SIP Instant Messaging
Instant Messaging refers to the transfer of messages between users in near real-time. SIP supports the Chat feature on Windows XP using Windows Messenger RTC Client version 4.7.0105 only. The MESSAGE/INFO methods and 202 Accept response are used to support IM as defined in the following RFCs:
- Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
- Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428
MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value. This value must be configured at least five minutes longer than the subscription duration. The subscription duration is defined in the Contact Expires value and is typically 30 minutes.
Because MESSAGE/INFO requests are typically sent using a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.
Note Only the Chat feature is currently supported. Whiteboard, File Transfer, and Application Sharing are not supported. RTC Client 5.0 is not supported.
SIP inspection translates the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.
SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload. These indices identify the call, the source, and the destination. This database contains the media addresses and media ports found in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. The ASA opens RTP/RTCP connections between the two endpoints using these media addresses/ports.
The well-known port 5060 must be used on the initial call setup (INVITE) message; however, subsequent messages may not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be translated.
As a call is set up, the SIP session is in the “transient” state until the media address and media port is received from the called endpoint in a Response message indicating the RTP port the called endpoint listens on. If there is a failure to receive the response messages within one minute, the signaling connection is torn down.
Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface does not traverse the ASA, unless the ASA configuration specifically allows it.
Configuring a SIP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create a SIP inspection policy map. You can then apply the inspection policy map when you enable SIP inspection.
To create a SIP inspection policy map, perform the following steps:
Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the “Configuring Regular Expressions” section. See the types of text you can match in the match commands described in Step 3.
Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to the “Creating a Regular Expression Class Map” section.s
Step 3 (Optional) Create a SIP inspection class map by performing the following steps.
A class map groups multiple traffic matches. Traffic must match all of the match commands to match the class map. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop-connection, reset, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
a. Create the class map by entering the following command:
hostname(config)# class-map type inspect sip [match-all | match-any] class_map_name
Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at leX ( The CLI enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
Where string is the description of the class map (up to 200 characters).
c. (Optional) To match a called party, as specified in the To header, enter the following command:
hostname(config-cmap)# match [not] called-party regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
d. (Optional) To match a calling party, as specified in the From header, enter the following command:
hostname(config-cmap)# match [not] calling-party regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
e. (Optional) To match a content length in the SIP header, enter the following command:
hostname(config-cmap)# match [not] content length gt length
Where length is the number of bytes the content length is greater than. 0 to 65536.
f. (Optional) To match an SDP content type or regular expression, enter the following command:
hostname(config-cmap)# match [not] content type {sdp | regex {class class_name | regex_name}}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
g. (Optional) To match a SIP IM subscriber, enter the following command:
hostname(config-cmap)# match [not] im-subscriber regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
h. (Optional) To match a SIP via header, enter the following command:
hostname(config-cmap)# match [not] message-path regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
i. (Optional) To match a SIP request method, enter the following command:
hostname(config-cmap)# match [not] request-method method
Where method is the type of method to match (ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update).
j. (Optional) To match the requester of a third-party registration, enter the following command:
hostname(config-cmap)# match [not] third-party-registration regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
k. (Optional) To match an URI in the SIP headers, enter the following command:
hostname(config-cmap)# match [not] uri {sip | tel} length gt length
Where length is the number of bytes the URI is greater than. 0 to 65536.
Step 4 Create a SIP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect sip policy_map_name
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 5 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 6 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
- Specify the SIP class map that you created in Step 3 by entering the following command:
hostname(config-pmap)# class class_map_name
- Specify traffic directly in the policy map using one of the match commands described in Step 3. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
b. Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
The rate-limit message_rate argument limits the rate of messages.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section.
Step 7 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
b. To enable or disable instant messaging, enter the following command:
hostname(config-pmap-p)# im
c. To enable or disable IP address privacy, enter the following command:
hostname(config-pmap-p)# ip-address-privacy
d. To enable check on Max-forwards header field being 0 (which cannot be 0 before reaching the destination), enter the following command:
hostname(config-pmap-p)# max-forwards-validation action {drop | drop-connection | reset | log} [log]
e. To enable check on RTP packets flowing on the pinholes for protocol conformance, enter the following command:
hostname(config-pmap-p)# rtp-conformance [enforce-payloadtype]
Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
f. To identify the Server and User-Agent header fields, which expose the software version of either a server or an endpoint, enter the following command:
hostname(config-pmap-p)# software-version action {mask | log} [log]
Where the mask keyword masks the software version in the SIP messages.
g. To enable state checking validation, enter the following command:
hostname(config-pmap-p)# state-checking action {drop | drop-connection | reset | log} [log]
h. To enable strict verification of the header fields in the SIP messages according to RFC 3261, enter the following command:
hostname(config-pmap-p)# strict-header-validation action {drop | drop-connection | reset | log} [log]
i. To allow non SIP traffic using the well-known SIP signaling port, enter the following command:
hostname(config-pmap-p)# traffic-non-sip
j. To identify the non-SIP URIs present in the Alert-Info and Call-Info header fields, enter the following command:
hostname(config-pmap-p)# uri-non-sip action {mask | log} [log]
The following example shows how to disable instant messaging over SIP:
hostname(config)# policy-map type inspect sip mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# no im
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect sip mymap
hostname(config)# service-policy global_policy global