07-20-2015 06:42 AM - edited 03-11-2019 11:17 PM
Hi all,
We are trying to add SIP to our ZBF inspection. But rather than just adding match protocol SIP and seeing instant results, we get a protocol violation error on the firewall.
I've done some reading and most people claim that there was a bug in earlier IOS 15 versions. But I'm on the latest version and with a new 2921 router. I can't find any reasoning behind normal SIP traffic not being recognised.
Also, I'm a little confused as to how I'm supposed to allow for SIP if it is only being inspected at Layer 4 without opening a huge security hole, i.e. I have to allow all UDP traffic to be inspected on all ports.
Has anyone got any tips on what I'm missing please?
Configs are attached.
Many thanks,
Paul
07-21-2015 12:40 PM
Hello Paul,
You may be familiar with this bug, as the workaround is the one that you mentioned, inspecting the UDP traffic instead of SIP.
https://tools.cisco.com/bugsearch/bug/CSCtl58680/?reffering_site=dumpcr
As far as the inspection part goes, there shouldn't be much difference between inspecting UDP and inspecting SIP. As you may know, what the inspection does is keep a table with the ports open on the inbound interface and allow the return traffic based on the zone pair. SIP inspection will additionally enforce that the SIP traffic is compliant with the RFCs.
Regards,
Jose Orozco.
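An added example, not Paul's attached configs and not Cisco's own text: a ZBF fragment showing the `match protocol sip` class that triggers the protocol-violation drop beside the UDP-inspection workaround Jose describes, with the UDP class narrowed by an ACL so only signalling to the SIP provider is inspected as generic UDP rather than all UDP on all ports. The zone names, the provider address 203.0.113.10 and the policy names are assumptions.

```cisco
! Assumed zones (placeholders, not from the thread)
zone security INSIDE
zone security OUTSIDE
!
! Assumed SIP trunk provider; replace 203.0.113.10 with the real address
ip access-list extended ACL-SIP-PROVIDER
 permit udp any host 203.0.113.10 eq 5060
!
! Original approach: SIP application-layer inspection. This is the
! class that produced the protocol-violation drops discussed above.
class-map type inspect match-any CM-SIP-ALG
 match protocol sip
!
! Workaround: inspect the SIP signalling as plain UDP, but only towards
! the provider on 5060, so the rest of UDP is not blanket-inspected.
class-map type inspect match-all CM-SIP-AS-UDP
 match protocol udp
 match access-group name ACL-SIP-PROVIDER
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-SIP-AS-UDP
  inspect
 class class-default
  drop log
!
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Check: after placing a call, the 5060 flow should appear as a session:
!   show policy-map type inspect zone-pair ZP-INSIDE-OUTSIDE sessions
```

Note that generic UDP inspection only tracks the 5060 flow it sees; unlike SIP inspection it does not read the SDP, so RTP media ports negotiated in the call are not opened dynamically and inbound-initiated media needs its own policy.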
07-22-2015 12:44 AM
Thanks Jose.
Is there a fix for this inspection bug? It is a pretty major bug if it hasn't been resolved by IOS 15.4; it was first reported in 15.1.
07-22-2015 09:29 AM
Hello Paul,
The bug is an enhancement request. I see that there are no updates since last year. In case the fix is incorporated into code, it should be updated on the bug.
Kind regards,
Jose Orozco.