topic Re: NO Inspect SIP in Network Security

NO Inspect SIP

S.mooney12 — Fri, 21 Feb 2020 15:58:25 GMT

Hi Guys

Ran into an issue today with our VOIP service provider, calls were not coming through, a quick call to the service provider suggested to turn of SIP inspection, and yep it works.

My question is if SIP is not being inspected and we have no ACL how does this work?

Thanks

Re: NO Inspect SIP

Dennis Mink — Wed, 11 Jul 2018 23:33:22 GMT

when you turn SIP inspection off, you essentially pass on SIP traffic (most likely based on udp/5060 and 61 or tcp). the ASA will then not "intelligently" inspect SIP protocol headers and dynamically open up RTP ports based on the inspection. SIP inspection can be a bit of a double edged sword. sometimes it creates problems, sometimes it fixes them

Re: NO Inspect SIP

David_Mason — Fri, 01 Oct 2021 19:06:13 GMT

@Dennis Mink we recently had a very similar issue.

Here's the setup:

We have a global deny policy - no ACL, no pass.

We did not have ACLs allowing traffic to flow through a firewall to our CUBEs.

SIP inspection was ON.

Calls are flowing.

Change to inspection policy - do not match (inspect) for a single IP.

We apply policy and no new RTP is set up, resulting in calls coming through with no audio.

We quickly put ACLs in place to allow our SIP endpoints (Soft Phones) a path to the CUBEs.

Calls start flowing.

Inspection policy is still in place.

We open a TAC case and the agent says it should have never worked without ACLs.

I'm a little confused. Should the inspection policy dynamically create pathways for SIP traffic or is an ACL required? it seems to be as of right now, at least, but the doesn't explain the last few years. Of note - this is the first time we've touched the inspection policy in our tenure here.