Zone-Based Firewall and SIP protocol violation. Can anyone explain what Im missing on SIP inspection...

Paul Morgan · ‎07-20-2015

Hi all,

We are trying to add SIP to our ZBF inspection. But rather than just adding match protocol SIP and seeing instant results, we get a protocol violation error on the firewall.

Ive done some reading and most people claim that there was a bug in earlier IOS 15 versions. But Im on the latest version and with a new 2921 router. I cant find any reasoning behind normal SIP traffic not being recognised.

Also, Im a little confused as to how Im supposed to allow for SIP if it is only being inspected at Layer 4 without opening a huge security hole ie I have to allow all UDP traffic to be inspected on all ports.

Has anyone got any tips on what Im missing please?

configs are attached

many thanks,

Paul

joseoroz · ‎07-21-2015

Hello Paul,

You may be familiar with this bug as the workaround is the one that you mentioning of inspecting the UDP traffic instead of SIP.

https://tools.cisco.com/bugsearch/bug/CSCtl58680/?reffering_site=dumpcr

As far as the part of the inspection there shouldn't be much difference from inspection UDP than the SIP. As you may know what the inspection will do is keep a table with the ports open on the inbound interface and allow the return traffic based on the zone pair. As far as the SIP inspection it will additionally enforce that the SIP traffic is compliant with the RFC's.

Regards,

Jose Orozco.

Paul Morgan · ‎07-22-2015

Thank Jose.

Is there an fix for this inspection bug? It is a pretty major bug if it hasn't been resolved by ios15.4 - it was first reported in 15.1.

joseoroz · ‎07-22-2015

Hello Paul,

The bug is an enhancement request. I see that there are no updates since last year. In case the fix is incorporated on code it should be updated on the bug.

Kind regards,

Jose Orozco.

Zone-Based Firewall and SIP protocol violation. Can anyone explain what Im missing on SIP inspection?