Configuring SIP ALG (NSM Procedure)

SIP is an IETF-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.

To configure SIP ALG:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure SIP ALG.
  3. Click the Configuration tab. In the configuration tree, select Security > Alg > Sip.
  4. Add or modify settings as specified in Table 222.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 222: SIP ALG Configuration Details

| Option | Function | Your Action |
| --- | --- | --- |
| C Timeout | Specifies the INVITE transaction timeout at the proxy, in minutes. Because the SIP ALG is in the middle, instead of using the INVITE transaction timer value B (which is (64 * T1) = 32 seconds), the SIP ALG gets its timer value from the proxy. | Select a value between 3 and 10 minutes. The default is 3. |
| Inactive Media Timeout | Specifies the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the temporary openings (pinholes) that the SIP ALG opened in the firewall for media are closed. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated. | Select a value between 10 and 2,550 seconds. The default is 120 seconds. |
| Maximum Call Duration | Sets the absolute maximum length of a call. When a call exceeds this parameter setting, the SIP ALG tears down the call and releases the media sessions. | Select a value between 3 and 7,200 minutes. The default is 720 minutes. |
| T1 Interval | Specifies the round-trip time estimate (in seconds) of a transaction between endpoints. Because many SIP timers scale with the T1-Interval (as described in RFC 3261), when you change the value of the T1-Interval timer, those SIP timers also are adjusted. | Select a value between 500 and 5,000 milliseconds. The default is 500 milliseconds. |
| T4 Interval | Specifies the maximum time a message remains in the network. Because many SIP timers scale with the T4-Interval (as described in RFC 3261), when you change the value of the T4-Interval timer, those SIP timers also are adjusted. | Select a value between 5 and 10 seconds. The default is 5 seconds. |
| Disable | Enables or disables translation of the host IP address in the call-ID header. Translation is enabled by default. | Select this option to enable translation of host IP address in the call-ID header. By default, translation is enabled. |
| Retain Hold Resource | Specifies whether the device frees media resources for a SIP ALG, even when a media stream is placed on hold. | Select this option to enable the device to retain media stream resources when the media stream is on hold. By default, media stream resources are released when the media stream is held. |
| Timeout | Specifies the amount of time (in seconds) to make an attack table entry for each INVITE, which is listed in the application screen. | Enter a value between 1 and 3,600 seconds. |
| Destination Ip | Protects servers against INVITE attacks. Configure the SIP application screen to protect the server at some or all destination IP addresses against INVITE attacks. You can include up to 16 destination IP addresses of servers to be protected. | Select None, destination-ip, or all. If you select destination-ip, enter or select an IP address. |
| Permit NAT Applied | Specifies how unidentified SIP messages are handled by the device. Permitting unknown messages can compromise security and is not recommended. However, in a secure test or production environment, this statement can be useful for resolving interoperability issues with disparate vendor equipment. By permitting unknown SIP (unsupported) messages, you can get your network operational and later analyze your VoIP traffic to determine why some messages were being dropped. This statement applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol, the message is forwarded without processing. | Select this option to permit unidentified SIP messages. By default, unknown (unsupported) messages are dropped. |
| Permit Routed | Specifies that unknown messages be allowed to pass if the session is in Route mode. (Sessions in Transparent mode are treated as Route mode.) | Select this option. |
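The ranges in Table 222, the 16-address limit, and the timer B relationship noted under C Timeout can be checked offline before a change is saved. The following Python is an added example, not Juniper or NSM code: the setting key names are hypothetical stand-ins for the option labels, and the two cross-setting checks (timer B against C Timeout, inactive media timeout against maximum call duration) are assumptions of this example rather than rules stated by the product.

```python
# Added example: audit SIP ALG settings against the ranges in Table 222.
# Key names are hypothetical stand-ins for the NSM option labels.

RANGES = {  # key: (min, max, default) copied from Table 222
    "c_timeout_min": (3, 10, 3),
    "inactive_media_timeout_s": (10, 2550, 120),
    "max_call_duration_min": (3, 7200, 720),
    "t1_interval_ms": (500, 5000, 500),
    "t4_interval_s": (5, 10, 5),
}

def audit(cfg):
    """Return (effective values, findings) for a SIP ALG settings dict."""
    eff = {k: cfg.get(k, d) for k, (_, _, d) in RANGES.items()}
    findings = []
    for key, (lo, hi, _) in RANGES.items():
        if not lo <= eff[key] <= hi:
            findings.append(f"{key}={eff[key]} outside {lo}..{hi}")
    # Application screen timeout has no stated default, so check only if set.
    t = cfg.get("screen_timeout_s")
    if t is not None and not 1 <= t <= 3600:
        findings.append(f"screen_timeout_s={t} outside 1..3600")
    dests = cfg.get("screen_destination_ips", [])
    if len(dests) > 16:
        findings.append(f"{len(dests)} protected servers, limit is 16")
    if cfg.get("screen_protect", "none") == "none":
        findings.append("INVITE attack protection not configured")
    for flag in ("permit_nat_applied", "permit_routed"):
        if cfg.get(flag):
            findings.append(f"{flag}: unknown SIP messages permitted")
    # RFC 3261 timer B = 64 * T1. Assumed consistency check: the ALG's
    # C Timeout should outlast the endpoints' INVITE retransmissions.
    timer_b_s = 64 * eff["t1_interval_ms"] / 1000
    if timer_b_s > eff["c_timeout_min"] * 60:
        findings.append(f"timer B ({timer_b_s:g}s) exceeds C Timeout")
    # Assumed check: pinholes never idle out if the call is torn down first.
    if eff["inactive_media_timeout_s"] >= eff["max_call_duration_min"] * 60:
        findings.append("inactive media timeout >= maximum call duration")
    return eff, findings

# Constructed sample: a device tuned for interoperability testing.
SAMPLE = {"t1_interval_ms": 5000, "inactive_media_timeout_s": 3000,
          "permit_nat_applied": True, "screen_protect": "all",
          "screen_timeout_s": 5}

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print("FINDING:", finding)
```

With T1 raised to its 5,000 ms maximum, timer B becomes 320 seconds, which is longer than the default 3-minute C Timeout; the sample is flagged for that along with the out-of-range media timeout and the permitted unknown messages.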
