Inspection for Voice and Video Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

Several common inspection engines are enabled on the ASA by default, but you might need to enable others depending on your network.

This chapter includes the following sections:

CTIQBE Inspection

This section describes CTIQBE application inspection. This section includes the following topics:

CTIQBE Inspection Overview

CTIQBE protocol inspection supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA.

TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.

Limitations and Restrictions

The following summarizes limitations that apply when using CTIQBE application inspection:

  • CTIQBE application inspection does not support configurations with the alias command.
  • Stateful failover of CTIQBE calls is not supported.
  • Debugging CTIQBE inspection may delay message transmission, which may have a performance impact in a real-time environment. When you enable this debugging or logging and Cisco IP SoftPhone seems unable to complete call setup through the ASA, increase the timeout values in the Cisco TSP settings on the system running Cisco IP SoftPhone.

The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:

  • If two Cisco IP SoftPhones are registered with different Cisco CallManagers, which are connected to different interfaces of the ASA, calls between these two phones fails.
  • When Cisco CallManager is located on the higher security interface compared to Cisco IP SoftPhones, if NAT or outside NAT is required for the Cisco CallManager IP address, the mapping must be static as Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC.
  • When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not user-configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP.

H.323 Inspection

This section describes the H.323 application inspection. This section includes the following topics:

H.323 Inspection Overview

H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.

With H.323 inspection enabled, the ASA supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the ASA.

The two major functions of H.323 inspection are as follows:

  • NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the ASA uses an ASN.1 decoder to decode the H.323 messages.
  • Dynamically allocate the negotiated H.245 and RTP/RTCP connections.

How H.323 Works

The H.323 collection of protocols collectively may use up to two TCP connection and four to eight UDP connections. FastConnect uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status.

An H.323 client can initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP.

H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals are not using FastConnect, the ASA dynamically allocates the H.245 connection based on the inspection of the H.225 messages.


Note The H.225 connection can also be dynamically allocated when using RAS.


Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. RTP uses the negotiated port number, while RTCP uses the next higher port number.

The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports.

  • 1718—Gate Keeper Discovery UDP port
  • 1719—RAS UDP port
  • 1720—TCP Control Port

You must permit traffic for the well-known H.323 port 1719 for RAS signaling. Additionally, you must permit traffic for the well-known H.323 port 1720 for the H.225 call signaling; however, the H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the ASA opens an H.225 connection based on inspection of the ACF and RCF nmessages.

After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 messages.

The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as H.225 and H.245 messages, the ASA must remember the TPKT length to process and decode the messages properly. For each connection, the ASA keeps a record that contains the TPKT length for the next expected message.

If the ASA needs to perform NAT on IP addresses in messages, it changes the checksum, the UUIE length, and the TPKT, if it is included in the TCP packet with the H.225 message. If the TPKT is sent in a separate TCP packet, the ASA proxy ACKs that TPKT and appends a new TPKT to the H.245 message with the new length.


Note The ASA does not support TCP options in the Proxy ACK for the TPKT.


Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and times out with the H.323 timeout as configured in the Configuration > Firewall > Advanced > Global Timeouts pane.


Note You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled.


H.239 Support in H.245 Messages

The ASA sits between two H.323 endpoints. When the two H.323 endpoints set up a telepresentation session so that the endpoints can send and receive a data presentation, such as spreadsheet data, the ASA ensure successful H.239 negotiation between the endpoints.

H.239 is a standar that provides the ability for H.300 series endpoints to open an additional video channel in a single call. In a call, an endpoint (such as a video phone), sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the H.245 channel.

The ASA opens pinholes for the additional media channel and the media control channel. The endpoints use open logical channel message (OLC) to signal a new channel creation. The message extension is part of H.245 version 13.

The decoding and encoding of of the telepresentation session is enabled by default. H.239 encoding and decoding is preformed by ASN.1 coder.

Limitations and Restrictions

The following are some of the known issues and limitations when using H.323 application inspection:

  • Only static NAT is fully supported. Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.
  • Not supported with dynamic NAT or PAT.
  • Not supported with extended PAT.
  • Not supported with NAT between same-security-level interfaces.
  • Not supported with outside NAT.
  • Not supported with NAT64.
  • When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in either direction. This problem is unrelated to the ASA.
  • If you configure a network static address where the network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails.

Select H.323 Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select H.323 Map

The Select H.323 Map dialog box lets you select or create a new H.323 map. An H.323 map lets you change the configuration values used for H.323 application inspection. The Select H.323 Map table provides a list of previously configured maps that you can select for application inspection.

Fields

  • Use the default H.323 inspection map—Specifies to use the default H.323 map.
  • Select an H.323 map for fine control over inspection Lets you select a defined application inspection map or add a new one.
  • Add—Opens the Add Policy Map dialog box for the inspection.

H.323 Class Map

Configuration > Global Objects > Class Maps > H.323

The H.323 Class Map pane lets you configure H.323 class maps for H.323 inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

  • Name—Shows the H.323 class map name.
  • Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the H.323 class map.

Value—Shows the value to match in the H.323 class map.

  • Description—Shows the description of the class map.
  • Add—Adds an H.323 class map.
  • Edit—Edits an H.323 class map.
  • Delete—Deletes an H.323 class map.

Add/Edit H.323 Traffic Class Map

Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map

The Add/Edit H.323 Traffic Class Map dialog box lets you define a H.323 class map.

Fields

  • Name—Enter the name of the H.323 class map, up to 40 characters in length.
  • Description—Enter the description of the H.323 class map.
  • Add—Adds an H.323 class map.
  • Edit—Edits an H.323 class map.
  • Delete—Deletes an H.323 class map.

Add/Edit H.323 Match Criterion

Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map > Add/Edit H.323 Match Criterion

The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map.

Fields

  • Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

  • Criterion—Specifies which criterion of H.323 traffic to match.

Called Party—Match the called party.

Calling Party—Match the calling party.

Media Type—Match the media type.

  • Called Party Criterion Values—Specifies to match on the H.323 called party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Calling Party Criterion Values—Specifies to match on the H.323 calling party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Media Type Criterion Values—Specifies which media type to match.

Audio—Match audio type.

Video—Match video type.

Data—Match data type.

H.323 Inspect Map

Configuration > Global Objects > Inspect Maps > H.323

The H.323 pane lets you view previously configured H.323 application inspection maps. An H.323 map lets you change the default configuration values used for H.323 application inspection.

H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, HSI groups, protocol state tracking, H.323 call duration enforcement, and audio/video control.

Fields

  • H.323 Inspect Maps—Table that lists the defined H.323 inspect maps.
  • Add—Configures a new H.323 inspect map. To edit an H.323 inspect map, choose the H.323 entry in the H.323 Inspect Maps table and click Customize.
  • Delete—Deletes the inspect map selected in the H.323 Inspect Maps table.
  • Security Level—Select the security level (low, medium, or high).

Low—Default.

State Checking h225 Disabled

State Checking ras Disabled

Call Party Number Disabled

Call duration Limit Disabled

RTP conformance not enforced

Medium

State Checking h225 Enabled

State Checking ras Enabled

Call Party Number Disabled

Call duration Limit Disabled

RTP conformance enforced

Limit payload to audio or video, based on the signaling exchange: no

High

State Checking h225 Enabled

State Checking ras Enabled

Call Party Number Enabled

Call duration Limit 1:00:00

RTP conformance enforced

Limit payload to audio or video, based on the signaling exchange: yes

Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters.

Customize—Opens the Add/Edit H.323 Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

Phone Number Filtering

Configuration > Global Objects > Inspect Maps > H323 > Phone Number Filtering

The Phone Number Filtering dialog box lets you configure the settings for a phone number filter.

Fields

  • Match Type—Shows the match type, which can be a positive or negative match.
  • Criterion—Shows the criterion of the inspection.
  • Value—Shows the value to match in the inspection.
  • Action—Shows the action if the match condition is met.
  • Log—Shows the log state.
  • Add—Opens the Add Phone Number Filter dialog box to add a phone number filter.
  • Edit—Opens the Edit Phone Number Filter dialog box to edit a phone number filter.
  • Delete—Deletes a phone number filter.
  • Move Up—Moves an entry up in the list.
  • Move Down—Moves an entry down in the list.

Add/Edit H.323 Policy Map (Security Level)

Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Basic View

The Add/Edit H.323 Policy Map pane lets you configure the security level and additional settings for H.323 application inspection maps.

Fields

  • Name—When adding an H.323 map, enter the name of the H.323 map. When editing an H.323 map, the name of the previously configured H.323 map is shown.
  • Description—Enter the description of the H323 map, up to 200 characters in length.
  • Security Level—Select the security level (low, medium, or high).

Low—Default.

State Checking h225 Disabled

State Checking ras Disabled

Call Party Number Disabled

Call duration Limit Disabled

RTP conformance not enforced

Medium

State Checking h225 Enabled

State Checking ras Enabled

Call Party Number Disabled

Call duration Limit Disabled

RTP conformance enforced

Limit payload to audio or video, based on the signaling exchange: no

High

State Checking h225 Enabled

State Checking ras Enabled

Call Party Number Enabled

Call duration Limit 1:00:00

RTP conformance enforced

Limit payload to audio or video, based on the signaling exchange: yes

Phone Number Filtering—Opens the Phone Number Filtering dialog box which lets you configure the settings for a phone number filter.

Default Level—Sets the security level back to the default.

  • Details—Shows the State Checking, Call Attributes, Tunneling and Protocol Conformance, HSI Group Parameters, and Inspections tabs to configure additional settings.

Add/Edit H.323 Policy Map (Details)

Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View

The Add/Edit H.323 Policy Map pane lets you configure the security level and additional settings for H.323 application inspection maps.

Fields

  • Name—When adding an H.323 map, enter the name of the H.323 map. When editing an H.323 map, the name of the previously configured H.323 map is shown.
  • Description—Enter the description of the H.323 map, up to 200 characters in length.
  • Security Level—Shows the security level and phone number filtering settings to configure.
  • State Checking—Tab that lets you configure state checking parameters for the H.323 inspect map.

Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.

Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.

Check RFC messages and open pinholes for call signal addresses in RFQ messages


Note You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled. You can enable this option by setting the option in the H.323 Inspect Map.


  • Call Attributes—Tab that lets you configure call attributes parameters for the H.323 inspect map.

Enforce call duration limit—Enforces the absolute limit on a call.

Call Duration Limit—Time limit for the call (hh:mm:ss).

Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.

  • Tunneling and Protocol Conformance—Tab that lets you configure tunneling and protocol conformance parameters for the H.323 inspect map.

Check for H.245 tunneling—Allows H.245 tunneling.

Action—Drop connection or log.

Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.

  • HSI Group Parameters—Tab that lets you configure an HSI group.

HSI Group ID—Shows the HSI Group ID.

IP Address—Shows the HSI Group IP address.

Endpoints—Shows the HSI Group endpoints.

Add—Opens the Add HSI Group dialog box to add an HSI group.

Edit—Opens the Edit HSI Group dialog box to edit an HSI group.

Delete—Deletes an HSI group.

  • Inspections—Tab that shows you the H.323 inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the H.323 inspection.

Value—Shows the value to match in the H.323 inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add H.323 Inspect dialog box to add an H.323 inspection.

Edit—Opens the Edit H.323 Inspect dialog box to edit an H.323 inspection.

Delete—Deletes an H.323 inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Add/Edit HSI Group

Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View > Add/Edit HSI Group

The Add/Edit HSI Group dialog box lets you configure HSI Groups.

Fields

  • Group ID—Enter the HSI group ID.
  • IP Address—Enter the HSI IP address.
  • Endpoints—Lets you configure the IP address and interface of the endpoints.

IP Address—Enter an endpoint IP address.

Interface—Specifies an endpoint interface.

  • Add—Adds the HSI group defined.
  • Delete—Deletes the selected HSI group.

Add/Edit H.323 Map

Configuration > Global Objects > Inspect Maps > H232 > H323 Inspect Map > Advanced View > Add/Edit H323 Inspect

The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map.

Fields

  • Single Match—Specifies that the H.323 inspect has only one match statement.
  • Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

  • Criterion—Specifies which criterion of H.323 traffic to match.

Called Party—Match the called party.

Calling Party—Match the calling party.

Media Type—Match the media type.

  • Called Party Criterion Values—Specifies to match on the H.323 called party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Calling Party Criterion Values—Specifies to match on the H.323 calling party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Media Type Criterion Values—Specifies which media type to match.

Audio—Match audio type.

Video—Match video type.

Data—Match data type.

  • Multiple Matches—Specifies multiple matches for the H.323 inspection.

H323 Traffic Class—Specifies the H.323 traffic class match.

Manage—Opens the Manage H323 Class Maps dialog box to add, edit, or delete H.323 Class Maps.

  • Action—Drop packet, drop connection, or reset.

MGCP Inspection

This section describes MGCP application inspection. This section includes the following topics:

MGCP Inspection Overview

MGCP is a master/slave protocol used to control media gateways from external call control elements called media gateway controllers or call agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external (global) addresses. Examples of media gateways are:

  • Trunking gateways, that interface between the telephone network and a Voice over IP network. Such gateways typically manage a large number of digital circuits.
  • Residential gateways, that provide a traditional analog (RJ11) interface to a Voice over IP network. Examples of residential gateways include cable modem/cable set-top boxes, xDSL devices, broad-band wireless devices.
  • Business gateways, that provide a traditional digital PBX interface or an integrated soft PBX interface to a Voice over IP network.

Note To avoid policy failure when upgrading from ASA version 7.1, all layer 7 and layer 3 policies must have distinct names. For instance, a previously configured policy map with the same name as a previously configured MGCP map must be changed before the upgrade.


MGCP messages are transmitted over UDP. A response is sent back to the source address (IP address and UDP port number) of the command, but the response may not arrive from the same address as the command was sent to. This can happen when multiple call agents are being used in a failover configuration and the call agent that received the command has passed control to a backup call agent, which then sends the response. Figure 10-1 illustrates how NAT can be used with MGCP.

Figure 10-1 Using NAT with MGCP

 

MGCP endpoints are physical or virtual sources and destinations for data. Media gateways contain endpoints on which the call agent can create, modify and delete connections to establish and control media sessions with other multimedia endpoints. Also, the call agent can instruct the endpoints to detect certain events and generate signals. The endpoints automatically communicate changes in service state to the call agent.

MGCP transactions are composed of a command and a mandatory response. There are eight types of commands:

  • CreateConnection
  • ModifyConnection
  • DeleteConnection
  • NotificationRequest
  • Notify
  • AuditEndpoint
  • AuditConnection
  • RestartInProgress

The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent. The gateway may also send a DeleteConnection. The registration of the MGCP gateway with the call agent is achieved by the RestartInProgress command. The AuditEndpoint and the AuditConnection commands are sent by the call agent to the gateway.

All commands are composed of a Command header, optionally followed by a session description. All responses are composed of a Response header, optionally followed by a session description.

  • The port on which the gateway receives commands from the call agent. Gateways usually listen to UDP port 2427.
  • The port on which the call agent receives commands from the gateway. Call agents usually listen to UDP port 2727.

Note MGCP inspection does not support the use of different IP addresses for MGCP signaling and RTP data. A common and recommended practice is to send RTP data from a resilient IP address, such as a loopback or virtual IP address; however, the ASA requires the RTP data to come from the same address as MGCP signalling.


Select MGCP Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select MGCP Map

The Select MGCP Map dialog box lets you select or create a new MGCP map. An MGCP map lets you change the configuration values used for MGCP application inspection. The Select MGCP Map table provides a list of previously configured maps that you can select for application inspection.

Fields

  • Use the default MGCP inspection map—Specifies to use the default MGCP map.
  • Select an MGCP map for fine control over inspection Lets you select a defined application inspection map or add a new one.
  • Add—Opens the Add Policy Map dialog box for the inspection.

MGCP Inspect Map

Configuration > Global Objects > Inspect Maps > MGCP

The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.

Fields

  • MGCP Inspect Maps—Table that lists the defined MGCP inspect maps.
  • Add—Configures a new MGCP inspect map.
  • Edit—Edits the selected MGCP entry in the MGCP Inspect Maps table.
  • Delete—Deletes the inspect map selected in the MGCP Inspect Maps table.

Gateways and Call Agents

Configuration > Global Objects > Inspect Maps > MGCP > Gateways and Call Agents

The Gateways and Call Agents dialog box lets you configure groups of gateways and call agents for the map.

Fields

  • Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647Criterion—Shows the criterion of the inspection.
  • Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
  • Call Agents—Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
  • Add—Displays the Add MGCP dialog box, which you can use to define a new application inspection map.
  • Edit—Displays the Edit MGCP dialog box, which you can use to modify the application inspection map selected in the application inspection map table.
  • Delete—Deletes the application inspection map selected in the application inspection map table.

Add/Edit MGCP Policy Map

Configuration > Global Objects > Inspect Maps > MGCP > MGCP Inspect Map > View

The Add/Edit MGCP Policy Map pane lets you configure the command queue, gateway, and call agent settings for MGCP application inspection maps.

Fields

  • Name—When adding an MGCP map, enter the name of the MGCP map. When editing an MGCP map, the name of the previously configured MGCP map is shown.
  • Description—Enter the description of the MGCP map, up to 200 characters in length.
  • Command Queue—Tab that lets you specify the permitted queue size for MGCP commands.

Command Queue Size—Specifies the maximum number of commands to queue. The valid range is from 1 to 2147483647.

  • Gateways and Call Agents—Tab that lets you configure groups of gateways and call agents for this map.

Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647Criterion—Shows the criterion of the inspection.

Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.

Call Agents—Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.

Add—Displays the Add MGCP Group dialog box, which you can use to define a new MGCP group of gateways and call agents.

Edit—Displays the Edit MGCP dialog box, which you can use to modify the MGCP group selected in the Gateways and Call Agents table.

Delete—Deletes the MGCP group selected in the Gateways and Call Agents table.

Add/Edit MGCP Group

Configuration > Global Objects > Inspect Maps > MGCP > Add/Edit MGCP Group

The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled.

Fields

  • Group ID—Specifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The valid range is from 0 to 2147483647.

Gateway to Be Added—Specifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.

Add—Adds the specified IP address to the IP address table.

Delete—Deletes the selected IP address from the IP address table.

IP Address—Lists the IP addresses of the gateways in the call agent group.

  • Call Agents

Call Agent to Be Added—Specifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.

Add—Adds the specified IP address to the IP address table.

Delete—Deletes the selected IP address from the IP address table.

IP Address—Lists the IP addresses of the call agents in the call agent group.

RTSP Inspection

This section describes RTSP application inspection. This section includes the following topics:

RTSP Inspection Overview

The RTSP inspection engine lets the ASA pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.


Note For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554.


RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The ASA only supports TCP, in conformity with RFC 2326. This TCP control channel is used to negotiate the data channels that is used to transmit audio/video traffic, depending on the transport mode that is configured on the client.

The supported RDT transports are: rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.

The ASA parses Setup response messages with a status code of 200. If the response message is travelling inbound, the server is outside relative to the ASA and dynamic channels need to be opened for connections coming inbound from the server. If the response message is outbound, then the ASA does not need to open dynamic channels.

Because RFC 2326 does not require that the client and server ports must be in the SETUP response message, the ASA keeps state and remembers the client ports in the SETUP message. QuickTime places the client ports in the SETUP message and then the server responds with only the server ports.

RTSP inspection does not support PAT or dual-NAT. Also, the ASA cannot recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.

Using RealPlayer

When using RealPlayer, it is important to properly configure transport mode. For the ASA, add an access-list command from the server to the client or vice versa. For RealPlayer, change transport mode by clicking Options > Preferences > Transport > RTSP Settings.

If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the ASA, there is no need to configure the inspection engine.

If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes, and for live content not available via Multicast. On the ASA, add an inspect rtsp port command.

Restrictions and Limitations

The following restrictions apply to the RSTP inspection.

  • The ASA does not support multicast RTSP or RTSP messages over UDP.
  • The ASA does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages.
  • The ASA cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be fragmented and ASA cannot perform NAT on fragmented packets.
  • With Cisco IP/TV, the number of translates the ASA performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
  • You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.

Select RTSP Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select NetBIOS Map

The Select RTSP Map dialog box lets you select or create a new RTSP map. An RTSP map lets you change the configuration values used for RTSP application inspection. The Select RTSP Map table provides a list of previously configured maps that you can select for application inspection.

Fields

  • Use the default RTSP inspection map—Specifies to use the default RTSP inspection map.
  • Select a RTSP inspect map for fine control over inspection Lets you select a defined application inspection map or add a new one.
  • Add—Opens the Add Policy Map dialog box for the inspection.

RTSP Inspect Map

Configuration > Global Objects > Inspect Maps > RADIUS

The RTSP pane lets you view previously configured RTSP application inspection maps. An RTSP map lets you change the default configuration values used for RTSP application inspection. You can use an RTSP map to protect RTSP traffic.

Fields

  • RTSP Inspect Maps—Table that lists the defined RTSP inspect maps.
  • Add—Configures a new RTSP inspect map.
  • Edit—Edits the selected RTSP entry in the RTSP Inspect Maps table.
  • Delete—Deletes the inspect map selected in the RTSP Inspect Maps table.

Add/Edit RTSP Policy Map

Configuration > Global Objects > Inspect Maps > MGCP > MGCP Inspect Map > View

The Add/Edit RTSP Policy Map pane lets you configure the parameters and inspections settings for RTSP application inspection maps.

Fields

  • Name—When adding an RTSP map, enter the name of the RTSP map. When editing an RTSP map, the name of the previously configured RTSP map is shown.
  • Description—Enter the description of the RTSP map, up to 200 characters in length.
  • Parameters—Tab that lets you restrict usage on reserved ports during media port negotiation, and lets you set the URL length limit.

Enforce Reserve Port Protection—Lets you restrict the use of reserved ports during media port negotiation.

Maximum URL Length—Specifies the maximum length of the URL allowed in the message. Maximum value is 6000.

  • Inspections—Tab that shows you the RTSP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the RTSP inspection.

Value—Shows the value to match in the RTSP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add RTSP Inspect dialog box to add a RTSP inspection.

Edit—Opens the Edit RTSP Inspect dialog box to edit a RTSP inspection.

Delete—Deletes a RTSP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

RTSP Class Map

Configuration > Firewall > Objects > Class Maps > RTSP

The RTSP Class Map pane lets you configure RTSP class maps for RTSP inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, SIP, and RTSP.

Fields

  • Name—Shows the RTSP class map name.
  • Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the RTSP class map.

Value—Shows the value to match in the RTSP class map.

  • Description—Shows the description of the class map.
  • Add—Adds a RTSP class map.
  • Edit—Edits a RTSP class map.
  • Delete—Deletes a RTSP class map.

Add/Edit RTSP Traffic Class Map

Configuration > Firewall > Objects > Class Maps > RTSP > Add/Edit RTSP Traffic Class Map

The Add/Edit RTSP Traffic Class Map dialog box lets you define the match criterion, values, and actions for the RTSP traffic class map.

Fields

  • Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

  • Criterion—Specifies which criterion of RTSP traffic to match.

URL Filter—Match URL filtering.

Request Method—Match an RTSP request method.

  • URL Filter Criterion Values—Specifies to match URL filtering. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • URL Filter Actions—Primary action and log settings.

Action—Drop connection or log.

Log—Enable or disable.

  • Request Method Criterion Values—Specifies to match an RTSP request method.

Request Method—Specifies a request method: announce, describe, get_parameter, options, pause, play, record, redirect, setup, set_parameters, teardown.

  • Request Method Actions—Primary action settings.

Action—Limit rate (pps).

SIP Inspection

This section describes SIP application inspection. This section includes the following topics:

SIP Inspection Overview

SIP, as defined by the IETF, enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the ASA can support any SIP VoIP gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:

  • SIP: Session Initiation Protocol, RFC 3261
  • SDP: Session Description Protocol, RFC 2327

To support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

The following limitations and restrictions apply when using PAT with SIP:

  • If a remote endpoint tries to register with a SIP proxy on a network protected by the ASA, the registration fails under very specific conditions, as follows:

PAT is configured for the remote endpoint.

The SIP registrar server is on the outside network.

The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.

Configuring static PAT is not supported with SIP inspection. If static PAT is configured for the Cisco Unified Communications Manager, SIP inspection cannot rewrite the SIP packet. Configure one-to-one static NAT for the Cisco Unified Communications Manager.

  • If a SIP device transmits a packet in which the SDP portion has an IP address in the owner/creator field (o=) that is different than the IP address in the connection field (c=), the IP address in the o= field may not be properly translated. This is due to a limitation in the SIP protocol, which does not provide a port value in the o= field.
  • When using PAT, any SIP header field which contains an internal IP address without a port might not be translated and hence the internal IP address will be leaked outside. If you want to avoid this leakage, configure NAT instead of PAT.

SIP Instant Messaging

Instant Messaging refers to the transfer of messages between users in near real-time. SIP supports the Chat feature on Windows XP using Windows Messenger RTC Client version 4.7.0105 only. The MESSAGE/INFO methods and 202 Accept response are used to support IM as defined in the following RFCs:

  • Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
  • Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428

MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value. This value must be configured at least five minutes longer than the subscription duration. The subscription duration is defined in the Contact Expires value and is typically 30 minutes.

Because MESSAGE/INFO requests are typically sent using a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.


Note Only the Chat feature is currently supported. Whiteboard, File Transfer, and Application Sharing are not supported. RTC Client 5.0 is not supported.


SIP inspection translates the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.

SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload. These indices identify the call, the source, and the destination. This database contains the media addresses and media ports found in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. The ASA opens RTP/RTCP connections between the two endpoints using these media addresses/ports.

The well-known port 5060 must be used on the initial call setup (INVITE) message; however, subsequent messages may not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be translated.

As a call is set up, the SIP session is in the “transient” state until the media address and media port is received from the called endpoint in a Response message indicating the RTP port the called endpoint listens on. If there is a failure to receive the response messages within one minute, the signaling connection is torn down.

Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.

If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface does not traverse the ASA, unless the ASA configuration specifically allows it.

Select SIP Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SIP Map

The Select SIP Map dialog box lets you select or create a new SIP map. A SIP map lets you change the configuration values used for SIP application inspection. The Select SIP Map table provides a list of previously configured maps that you can select for application inspection.

Fields

  • Use the default SIP inspection map—Specifies to use the default SIP map.
  • Select a SIP map for fine control over inspection Lets you select a defined application inspection map or add a new one.
  • Add—Opens the Add Policy Map dialog box for the inspection.
  • Enable encrypted traffic inspection check box—Select to enable the radio buttons to select a proxy type.
  • Proxy Type

TLS Proxy radio button—Use TLS Proxy to enable inspection of encrypted traffic.

Phone Proxy radio button—Specifies to associate the Phone Proxy with the TLS Proxy that you select from the TLS Proxy Name field.

Configure button—Opens the Configure the Phone Proxy dialog box so that you can specify or edit Phone Proxy configuration settings.

UC-IME Proxy ratio button—Specifies to associate the UC-IME Proxy (Cisco Intercompany Media Engine proxy) with the TLS Proxy that you select from the TLS Proxy Name field.

Configure button—Opens the Configure the UC-IME Proxy dialog box so that you can specify or edit UC-IME Proxy configuration settings.

  • TLS Proxy Name:—Name of existing TLS Proxy.
  • Manage—Opens the Add TLS Proxy dialog box to add a TLS Proxy.

Only one TLS proxy can be assigned to the Phone Proxy or UC-IME Proxy at a time. If you configure more than one service policy rule for Phone Proxy or UC-IME Proxy inspection and attempt to assign a different TLS proxy to them, ASDM displays a warning that all other service policy rules with Phone Proxy or UC-IME inspection will be changed to use the latest selected TLS proxy.

The UC-IME Proxy configuration requires two TLS proxies – one for outbound traffic and one for inbound. Rather than associating the TLS proxies directly with the UC-IME Proxy, as is the case with phone proxy, the TLS proxies are associated with it indirectly via SIP inspection rules.

You associate a TLS proxy with the Phone Proxy while defining a SIP inspection action. ASDM will convert the association to the existing phone proxy.

SIP Class Map

Configuration > Global Objects > Class Maps > SIP

The SIP Class Map pane lets you configure SIP class maps for SIP inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

  • Name—Shows the SIP class map name.
  • Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the SIP class map.

Value—Shows the value to match in the SIP class map.

  • Description—Shows the description of the class map.
  • Add—Adds a SIP class map.
  • Edit—Edits a SIP class map.
  • Delete—Deletes a SIP class map.

Add/Edit SIP Traffic Class Map

Configuration > Global Objects > Class Maps > SIP > Add/Edit SIP Traffic Class Map

The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.

Fields

  • Name—Enter the name of the SIP class map, up to 40 characters in length.
  • Description—Enter the description of the SIP class map.
  • Add—Adds a SIP class map.
  • Edit—Edits a SIP class map.
  • Delete—Deletes a SIP class map.

Add/Edit SIP Match Criterion

Configuration > Global Objects > Class Maps > SIP > Add/Edit SIP Traffic Class Map > Add/Edit SIP Match Criterion

The Add/Edit SIP Match Criterion dialog box lets you define the match criterion and value for the SIP class map.

Fields

  • Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

  • Criterion—Specifies which criterion of SIP traffic to match.

Called Party—Match the called party as specified in the To header.

Calling Party—Match the calling party as specified in the From header.

Content Length—Match the Content Length header, between 0 and 65536.

Content Type—Match the Content Type header.

IM Subscriber—Match the SIP IM subscriber.

Message Path—Match the SIP Via header.

Request Method—Match the SIP request method.

Third-Party Registration—Match the requester of a third-party registration.

URI Length—Match a URI in the SIP headers, between 0 and 65536.

  • Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified.

Greater Than Length—Enter a header length value in bytes.

  • Content Type Criterion Values—Specifies to match a SIP content header type.

SDP—Match an SDP SIP content header type.

Regular Expression—Match a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Request Method Criterion Values—Specifies to match a SIP request method.

Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.

  • Third-Party Registration Criterion Values—Specifies to match the requester of a third-party registration. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • URI Length Criterion Values—Specifies to match a URI of a selected type and greater than the specified length in the SIP headers.

URI type—Specifies to match either SIP URI or TEL URI.

Greater Than Length—Length in bytes.

SIP Inspect Map

Configuration > Global Objects > Inspect Maps > SIP

The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection.

SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats.

SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.

Fields

  • SIP Inspect Maps—Table that lists the defined SIP inspect maps.
  • Add—Configures a new SIP inspect map. To edit a SIP inspect map, choose the SIP entry in the SIP Inspect Maps table and click Customize.
  • Delete—Deletes the inspect map selected in the SIP Inspect Maps table.
  • Security Level—Select the security level (high or low).

Low—Default.

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Permitted.

Hide server’s and endpoint’s IP addresses: Disabled.

Mask software version and non-SIP URIs: Disabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Not enforced.

SIP conformance: Do not perform state checking and header validation.

Medium

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Permitted.

Hide server’s and endpoint’s IP addresses: Disabled.

Mask software version and non-SIP URIs: Disabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: No

SIP conformance: Drop packets that fail state checking.

High

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Denied.

Hide server’s and endpoint’s IP addresses: Disabled.

Mask software version and non-SIP URIs: Enabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: Yes

SIP conformance: Drop packets that fail state checking and packets that fail header validation.

Customize—Opens the Add/Edit SIP Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

Add/Edit SIP Policy Map (Security Level)

Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Basic View

The Add/Edit SIP Policy Map pane lets you configure the security level and additional settings for SIP application inspection maps.

Fields

  • Name—When adding a SIP, enter the name of the SIP map. When editing a SIP map, the name of the previously configured SIP map is shown.
  • Description—Enter the description of the SIP map, up to 200 characters in length.
  • Security Level—Select the security level (high or low).

Low—Default.

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Permitted.

Hide server’s and endpoint’s IP addresses: Disabled.

Mask software version and non-SIP URIs: Disabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Not enforced.

SIP conformance: Do not perform state checking and header validation.

Medium

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Permitted.

Hide server’s and endpoint’s IP addresses: Disabled.

Mask software version and non-SIP URIs: Disabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: No

SIP conformance: Drop packets that fail state checking.

High

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Denied.

Hide server’s and endpoint’s IP addresses: Disabled.

Mask software version and non-SIP URIs: Enabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: Yes

SIP conformance: Drop packets that fail state checking and packets that fail header validation.

Default Level—Sets the security level back to the default.

  • Details—Shows additional filtering, IP address privacy, hop count, RTP conformance, SIP conformance, field masking, and inspections settings to configure.

Add/Edit SIP Policy Map (Details)

Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Advanced View

The Add/Edit SIP Policy Map pane lets you configure the security level and additional settings for SIP application inspection maps.

Fields

  • Name—When adding a SIP, enter the name of the SIP map. When editing a SIP map, the name of the previously configured SIP map is shown.
  • Description—Enter the description of the SIP map, up to 200 characters in length.
  • Security Level—Shows the security level settings to configure
  • Filtering—Tab that lets you configure the filtering settings for SIP.

Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Default is enabled.

Permit non-SIP traffic on SIP port—Permits non-SIP traffic on SIP port. Permitted by default.

  • IP Address Privacy—Tab that lets you configure the IP address privacy settings for SIP.

Hide server’s and endpoint’s IP addresses—Enables IP address privacy. Disabled by default.

  • Hop Count—Tab that lets you configure the hop count settings for SIP.

Ensure that number of hops to destination is greater than 0—Enables check for the value of Max-Forwards header is zero.

Action—Drop packet, Drop Connection, Reset, Log.

Log—Enable or Disable.

  • RTP Conformance—Tab that lets you configure the RTP conformance settings for SIP.

Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces payload type to be audio/video based on the signaling exchange.

  • SIP Conformance—Tab that lets you configure the SIP conformance settings for SIP.

Enable state transition checking—Enables SIP state checking.

Action—Drop packet, Drop Connection, Reset, Log.

Log—Enable or Disable.

Enable strict validation of header fields—Enables validation of SIP header fields.

Action—Drop packet, Drop Connection, Reset, Log.

Log—Enable or Disable.

  • Field Masking—Tab that lets you configure the field masking settings for SIP.

Inspect non-SIP URIs—Enables non-SIP URI inspection in Alert-Info and Call-Info headers.

Action—Mask or Log.

Log—Enable or Disable.

Inspect server’s and endpoint’s software version—Inspects SIP endpoint software version in User-Agent and Server headers.

Action—Mask or Log.

Log—Enable or Disable.

  • Inspections—Tab that shows you the SIP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the SIP inspection.

Value—Shows the value to match in the SIP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add SIP Inspect dialog box to add a SIP inspection.

Edit—Opens the Edit SIP Inspect dialog box to edit a SIP inspection.

Delete—Deletes a SIP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Add/Edit SIP Inspect

Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Advanced View > Add/Edit SIP Inspect

The Add/Edit SIP Inspect dialog box lets you define the match criterion and value for the SIP inspect map.

Fields

  • Single Match—Specifies that the SIP inspect has only one match statement.
  • Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

  • Criterion—Specifies which criterion of SIP traffic to match.

Called Party—Match a called party as specified in the To header.

Calling Party—Match a calling party as specified in the From header.

Content Length—Match a content length header.

Content Type—Match a content type header.

IM Subscriber—Match a SIP IM subscriber.

Message Path—Match a SIP Via header.

Request Method—Match a SIP request method.

Third-Party Registration—Match the requester of a third-party registration.

URI Length—Match a URI in the SIP headers.

  • Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified.

Greater Than Length—Enter a header length value in bytes.

  • Content Type Criterion Values—Specifies to match a SIP content header type.

SDP—Match an SDP SIP content header type.

Regular Expression—Match a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • Request Method Criterion Values—Specifies to match a SIP request method.

Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.

  • Third-Party Registration Criterion Values—Specifies to match the requester of a third-party registration. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

  • URI Length Criterion Values—Specifies to match a URI in the SIP headers greater than specified length.

URI type—Specifies to match either SIP URI or TEL URI.

Greater Than Length—Length in bytes.

  • Multiple Matches—Specifies multiple matches for the SIP inspection.

SIP Traffic Class—Specifies the SIP traffic class match.

Manage—Opens the Manage SIP Class Maps dialog box to add, edit, or delete SIP Class Maps.

  • Actions—Primary action and log settings.

Action—Drop packet, drop connection, reset, log. Note: Limit rate (pps) action is available for request methods invite and register.

Log—Enable or disable.

Skinny (SCCP) Inspection

This section describes SCCP application inspection. This section includes the following topics:

SCCP Inspection Overview


Note For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified Communications architecture and supports IP phone deployment, see Chapter15, “Cisco Phone Proxy”.


Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals.

The ASA supports PAT and NAT for SCCP. PAT is necessary if you have more IP phones than global IP addresses for the IP phones to use. By supporting NAT and PAT of SCCP Signaling packets, Skinny application inspection ensures that all SCCP signalling and media packets can traverse the ASA.

Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration. The ASA also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.


Note The ASA supports inspection of traffic from Cisco IP Phones running SCCP protocol version 19 and earlier.


Supporting Cisco IP Phones


Note For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified Communications architecture and supports IP phone deployment, see Chapter15, “Cisco Phone Proxy”


In topologies where Cisco CallManager is located on the higher security interface with respect to the Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its configuration. An static identity entry allows the Cisco CallManager on the higher security interface to accept registrations from the Cisco IP Phones.

Cisco IP Phones require access to a TFTP server to download the configuration information they need to connect to the Cisco CallManager server.

When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry. When using NAT, an identity static entry maps to the same IP address. When using PAT, it maps to the same IP address and port.

When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager, no ACL or static entry is required to allow the Cisco IP Phones to initiate the connection.

Restrictions and Limitations

The following are limitations that apply to the current version of PAT and NAT support for SCCP:

  • PAT does not work with configurations containing the alias command.
  • Outside NAT or PAT is not supported.

If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address or port, registrations for external Cisco IP Phones fail because the ASA currently does not support NAT or PAT for the file content transferred over TFTP. Although the ASA supports NAT of TFTP messages and opens a pinhole for the TFTP file, the ASA cannot translate the Cisco CallManager IP address and port embedded in the Cisco IP Phone configuration files that are transferred by TFTP during phone registration.


Note The ASA supports stateful failover of SCCP calls except for calls that are in the middle of call setup.


Select SCCP (Skinny) Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SCCP Map

The Select SCCP (Skinny) Map dialog box lets you select or create a new SCCP (Skinny) map. An SCCP (Skinny) map lets you change the configuration values used for SCCP (Skinny) application inspection. The Select SCCP (Skinny) Map table provides a list of previously configured maps that you can select for application inspection.

Fields

  • Use the default SCCP (Skinny) inspection map—Specifies to use the default SCCP (Skinny) map.
  • Select an SCCP (Skinny) map for fine control over inspection Lets you select a defined application inspection map or add a new one.
  • Add—Opens the Add Policy Map dialog box for the inspection.
  • Encrypted Traffic Inspection—Lets you specify TLS proxy settings for the inspect map.

Do not inspect Encrypted Traffic—Disables the inspection of Skinny application inspection.

Use Phone Proxy to enable inspection of encrypted traffic—Uses the Phone Proxy configured on the ASA to inspect Skinny application traffic. See Chapter15, “Cisco Phone Proxy”

Use TLS Proxy to enable inspection of encrypted traffic—Specifies to use Transaction Layer Security Proxy to enable inspection of encryped traffic.

TLS Proxy Name:—Name of existing TLS Proxy.

New—Opens the Add TLS Proxy dialog box to add a TLS Proxy.

SCCP (Skinny) Inspect Map

Configuration > Global Objects > Inspect Maps > SCCP (Skinny)

The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps. An SCCP (Skinny) map lets you change the default configuration values used for SCCP (Skinny) application inspection.

Skinny application inspection performs translation of embedded IP address and port numbers within the packet data, and dynamic opening of pinholes. It also performs additional protocol conformance checks and basic state tracking.

Fields

  • SCCP (Skinny) Inspect Maps—Table that lists the defined SCCP (Skinny) inspect maps.
  • Add—Configures a new SCCP (Skinny) inspect map. To edit an SCCP (Skinny) inspect map, choose the SCCP (Skinny) entry in the SCCP (Skinny) Inspect Maps table and click Customize.
  • Delete—Deletes the inspect map selected in the SCCP (Skinny) Inspect Maps table.
  • Security Level—Select the security level (high or low).

Low—Default.

Registration: Not enforced.

Maximum message ID: 0x181.

Minimum prefix length: 4

Media timeout: 00:05:00

Signaling timeout: 01:00:00.

RTP conformance: Not enforced.

Medium

Registration: Not enforced.

Maximum message ID: 0x141.

Minimum prefix length: 4.

Media timeout: 00:01:00.

Signaling timeout: 00:05:00.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: No.

High

Registration: Enforced.

Maximum message ID: 0x141.

Minimum prefix length: 4.

Maximum prefix length: 65536.

Media timeout: 00:01:00.

Signaling timeout: 00:05:00.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: Yes.

Message ID Filtering—Opens the Messaging ID Filtering dialog box for configuring message ID filters.

Customize—Opens the Add/Edit SCCP (Skinny) Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

Message ID Filtering

Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > Message ID Filtering

The Message ID Filtering dialog box lets you configure the settings for a message ID filter.

Fields

  • Match Type—Shows the match type, which can be a positive or negative match.
  • Criterion—Shows the criterion of the inspection.
  • Value—Shows the value to match in the inspection.
  • Action—Shows the action if the match condition is met.
  • Log—Shows the log state.
  • Add—Opens the Add Message ID Filtering dialog box to add a message ID filter.
  • Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter.
  • Delete—Deletes a message ID filter.
  • Move Up—Moves an entry up in the list.
  • Move Down—Moves an entry down in the list.

Add/Edit SCCP (Skinny) Policy Map (Security Level)

Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Basic View

The Add/Edit SCCP (Skinny) Policy Map pane lets you configure the security level and additional settings for SCCP (Skinny) application inspection maps.

Fields

  • Name—When adding an SCCP (Skinny) map, enter the name of the SCCP (Skinny) map. When editing an SCCP (Skinny) map, the name of the previously configured SCCP (Skinny) map is shown.
  • Description—Enter the description of the SCCP (Skinny) map, up to 200 characters in length.
  • Security Level—Select the security level (high or low).

Low—Default.

Registration: Not enforced.

Maximum message ID: 0x181.

Minimum prefix length: 4

Media timeout: 00:05:00

Signaling timeout: 01:00:00.

RTP conformance: Not enforced.

Medium

Registration: Not enforced.

Maximum message ID: 0x141.

Minimum prefix length: 4.

Media timeout: 00:01:00.

Signaling timeout: 00:05:00.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: No.

High

Registration: Enforced.

Maximum message ID: 0x141.

Minimum prefix length: 4.

Maximum prefix length: 65536.

Media timeout: 00:01:00.

Signaling timeout: 00:05:00.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: Yes.

Message ID Filtering—Opens the Messaging ID Filtering dialog box for configuring message ID filters.

Default Level—Sets the security level back to the default.

  • Details—Shows additional parameter, RTP conformance, and message ID filtering settings to configure.

Add/Edit SCCP (Skinny) Policy Map (Details)

Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Advanced View

The Add/Edit SCCP (Skinny) Policy Map pane lets you configure the security level and additional settings for SCCP (Skinny) application inspection maps.

Fields

  • Name—When adding an SCCP (Skinny) map, enter the name of the SCCP (Skinny) map. When editing an SCCP (Skinny) map, the name of the previously configured SCCP (Skinny) map is shown.
  • Description—Enter the description of the DNS map, up to 200 characters in length.
  • Security Level—Shows the security level and message ID filtering settings to configure.
  • Parameters—Tab that lets you configure the parameter settings for SCCP (Skinny).

Enforce endpoint registration—Enforce that Skinny endpoints are registered before placing or receiving calls.

Maximum Message ID—Specify value of maximum SCCP message ID allowed.

SCCP Prefix Length—Specifies prefix length value in Skinny messages.

Minimum Prefix Length—Specify minimum value of SCCP prefix length allowed.

Maximum Prefix Length—Specify maximum value of SCCP prefix length allowed.

Media Timeout—Specify timeout value for media connections.

Signaling Timeout—Specify timeout value for signaling connections.

  • RTP Conformance—Tab that lets you configure the RTP conformance settings for SCCP (Skinny).

Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio/video based on the signaling exchange.

  • Message ID Filtering—Tab that lets you configure the message ID filtering settings for SCCP (Skinny).

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add Message ID Filtering dialog box to add a message ID filter.

Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter.

Delete—Deletes a message ID filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Add/Edit Message ID Filter

Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Advanced View > Add/Edit Message ID Filter

The Add Message ID Filter dialog box lets you configure message ID filters.

Fields

  • Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

  • Criterion—Specifies which criterion of SCCP (Skinny) traffic to match.

Message ID—Match specified message ID.

Message ID—Specify value of maximum SCCP message ID allowed.

Message ID Range—Match specified message ID range.

Lower Message ID—Specify lower value of SCCP message ID allowed.

Upper Message ID—Specify upper value of SCCP message ID allowed.

  • Action—Drop packet.
  • Log—Enable or disable.