for the data channel in firewall and NAT, respectively. Because multiple calls use the same control channel for call setup, there will be multiple sets of media data.

In a SIP trunk, more than one call shares the same firewall and NAT session. NAT and firewall identify and manage a SIP session by using the 5 tuple in a SIP packet—source address, destination address, source port, destination port, and protocol. The conventional method of using the 5 tuple to identify and match calls does not completely support SIP trunking and often leads to Layer 7 data memory leaks and call matching issues.

In contrast to other application-level gateways (ALGs), SIP ALG manages the SIP Layer 7 data by using a local database to store all media-related information contained in normal SIP calls and in SIP calls embedded in a SIP trunk. SIP ALG uses the Call-ID header field contained in a SIP message to search the local database for call matching and to manage and terminate calls. The Call-ID header field is a dialog identifier that identifies messages belonging to the same SIP dialog.

SIP ALG uses the call ID to perform search in the local database and to manage memory resources. In certain scenarios where SIP ALG is unable to free up a Layer 7 data record from the database, a session timer is used to manage and free resources to ensure that there are no stalled call records in the database.


Note


Because all Layer 7 data is managed by SIP ALG by using a local database, SIP ALG never replies on firewall and NAT to free SIP Layer 7 data; SIP ALG frees the data by itself. If you use the clear command to clear all NAT translations and firewall sessions, the SIP Layer 7 data in the local database is not freed.


SIP ALG Via Header Support

A Session Initiation Protocol (SIP) INVITE request contains a Via header field. The Via header field indicates the transport paths taken by a SIP request. The Via header also contains information about the return path for subsequent SIP responses, which includes the IP address and the port to which the response message is to be sent.

SIP ALG creates a firewall pinhole or a Network Address Translation (NAT) door based on the first value in the Via header field for each SIP request received, except the acknowledge (ACK) message. If the port number information is missing from the first Via header, the port number is assumed to be 5060.

SIP ALG Method Logging Support

The SIP ALG Hardening for NAT and Firewall feature provides support for detailed logging of the following methods in Session Initiation Protocol (SIP) application-level gateway (ALG) statistics:

  • PUBLISH
  • OPTIONS
  • 1XX (excluding 100,180,183)
  • 2XX (excluding 200)

The existing SIP methods that are logged in SIP ALG statistics include ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, REFER, REGISTER, SUBSCRIBE, and 1XX-6XX.

SIP ALG PRACK Call-Flow Support

Session Initiation Protocol (SIP) defines two types of responses: final and provisional. Final responses convey the result of processing a request and are sent reliably. Provisional responses, on the other hand, provide information about the progress of processing a request but are not sent reliably.

Provisional Response Acknowledgement (PRACK) is a SIP method that provides an acknowledgment (ACK) system for provisional responses. PRACK allows reliable exchanges of SIP provisional responses between SIP endpoints. SIP reliable provisional responses ensure that media information is exchanged and resource reservation can occur before connecting the call.

SIP uses the connection, media, and attribute fields of the Session Description Protocol (SDP) during connection negotiation. SIP application-level gateway (ALG) supports SDP information within a PRACK message. If media information exists in a PRACK message, SIP ALG retrieves and processes the media information. SIP ALG also handles the creation of media channels for subsequent media streams. SIP ALG creates a firewall pinhole and a NAT door based on the SDP information in PRACK messages.

SIP ALG Record-Route Header Support

The Record-Route header field is added by a Session Initiation Protocol (SIP) proxy to a SIP request to force future requests in a SIP dialog to be routed through the proxy. Messages sent within a dialog then traverse all SIP proxies, which add a Record-Route header field to the SIP request. The Record-Route header field contains a globally reachable Uniform Resource Identifier (URI) that identifies the proxy.

SIP application-level gateway (ALG) parses the Contact header and uses the IP address and the port value in the Contact header to create a firewall pinhole and a Network Address Translation (NAT) door. In addition, SIP ALG supports the parsing of the Record-Route header to create a firewall pinhole and a NAT door for future messages that are routed through proxies.

With the parsing of the Record-Route header, SIP ALG supports the following scenarios:

  • A Cisco ASR 1000 Aggregation Services Router is deployed between two proxies.
  • A Cisco ASR 1000 Aggregation Services Router is deployed between a User Agent Client (UAC) and a proxy.
  • A Cisco ASR 1000 Aggregation Services Router is deployed between a proxy and a User Agent Server (UAS).
  • No proxy exists between the client and the server. No record routing occurs in this scenario.

How to Configure SIP ALG Hardening for NAT and Firewall

Enabling NAT for SIP Support

NAT support for SIP is enabled by default on port 5060. If this feature has been disabled, perform this task to re-enable NAT support for SIP. To disable the NAT support for SIP, use the no ip nat service sip command.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip nat service sip {tcp | udp} port port-number

    4.    end


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip nat service sip {tcp | udp} port port-number


    Example:
    Device(config)# ip nat service sip tcp port 5060
     

    Enables NAT support for SIP.

     
    Step 4 end


    Example:
    Device(config)# end
     

    Exist global configuration mode and returns to privileged EXEC mode.

     

    Enabling SIP Inspection

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    class-map type inspect match-any class-map-name

      4.    match protocol protocol-name

      5.    exit

      6.    policy-map type inspect policy-map-name

      7.    class type inspect class-map-name

      8.    inspect

      9.    exit

      10.    class class-default

      11.    end


    DETAILED STEPS
        Command or Action Purpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 class-map type inspect match-any class-map-name


      Example:
      Device(config)# class-map type inspect match-any sip-class1
       

      Creates an inspect type class map and enters class-map configuration mode.

       
      Step 4 match protocol protocol-name


      Example:
      Device(config-cmap)# match protocol sip
       

      Configures the match criterion for a class map based on the named protocol.

       
      Step 5 exit


      Example:
      Device(config-cmap)# exit
       

      Exits class-map configuration mode.

       
      Step 6 policy-map type inspect policy-map-name


      Example:
      Device(config)# policy-map type inspect sip-policy
       

      Creates an inspect type policy map and enters policy-map configuration mode.

       
      Step 7 class type inspect class-map-name


      Example:
      Device(config-pmap)# class type inspect sip-class1
       

      Specifies the class on which the action is performed and enters policy-map class configuration mode.

       
      Step 8 inspect


      Example:
      Device(config-pmap-c)# inspect
       

      Enables stateful packet inspection.

       
      Step 9 exit


      Example:
      Device(config-pmap-c)# exit
       

      Exits policy-map class configuration mode and returns to policy-map configuration mode.

       
      Step 10 class class-default


      Example:
      Device(config-pmap)# class class-default
       

      Specifies that these policy map settings apply to the predefined default class.

      • If traffic does not match any of the match criteria in the configured class maps, it is directed to the predefined default class.
       
      Step 11 end


      Example:
      Device(config-pmap)# end
       

      Exits policy-map configuration mode and returns to privileged EXEC mode.

       

      Configuring a Zone Pair and Attaching a SIP Policy Map

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    zone security {zone-name | default}

        4.    exit

        5.    zone security {zone-name | default}

        6.    exit

        7.    zone-pair security zone-pair-name [source {source-zone-name | self | default} destination [destination-zone-name | self | default]]

        8.    service-policy type inspect policy-map-name

        9.    exit

        10.    interface type number

        11.    zone-member security zone-name

        12.    exit

        13.    interface type number

        14.    zone-member security zone-name

        15.    end


      DETAILED STEPS
          Command or Action Purpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 zone security {zone-name | default}


        Example:
        Device(config)# zone security zone1
         

        Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

         
        Step 4 exit


        Example:
        Device(config-sec-zone)# exit 
         

        Exits security zone configuration mode and returns to global configuration mode.

         
        Step 5 zone security {zone-name | default}


        Example:
        Device(config)# zone security zone2
         

        Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

         
        Step 6 exit


        Example:
        Device(config-sec-zone)# exit 
         

        Exits security zone configuration mode and returns to global configuration mode.

         
        Step 7 zone-pair security zone-pair-name [source {source-zone-name | self | default} destination [destination-zone-name | self | default]]


        Example:
        Device(config)# zone-pair security in-out source zone1 destination zone2
         

        Creates a zone pair and returns to security zone-pair configuration mode.

        Note   

        To apply a policy, you must configure a zone pair.

         
        Step 8 service-policy type inspect policy-map-name


        Example:
        Device(config-sec-zone-pair)# service-policy type inspect sip-policy 
         

        Attaches a firewall policy map to the destination zone pair.

        Note   

        If a policy is not configured between a pair of zones, traffic is dropped by default.

         
        Step 9 exit


        Example:
        Device(config-sec-zone-pair)# exit 
         

        Exits security zone-pair configuration mode and returns to global configuration mode.

         
        Step 10 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/0/0
         

        Configures an interface and enters interface configuration mode.

         
        Step 11 zone-member security zone-name


        Example:
        Device(config-if)# zone-member security zone1
         

        Assigns an interface to a specified security zone.

        Note   

        When you make an interface a member of a security zone, all traffic in and out of that interface (except traffic bound for the device or initiated by the device) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

         
        Step 12 exit


        Example:
        Device(config-if)# exit 
         

        Exits interface configuration mode and returns to global configuration mode.

         
        Step 13 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/1/1
         

        Configures an interface and enters interface configuration mode.

         
        Step 14 zone-member security zone-name


        Example:
        Device(config-if)# zone-member security zone2
         

        Assigns an interface to a specified security zone.

         
        Step 15 end


        Example:
        Device(config-if)# end
         

        Exits interface configuration mode and returns to privileged EXEC mode.

         

        Configuration Examples for SIP ALG Hardening for NAT and Firewall

        Example: Enabling NAT for SIP Support

        Device> enable
        Device# configure terminal
        Device(config)# ip nat service sip tcp port 5060
        Device(config)# end

        Example: Enabling SIP Inspection

        class-map type inspect match-any sip-class1
         match protocol sip
        !
        policy-map type inspect sip-policy
         class type inspect sip-class1
          inspect
        !
        class class-default

        Example: Configuring a Zone Pair and Attaching a SIP Policy Map

        zone security zone1
        !
        zone security zone2
        !
        zone-pair security in-out source zone1 destination zone2
         service-policy type inspect sip-policy
        !
        interface gigabitethernet 0/0/0
         zone security zone1
        ! 
        interface gigabitethernet 0/1/1
         zone security zone2      

        Additional References for SIP ALG Hardening for NAT and Firewall

        Related Documents

        Standards and RFCs

        Standard/RFC

        Title

        RFC 3261

        SIP: Session Initiation Protocol

        Technical Assistance

        Description

        Link

        The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for SIP ALG Hardening for NAT and Firewall

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Table 1 Feature Information for SIP ALG Hardening for NAT and Firewall

        Feature Name

        Releases

        Feature Information

        SIP ALG Hardening for NAT and Firewall

        Cisco IOS XE Release 3.8S

        The SIP ALG Hardening for NAT and Firewall feature provides better memory management and RFC compliance over the existing SIP ALG support for NAT and firewall.