Pinhole Creation in ScreenOS Devices Overview

Both pinholes for the RTP and RTCP traffic share the same destination IP address. The IP address comes from the c= field in the SDP session description. Because the c= field can appear in either the session-level or media-level portion of the SDP session description, the parser determines the IP address based on the following rules (in accordance with SDP conventions):

Table 72 displays the information the SIP ALG needs to create a pinhole. This information comes from the SDP session description and parameters on the security device:

Table 72: Information for Pinhole Creation





Source IP


Source port


Destination IP

The parser extracts the destination IP address from the c= field in the media or session level.

Destination port

The parser extracts the destination port number for RTP from the m= field in the media level and calculates the destination port number for RTCP using the following formula:

RTP port number + one


This value indicates the length of time (in seconds) during which a pinhole is open to allow a packet through. A packet must go through the pinhole before the lifetime expires. When the lifetime expires, the SIP ALG removes the pinhole. When a packet goes through the pinhole within the lifetime period, immediately afterwards the SIP ALG removes the pinhole for the direction from which the packet came.

Related Documentation