Updated: April 3, 2019
This document describes how to disable Session Initiation Protocol (SIP) inspection on Adaptive Security Appliance (ASA) firewalls.
The purpose of SIP inspection is to provide address translation in the SIP header and body in order to allow for the dynamic opening of ports at the time of SIP signaling. SIP inspection is an extra layer of protection that does not expose internal IP addresses to the external network when you make calls from inside the network to the Internet. For example, in a Business-to-Business call from a device registered to the Cisco Unified Communications Manager (CUCM), through the Expressway-C and the Expressway-E, that dials a different domain, the private IP address in the SIP header is translated to the IP address of your firewall. Many symptoms can arise when an ASA inspects SIP signaling, which results in call failures and one-way audio or video.
Media Failure for Calls Over Expressways When SIP Inspection Is Turned On
In order for the calling party to determine where to send the media, it sends what it expects to receive in the Session Description Protocol (SDP) at the time of the SIP negotiation for both audio and video. In an Early Offer scenario, it sends media based on what it received in the 200 OK as shown in the image.
When SIP inspection is turned on, the ASA inserts its IP address either in the c parameter of the SDP (the connection information that indicates where to return calls) or in the SIP header. Here is an example of what a failed call looks like when SIP inspection is turned on:
User-Agent: TANDBERG/775 (MCX 220.127.116.1151) - Windows
If the public IP address of the firewall is inserted anywhere within this SIP signaling process, calls fail. It is also possible that no ACK is sent back from the User Agent Client when SIP inspection is turned on, which results in call failure.
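The condition described above can be checked against a captured SIP message. This Python sketch is an added example, not Cisco code: it reports every header and SDP line that carries the firewall's public IP address. The sample 200 OK is constructed, and the addresses 203.0.113.10 (firewall) and 198.51.100.20 (far-end endpoint) are assumed documentation values.

```python
import re

# Constructed sample: a 200 OK as it might look after an inspecting firewall
# rewrote it. 203.0.113.10 stands in for the firewall's public IP and
# 198.51.100.20 for the far-end endpoint (both are documentation addresses).
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 198.51.100.20:5060;branch=z9hG4bKconstructed1\r\n"
    "From: <sip:alice@example.com>;tag=a1\r\n"
    "To: <sip:bob@example.net>;tag=b2\r\n"
    "Call-ID: constructed-call-1@example.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:bob@203.0.113.10:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=tandberg 1 2 IN IP4 198.51.100.20\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 36000 RTP/AVP 0\r\n"
    "m=video 36002 RTP/AVP 97\r\n"
)


def find_firewall_ip(message, firewall_ip):
    """Return (section, field, line) tuples for each line carrying firewall_ip."""
    # Match the address as a whole token so 203.0.113.1 does not hit 203.0.113.10.
    pattern = re.compile(r"(?<![\d.])" + re.escape(firewall_ip) + r"(?!\d)")
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    hits = []
    if pattern.search(lines[0]):                 # request or status line
        hits.append(("start-line", "", lines[0]))
    for line in lines[1:]:                       # SIP headers
        name, _, value = line.partition(":")
        if pattern.search(value):
            hits.append(("header", name.strip(), line))
    for line in body.split("\r\n"):              # SDP body, e.g. the c= line
        if pattern.search(line):
            hits.append(("sdp", line[:2], line))
    return hits


if __name__ == "__main__":
    for hit in find_firewall_ip(SAMPLE_200_OK, "203.0.113.10"):
        print(hit)
```

An empty result for a message captured on the far side of the firewall indicates that the signaling was not rewritten with the firewall address.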
In order to disable SIP Inspection on an ASA Firewall:
Step 1. Log in to the CLI of the ASA.
Step 2. Run the command show run policy-map.
Step 3. Verify that inspect sip is under the policy map global-policy list as shown in the image.