Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 48 Configuring Inspection for Voice and Video Protocols
SIP Inspection
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface
to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified
in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside
interface do not traverse the ASA unless the ASA configuration specifically allows it.
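The pinhole behavior described above, as a simplified model (an added example, not Cisco code and not a description of the ASA's implementation). The INVITE is constructed sample data, the names media_holes and permits are hypothetical, only IPv4 is handled, and RTCP is assumed to use the RTP port plus one.

```python
# Simplified model of a SIP media pinhole; not ASA code. Sample data is constructed.
INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.1.20:5060",
    "Call-ID: constructed-1@10.1.1.20",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 10.1.1.20",
    "s=-",
    "c=IN IP4 10.1.1.20",          # session-level media address
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
    "c=IN IP4 10.1.1.21",          # media-level address overrides for video
    "m=application 9 TCP/MSRP *",  # not RTP: no UDP hole
    "",
])

def media_holes(sip_message):
    """Return the (address, UDP port) pairs an inside endpoint's SDP advertises."""
    _, _, sdp = sip_message.partition("\r\n\r\n")
    session_addr, streams = None, []       # streams: [proto, port, addr]
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if streams:
                streams[-1][2] = addr      # c= after m= applies to that stream
            else:
                session_addr = addr
        elif line.startswith("m="):
            _, port, proto = line[2:].split()[:3]
            streams.append([proto, int(port.split("/")[0]), None])
    holes = set()
    for proto, port, addr in streams:
        addr = addr or session_addr
        if proto.startswith("RTP/") and port and addr:
            holes.add((addr, port))        # RTP
            holes.add((addr, port + 1))    # RTCP (assumed RTP port + 1)
    return holes

def permits(holes, dst_addr, dst_port):
    """True only for UDP packets aimed at an advertised media address and port."""
    return (dst_addr, dst_port) in holes

if __name__ == "__main__":
    holes = media_holes(INVITE)
    for dst in [("10.1.1.20", 49170), ("10.1.1.21", 51373), ("10.1.1.20", 5004)]:
        print(dst, "permit" if permits(holes, *dst) else "drop (unsolicited)")
```

Any inbound UDP packet whose destination is not one of the advertised address and port pairs is treated as unsolicited in this model, matching the default described above.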
Select SIP Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SIP Map
The Select SIP Map dialog box lets you select or create a new SIP map. A SIP map lets you change the
configuration values used for SIP application inspection. The Select SIP Map table provides a list of
previously configured maps that you can select for application inspection.
Fields
Use the default SIP inspection map—Specifies to use the default SIP map.
Select a SIP map for fine control over inspection—Lets you select a defined application inspection
map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
Enable encrypted traffic inspection check box—Select to enable the radio buttons to select a proxy
type.
Proxy Type
TLS Proxy radio button—Use TLS Proxy to enable inspection of encrypted traffic.
Phone Proxy radio button—Specifies to associate the Phone Proxy with the TLS Proxy that you
select from the TLS Proxy Name field.
Configure button—Opens the Configure the Phone Proxy dialog box so that you can specify or
edit Phone Proxy configuration settings.
UC-IME Proxy radio button—Specifies to associate the UC-IME Proxy (Cisco Intercompany
Media Engine proxy) with the TLS Proxy that you select from the TLS Proxy Name field.
Configure button—Opens the Configure the UC-IME Proxy dialog box so that you can specify
or edit UC-IME Proxy configuration settings.
TLS Proxy Name:—Name of existing TLS Proxy.
Manage—Opens the Add TLS Proxy dialog box to add a TLS Proxy.
Only one TLS proxy can be assigned to the Phone Proxy or UC-IME Proxy at a time. If you configure
more than one service policy rule for Phone Proxy or UC-IME Proxy inspection and attempt to assign a
different TLS proxy to them, ASDM displays a warning that all other service policy rules with Phone
Proxy or UC-IME inspection will be changed to use the latest selected TLS proxy.
The UC-IME Proxy configuration requires two TLS proxies – one for outbound traffic and one for
inbound. Rather than associating the TLS proxies directly with the UC-IME Proxy, as is the case with
phone proxy, the TLS proxies are associated with it indirectly via SIP inspection rules.
You associate a TLS proxy with the Phone Proxy while defining a SIP inspection action. ASDM will
convert the association to the existing phone proxy.
Modes
The following table shows the modes in which this feature is available: