SIP ALG – Cisco ASA (Version 7)
Most ASAs will have the “inspect sip” statement listed in the default policy-map. Some service providers will recommend disabling this feature.
1. Log into the ASA through SSH, telnet or the console.
2. Once authenticated, move into “enable mode” by typing “enable”.
================================
ASA> enable
Password:
================================
3. Enter your password.
4. Type “show run policy-map”. This will display the details of the current policy-maps.
================================
ASA# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy <——————- “global_policy” is the name of the policy-map used here.
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
ASA#
=========================
5. If you see the “inspect sip” statement, the ASA will keep track of the UDP ports used for call control (default of 5060). It will also keep track of the UDP ports used by RTP (audio packets).
6. If your service provider recommends turning this feature on, then make no changes.
7. If the feature needs to be disabled and your policy-map is named “global_policy”, you can use the script below. You MUST be in enable mode to copy and paste this.
==================
!
configure terminal
policy-map global_policy
class inspection_default
no inspect sip
exit
exit
exit
write mem
=================
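The script in step 7 only applies when the policy-map is named “global_policy”. The following is an added example, not part of the original procedure: it reads saved “show run policy-map” output, finds every policy-map and class that holds “inspect sip”, and builds the step 7 script with the names actually found. The sample output is constructed, and the “voice_policy” map and the function names are hypothetical.

```python
# Constructed sample of "show run policy-map" output; voice_policy is hypothetical.
SAMPLE = """\
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
  inspect tftp
policy-map voice_policy
 class voice_class
  inspect sip
!
"""


def find_sip_inspection(config_text):
    """Return (policy_map, class, statement) for every enabled SIP inspection."""
    hits, pmap, cls = [], None, None
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) < 2:
            continue  # "!" separators, blank lines, bare prompts
        if words[0] == "policy-map":
            # "policy-map type inspect ..." defines inspection parameters,
            # not a policy that holds "inspect sip"; skip it.
            pmap, cls = (None if words[1] == "type" else words[1]), None
        elif words[0] == "class" and pmap:
            cls = words[1]
        elif words[:2] == ["inspect", "sip"] and pmap and cls:
            hits.append((pmap, cls, " ".join(words)))
    return hits


def disable_commands(hits):
    """Build the step 7 script using the names actually found."""
    if not hits:
        return []  # SIP inspection already off: nothing to change
    lines = ["configure terminal"]
    for pmap, cls, stmt in hits:
        lines += [f"policy-map {pmap}", f"class {cls}", f"no {stmt}", "exit", "exit"]
    return lines + ["exit", "write mem"]


if __name__ == "__main__":
    print("\n".join(disable_commands(find_sip_inspection(SAMPLE))))
```

The parser keys on the leading keyword of each line, so it also works on output whose indentation was lost when it was pasted.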