Solved: Re: FMC verify Sip is not inspected

Lee Dress · ‎08-15-2019

I'm running FMC 6.2.3.14 on 18 ASA devices.

I have disabled SIP inspection on my ASA devices, but how do I do this in the firepower policies?

I'm assuming the sfr policy on the asa routes all traffic through the firepower module, which means that firepower is looking at SIP. this is what i would like to disable.

any help would be appreciated.

here's the relevant part of my running config from my ASA if needed

access-list sfr_redirect extended permit ip any any

class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
class-map netflow
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect rsh
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect icmp
class sfr
sfr fail-open
class netflow
flow-export event-type all destination 192.168.x.x
class class-default
set connection decrement-ttl
user-statistics accounting

Marvin Rhoads · ‎08-16-2019

Ah - sorry I was writing the procedure for an FTD device. Flexconfigs do not apply to ASA Firepower service modules (sfr). That's why you don't see them as an available policy target.

The sfr module should not be inspecting SIP traffic for protocol conformance as that function would be handled (or bypassed as it would be in your case) by the associated ASA software.

View solution in original post

Marvin Rhoads · ‎08-15-2019

In a Firepower service module managed by FMC you can do this via Flexconfig. Create a Flexconfig object and enter these commands:

policy-map global_policy
class inspection_default
no inspect sip

Then bind this Flex object to Flex Policy and deploy.

If you are using ASDM management, you cannot change this inspection since Flexconfig is not supported with ASDM.

If you are running FTD, this is one of the few things that can be changed via cli:

> show running-config | begin global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
service-policy global_policy global
service-policy policy_map_Inside-Lab interface Inside-Lab
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:aa16121921d798a166b3f53cb302b677
: end
> 
> configure inspection sip disable
Building configuration...
Cryptochecksum: 077fc587 091d47b6 e43a3da9 567421df 

16047 bytes copied in 0.70 secs
[OK]
> show running-config | begin global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
service-policy global_policy global
service-policy policy_map_Inside-Lab interface Inside-Lab
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:077fc587091d47b6e43a3da9567421df
: end
>

Lee Dress · ‎08-16-2019

Thank you.

I'm running FMC.

I added a no_sip object and added the commands you mentioned.

then I created a disable sip Policy and appended the object to it.

When I click on policy assignments, none of my firepower devices are listed. so I can't depoly.

did I miss a step? I haven't used flex config at all before so maybe I'm missing something here.

Marvin Rhoads · ‎08-16-2019

Ah - sorry I was writing the procedure for an FTD device. Flexconfigs do not apply to ASA Firepower service modules (sfr). That's why you don't see them as an available policy target.

The sfr module should not be inspecting SIP traffic for protocol conformance as that function would be handled (or bypassed as it would be in your case) by the associated ASA software.

Lee Dress · ‎08-16-2019

Thanks for your help.

I just needed to verify that SIP was not inspected.

since the ASA says no inspect sip, I just wanted to make sure that the firepower module was following suit.

thank you for your help again!