Cisco Cisco Expressway
Via: SIP/2.0/TLS 10.0.10.2:5061
Via: SIP/2.0/TLS 10.0.20.3:55938
Call-ID: 20ec9fd084eb3dd2@127.0.0.1
CSeq: 100 INVITE
Contact: <sip:EndpointA@10.0.20.3:55938;transport=tls>
From: "Endpoint A" <sip:EndpointA@cisco.com>;tag=9a42af
To: <sip: 64.100.0.20>
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 2825
v=0
s=-
c=IN IP4 64.100.0.10
b=AS:2048
…
…
…
Figure 5: SIP INVITE arriving at Endpoint B - Static NAT mode enabled
With static NAT enabled on LAN2 of the Expressway-E, the c-line of the SIP INVITE has now been rewritten
to c=IN IP4 64.100.0.10, and this means that when endpoint B sends outbound RTP media to endpoint A,
this will be sent to IP address 64.100.0.10, the public NAT address of the NAT router, which is 1:1 NATed to
the LAN2 IP address of the Expressway-E, 10.0.10.2. As RTP media from endpoint B arrives at the NAT
router with a destination IP address of 64.100.0.10, the NAT router will forward these packets to the
Expressway-E at 10.0.10.2 and two-way media is achieved.
to c=IN IP4 64.100.0.10, and this means that when endpoint B sends outbound RTP media to endpoint A,
this will be sent to IP address 64.100.0.10, the public NAT address of the NAT router, which is 1:1 NATed to
the LAN2 IP address of the Expressway-E, 10.0.10.2. As RTP media from endpoint B arrives at the NAT
router with a destination IP address of 64.100.0.10, the NAT router will forward these packets to the
Expressway-E at 10.0.10.2 and two-way media is achieved.
Routers/firewalls with SIP/H.323 ALG
Some routers and firewalls have SIP and H.323 ALG capabilities. ALG is also referred to as Fixup,
Inspection, Application Awareness, Stateful Packet Inspection, Deep Packet Inspection and so forth. This
means that the router/firewall is able to identify SIP and H.323 traffic as it passes through and inspect, and in
some cases modify, the payload of the SIP and H.323 messages. The purpose of modifying the payload is to
help the H.323 or SIP application from which the message originated to traverse NAT, i.e. to perform a
similar process to what the Expressway-E does.
Inspection, Application Awareness, Stateful Packet Inspection, Deep Packet Inspection and so forth. This
means that the router/firewall is able to identify SIP and H.323 traffic as it passes through and inspect, and in
some cases modify, the payload of the SIP and H.323 messages. The purpose of modifying the payload is to
help the H.323 or SIP application from which the message originated to traverse NAT, i.e. to perform a
similar process to what the Expressway-E does.
The challenge with router/firewall-based SIP and H.323 ALGs is that these were originally intended to aid
relatively basic H.323 and SIP applications to traverse NAT, and these applications had, for the most part,
very basic functionality and often only supported audio.
relatively basic H.323 and SIP applications to traverse NAT, and these applications had, for the most part,
very basic functionality and often only supported audio.
Over the years, many H.323 and SIP implementations have become more complex, supporting multiple
video streams and application sharing (H.239, BFCP), encryption/security features (H.235, DES/AES),
firewall traversal (Assent, H.460) and other extensions of the SIP and H.323 standards.
video streams and application sharing (H.239, BFCP), encryption/security features (H.235, DES/AES),
firewall traversal (Assent, H.460) and other extensions of the SIP and H.323 standards.
For a router/firewall to properly perform ALG functions for SIP and H.323 traffic, it is therefore of utmost
importance that the router/firewall understands and properly interprets the full content of the payload it is
inspecting. Since H.323 and SIP are standards/recommendations which are in constant development, it is
not likely that the router/firewall will meet these requirements, resulting in unexpected behavior when using
H.323 and SIP applications in combination with such routers/firewalls.
importance that the router/firewall understands and properly interprets the full content of the payload it is
inspecting. Since H.323 and SIP are standards/recommendations which are in constant development, it is
not likely that the router/firewall will meet these requirements, resulting in unexpected behavior when using
H.323 and SIP applications in combination with such routers/firewalls.
There are also scenarios where the router/firewall normally will not be able to inspect the traffic at all, for
example when using SIP over TLS, where the communication is end-to-end secure and encrypted as it
passes through the router/firewall.
example when using SIP over TLS, where the communication is end-to-end secure and encrypted as it
passes through the router/firewall.
Cisco Expressway Basic Configuration Deployment Guide (X8.5.2)
Page 50 of 57
Appendix 4: Advanced network deployments