Detecting if SIP ALG is enabled on network

To determine whether a network that I don’t manage is “SIP aware” (running a SIP ALG), I used the following quick test.

Client Network

LAN: 192.168.1.1/24
WAN: 11.22.33.44
SIP Phone: 192.168.1.60

Remote Network

SIP Server: 4.49.115.30

I configured my phone to use my Linux server at 4.49.115.30 as its SIP server and started a capture on that server with tcpdump.

tcpdump -i ens192 -w sip_alg.pcap

I ran it for a few seconds to capture traffic from my phone.

Packet Showing Network With ALG

If the network is SIP aware and using ALG, the Contact: header of the SIP message will show the public IP of the client’s network.

REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 11.22.33.44:22501;branch=z9hG4bK738593727
From: "200" <sip:200@4.49.115.30:5060>;tag=738463962
To: "200" <sip:200@4.49.115.30:5060>
Call-ID: 0_738583021@192.168.1.60
CSeq: 1 REGISTER
Contact: <sip:200@11.22.33.44:22501>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T33G 124.86.0.40 805e0cxxxxxx
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0

Packet Showing Network Without ALG

If the network is not SIP aware (no ALG in use), the Contact: header of the SIP message will show the RFC 1918 IP address on the client’s network.

REGISTER sip:4.49.115.30:5060 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK735305753
From: "200" <sip:702200@4.49.115.30:5060>;tag=735174715
To: "200" <sip:702200@4.49.115.30:5060>
Call-ID: 0_735247007@192.168.1.60
CSeq: 1 REGISTER
Contact: <sip:200@192.168.1.60:5060>
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T33G 124.86.0.40 805e0cxxxxxx
Expires: 3600
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 0
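
The comparison above can be automated. The following is an added example, not part of the original post: it pulls the Via and Contact hosts out of a SIP request captured on the server and checks them against the RFC 1918 ranges. The function names and result labels are assumptions, and the two sample messages are constructed from the captures above (abbreviated).

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Host part of the topmost Via sent-by and of the first Contact URI.
VIA_RE = re.compile(r"^(?:Via|v):\s*SIP/2\.0/\w+\s+([^;:\s]+)", re.I | re.M)
CONTACT_RE = re.compile(r"^(?:Contact|m):.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)", re.I | re.M)


def header_hosts(message):
    """Return (via_host, contact_host); a missing header yields None."""
    via, contact = VIA_RE.search(message), CONTACT_RE.search(message)
    return (via.group(1) if via else None, contact.group(1) if contact else None)


def is_rfc1918(host):
    """True/False for an IPv4 literal, None for a hostname or missing value."""
    try:
        addr = ipaddress.IPv4Address(host)
    except (ValueError, TypeError):
        return None
    return any(addr in net for net in RFC1918)


def classify(message):
    """Classify one SIP request as captured on the server side."""
    flags = [is_rfc1918(h) for h in header_hosts(message)]
    if None in flags:
        return "unknown"        # hostname or missing header: cannot tell
    if all(flags):
        return "not-rewritten"  # phone's LAN address arrived untouched
    if not any(flags):
        return "rewritten"      # public address in both headers
    return "mixed"              # only one header rewritten: inspect by hand


# Constructed samples: the post's two REGISTER captures, abbreviated.
WITH_ALG = (
    "REGISTER sip:4.49.115.30:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 11.22.33.44:22501;branch=z9hG4bK738593727\r\n"
    "Contact: <sip:200@11.22.33.44:22501>\r\n"
    "Content-Length: 0\r\n\r\n"
)
WITHOUT_ALG = (
    "REGISTER sip:4.49.115.30:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK735305753\r\n"
    "Contact: <sip:200@192.168.1.60:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, msg in (("with ALG", WITH_ALG), ("without ALG", WITHOUT_ALG)):
        print(name, header_hosts(msg), classify(msg))
```

A phone with STUN or a static NAT address configured also advertises a public Contact, so rule those settings out on the phone before attributing a "rewritten" result to ALG.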

Disable SIP ALG

Here are some ways to disable SIP ALG on various devices I’ve had experience with.

Cisco ASA

ciscoasa> enable
Password:
ciscoasa# config terminal
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sip
