Cisco Asdm 7 User Guide
11-57 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection

– Action—Shows the action if the match condition is met.
– Log—Shows the log state.
– Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection.
– Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection.
– Delete—Deletes an ESMTP inspection.
– Move Up—Moves an inspection up in the list.
– Move Down—Moves an inspection down in the list.

Add/Edit ESMTP Inspect

The Add/Edit ESMTP Inspect dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View > Add/Edit ESMTP Inspect

The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.

Fields

Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.

Criterion—Specifies which criterion of ESMTP traffic to match.
– Body Length—Match body length at the specified length in bytes.
– Body Line Length—Match body line length at the specified length in bytes.
– Commands—Match commands exchanged in the ESMTP protocol.
– Command Recipient Count—Match command recipient count greater than the number specified.
– Command Line Length—Match command line length greater than the length specified in bytes.
– EHLO Reply Parameters—Match an ESMTP EHLO reply parameter.
– Header Length—Match header length at the length specified in bytes.
– Header To Fields Count—Match header To fields count greater than the number specified.
– Invalid Recipients Count—Match invalid recipients count greater than the number specified.
– MIME File Type—Match MIME file type.
– MIME Filename Length—Match MIME filename length.
– MIME Encoding—Match MIME encoding.
– Sender Address—Match sender email address.
– Sender Address Length—Match sender email address length.

Body Length Criterion Values—Specifies the value details for body length match.
– Greater Than Length—Body length in bytes.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
Body Line Length Criterion Values—Specifies the value details for body line length match.
– Greater Than Length—Body line length in bytes.
– Action—Reset, drop connection, log.
– Log—Enable or disable.

Commands Criterion Values—Specifies the value details for command match.
– Available Commands Table: AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SOML, VRFY
– Add—Adds the selected command from the Available Commands table to the Selected Commands table.
– Remove—Removes the selected command from the Selected Commands table.
– Primary Action—Mask, Reset, Drop Connection, None, Limit Rate (pps).
– Log—Enable or disable.
– Rate Limit—Do not limit rate, Limit Rate (pps).

Command Recipient Count Criterion Values—Specifies the value details for command recipient count match.
– Greater Than Count—Specify command recipient count.
– Action—Reset, drop connection, log.
– Log—Enable or disable.

Command Line Length Criterion Values—Specifies the value details for command line length match.
– Greater Than Length—Command line length in bytes.
– Action—Reset, drop connection, log.
– Log—Enable or disable.

EHLO Reply Parameters Criterion Values—Specifies the value details for EHLO reply parameters match.
– Available Parameters Table: 8bitmime, auth, binarymime, checkpoint, dsn, ecode, etrn, others, pipelining, size, vrfy
– Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table.
– Remove—Removes the selected parameter from the Selected Parameters table.
– Action—Reset, Drop Connection, Mask, Log.
– Log—Enable or disable.

Header Length Criterion Values—Specifies the value details for header length match.
– Greater Than Length—Header length in bytes.
– Action—Reset, Drop Connection, Mask, Log.
– Log—Enable or disable.

Header To Fields Count Criterion Values—Specifies the value details for header To fields count match.
– Greater Than Count—Specify header To fields count.
– Action—Reset, drop connection, log.
– Log—Enable or disable.

Invalid Recipients Count Criterion Values—Specifies the value details for invalid recipients count match.
– Greater Than Count—Specify invalid recipients count.
– Action—Reset, drop connection, log.
– Log—Enable or disable.

MIME File Type Criterion Values—Specifies the value details for MIME file type match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match.
– Greater Than Length—MIME filename length in bytes.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.

MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.
– Available Encodings Table: 7bit, 8bit, base64, binary, others, quoted-printable
– Add—Adds the selected encoding from the Available Encodings table to the Selected Encodings table.
– Remove—Removes the selected encoding from the Selected Encodings table.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.

Sender Address Criterion Values—Specifies the value details for sender address match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.

Sender Address Length Criterion Values—Specifies the value details for sender address length match.
– Greater Than Length—Sender address length in bytes.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.

TFTP Inspection

TFTP inspection is enabled by default.

TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.
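The ESMTP inspect-map criteria of the preceding section (command recipient count, commands, command line length, sender address regular expression, MIME encoding) evaluated over a constructed client-to-server transcript, including the Match/No Match inversion. This is an added illustration, not code from the guide or from ASDM; the SESSION lines and the CRITERIA entries are constructed for the example.

```python
import re
# Constructed ESMTP client-to-server transcript (sample input, not from the guide).
SESSION = ["EHLO mail.example.test", "MAIL FROM:<alice@example.test>",
           "RCPT TO:<bob@example.test>", "RCPT TO:<carol@example.test>", "DATA",
           "To: bob@example.test", "Content-Transfer-Encoding: base64", "",
           "QUJD", ".", "VRFY bob", "QUIT"]

# Hypothetical inspect-map entries: (name, criterion, value, match type, action).
# int value = "greater than", set = "one of", str = regular expression.
CRITERIA = [
    ("rcpt-flood", "command recipient count", 1, "match", "drop connection"),
    ("no-vrfy", "commands", {"VRFY", "ETRN"}, "match", "reset"),
    ("long-cmd", "command line length", 40, "match", "log"),
    ("local-senders", "sender address", r"@example\.test$", "no match", "drop connection"),
    ("plain-only", "mime encoding", {"7bit", "8bit"}, "no match", "drop connection"),
]

def parse(lines):  # -> (SMTP commands, message header lines, body lines)
    cmds, hdrs, body, in_data, in_hdr = [], [], [], False, False
    for line in lines:
        if not in_data:
            cmds.append(line)
            in_data = in_hdr = line.upper() == "DATA"
        elif line == ".":
            in_data = False      # end of DATA, back to the command channel
        elif in_hdr and line == "":
            in_hdr = False       # first blank line ends the header block
        else:
            (hdrs if in_hdr else body).append(line)
    return cmds, hdrs, body

def facts(lines):  # quantities each criterion is checked against
    cmds, hdrs, body = parse(lines)
    sender = next((m.group(1) for c in cmds
                   if (m := re.match(r"MAIL FROM:<([^>]*)>", c, re.I))), "")
    enc = next((h.split(":", 1)[1].strip().lower() for h in hdrs
                if h.lower().startswith("content-transfer-encoding:")), "7bit")
    return {"commands": {c.split()[0].upper() for c in cmds},
            "command recipient count": sum(c.upper().startswith("RCPT TO") for c in cmds),
            "command line length": max(len(c) for c in cmds),
            "sender address": sender, "mime encoding": enc}

def evaluate(lines, criteria=CRITERIA):  # -> (name, action) pairs that fire
    f, fired = facts(lines), []
    for name, crit, value, mtype, action in criteria:
        seen = f[crit]
        if isinstance(value, int):
            hit = seen > value
        elif isinstance(value, set):
            hit = bool(seen & value) if isinstance(seen, set) else seen in value
        else:
            hit = re.search(value, seen) is not None
        if hit == (mtype == "match"):   # No Match fires on traffic that does NOT hit
            fired.append((name, action))
    return fired
```

Note that the ASA applies these per inspect map with the configured action; this model only reports which entries would fire.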
The ASA inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TFTP read requests (RRQ), write requests (WRQ), and error notifications (ERROR).

A dynamic secondary channel and a PAT translation, if necessary, are allocated on reception of a valid read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification. Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel.

TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.
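The secondary-channel rules above (valid RRQ/WRQ opens a pinhole, only the server may initiate on it, at most one incomplete channel per client/server pair, a server ERROR closes it) modelled as a small stateful filter. This is an added illustration, not ASA code; the addresses, ports and payloads are constructed, and NAT/PAT translation is left out.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5          # RFC 1350 opcodes
MODES = (b"netascii", b"octet", b"mail")

def parse_request(payload):
    """Validate an RRQ/WRQ: opcode, then NUL-terminated filename and transfer mode."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or fields[1].lower() not in MODES:
        return None
    return struct.unpack("!H", payload[:2])[0], fields[0].decode("ascii", "replace")

def request(opcode, filename, mode=b"octet"):
    """Build an RRQ/WRQ payload (constructed test input)."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"

class TftpInspector:
    """Simplified model of the secondary-channel rules for one client/server pair."""
    def __init__(self, client, server):
        self.client, self.server = client, server
        self.pending = None    # client port of the single allowed incomplete channel
        self.channels = set()  # established (client_port, server_port) pairs

    def packet(self, src, sport, dst, dport, payload):
        """Return True if the datagram is permitted, False if it is dropped."""
        opcode = struct.unpack("!H", payload[:2])[0] if len(payload) >= 2 else None
        if (src, dst, dport) == (self.client, self.server, 69):
            if parse_request(payload) is None or self.pending is not None:
                return False         # malformed, or an incomplete channel already exists
            self.pending = sport     # pinhole: server:any -> client:sport
            return True
        if (src, dst) == (self.server, self.client):
            if dport == self.pending and opcode in (DATA, ACK, ERROR):
                self.pending = None  # only the server may open the secondary channel
                if opcode != ERROR:  # an error reply closes it before it is established
                    self.channels.add((dport, sport))
                return True
            if (dport, sport) in self.channels:
                if opcode == ERROR:  # server error notification closes the channel
                    self.channels.discard((dport, sport))
                return True
        if (src, dst) == (self.client, self.server) and (sport, dport) in self.channels:
            return True              # client replies on an established channel
        return False                 # anything else, including client-initiated channels
```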
Chapter 12 Configuring Inspection for Voice and Video Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput. Several common inspection engines are enabled on the ASA by default, but you might need to enable others depending on your network.

This chapter includes the following sections:
– CTIQBE Inspection
– H.323 Inspection
– MGCP Inspection
– RTSP Inspection
– SIP Inspection
– Skinny (SCCP) Inspection

CTIQBE Inspection

This section describes CTIQBE application inspection. This section includes the following topics:
– CTIQBE Inspection Overview
– Limitations and Restrictions

CTIQBE Inspection Overview

CTIQBE protocol inspection supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.
Limitations and Restrictions

The following summarizes limitations that apply when using CTIQBE application inspection:
– CTIQBE application inspection does not support configurations with the alias command.
– Stateful failover of CTIQBE calls is not supported.
– Debugging CTIQBE inspection may delay message transmission, which may have a performance impact in a real-time environment. When you enable this debugging or logging and Cisco IP SoftPhone seems unable to complete call setup through the ASA, increase the timeout values in the Cisco TSP settings on the system running Cisco IP SoftPhone.

The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:
– If two Cisco IP SoftPhones are registered with different Cisco CallManagers, which are connected to different interfaces of the ASA, calls between these two phones fail.
– When Cisco CallManager is located on the higher security interface compared to Cisco IP SoftPhones, if NAT or outside NAT is required for the Cisco CallManager IP address, the mapping must be static, because Cisco IP SoftPhone requires the Cisco CallManager IP address to be specified explicitly in its Cisco TSP configuration on the PC.
– When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not user-configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP.

H.323 Inspection

This section describes H.323 application inspection. This section includes the following topics:
– H.323 Inspection Overview
– How H.323 Works
– H.239 Support in H.245 Messages
– Limitations and Restrictions
– Select H.323 Map
– H.323 Class Map
– Add/Edit H.323 Traffic Class Map
– Add/Edit H.323 Match Criterion
– H.323 Inspect Map
– Phone Number Filtering
– Add/Edit H.323 Policy Map (Security Level)
– Add/Edit H.323 Policy Map (Details)
– Add/Edit HSI Group
– Add/Edit H.323 Map
H.323 Inspection Overview

H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.

With H.323 inspection enabled, the ASA supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the ASA.

The two major functions of H.323 inspection are as follows:
– NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the ASA uses an ASN.1 decoder to decode the H.323 messages.
– Dynamically allocate the negotiated H.245 and RTP/RTCP connections.

How H.323 Works

The H.323 collection of protocols collectively may use up to two TCP connections and four to eight UDP connections. FastConnect uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status.

An H.323 client can initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In environments where an H.323 gatekeeper is in use, the initial packet is transmitted using UDP.

H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals are not using FastConnect, the ASA dynamically allocates the H.245 connection based on the inspection of the H.225 messages.

Note: The H.225 connection can also be dynamically allocated when using RAS.
Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. RTP uses the negotiated port number, while RTCP uses the next higher port number.

The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports:
– 1718—Gatekeeper Discovery UDP port
– 1719—RAS UDP port
– 1720—TCP Control Port

You must permit traffic for the well-known H.323 port 1719 for RAS signaling. Additionally, you must permit traffic for the well-known H.323 port 1720 for the H.225 call signaling; however, the H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the ASA opens an H.225 connection based on inspection of the ACF and RCF messages.
After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 messages.

The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245 messages before they are passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as the H.225 and H.245 messages, the ASA must remember the TPKT length to process and decode the messages properly. For each connection, the ASA keeps a record that contains the TPKT length for the next expected message.

If the ASA needs to perform NAT on IP addresses in messages, it changes the checksum, the UUIE length, and the TPKT, if it is included in the TCP packet with the H.225 message. If the TPKT is sent in a separate TCP packet, the ASA proxy ACKs that TPKT and appends a new TPKT to the H.245 message with the new length.

Note: The ASA does not support TCP options in the Proxy ACK for the TPKT.

Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and times out with the H.323 timeout as configured in the Configuration > Firewall > Advanced > Global Timeouts pane.

Note: You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled.
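The per-connection TPKT bookkeeping described above (the header may arrive in a different TCP segment from the H.225/H.245 message it frames) as a stream reassembler that keeps the expected length between segments. This is an added example, not ASA code; it follows the RFC 1006 TPKT layout (version byte 3, reserved byte, 16-bit length that includes the 4-byte header), and the message bodies it frames are constructed opaque bytes rather than real PER-encoded H.225.

```python
import struct

TPKT_VERSION, TPKT_HDR = 3, 4   # RFC 1006: version byte, reserved byte, 16-bit length

def tpkt_frame(payload):
    """Prepend a TPKT header; the length field counts the 4 header bytes as well."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HDR + len(payload)) + payload

class TpktStream:
    """Per-connection state: the expected TPKT length survives across TCP segments."""
    def __init__(self):
        self.buf = b""
        self.expected = None   # total length of the message being collected, or None

    def feed(self, segment):
        """Consume one TCP segment and return every message it completes."""
        self.buf += segment
        out = []
        while True:
            if self.expected is None:
                if len(self.buf) < TPKT_HDR:
                    return out             # header itself is split across segments
                ver, _, length = struct.unpack("!BBH", self.buf[:TPKT_HDR])
                if ver != TPKT_VERSION or length < TPKT_HDR:
                    raise ValueError(f"bad TPKT header {self.buf[:TPKT_HDR].hex()}")
                self.expected = length     # remembered until the body has arrived
            if len(self.buf) < self.expected:
                return out                 # body still incomplete, keep waiting
            out.append(self.buf[TPKT_HDR:self.expected])
            self.buf, self.expected = self.buf[self.expected:], None
```

Re-framing a rewritten message with tpkt_frame yields the new length the text refers to; a segment whose header fails validation is rejected rather than silently resynchronised.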
H.239 Support in H.245 Messages

The ASA sits between two H.323 endpoints. When the two H.323 endpoints set up a telepresentation session so that the endpoints can send and receive a data presentation, such as spreadsheet data, the ASA ensures successful H.239 negotiation between the endpoints.

H.239 is a standard that provides the ability for H.300 series endpoints to open an additional video channel in a single call. In a call, an endpoint (such as a video phone) sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the H.245 channel. The ASA opens pinholes for the additional media channel and the media control channel. The endpoints use the open logical channel (OLC) message to signal a new channel creation. The message extension is part of H.245 version 13.

The decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and decoding is performed by the ASN.1 coder.

Limitations and Restrictions

The following are some of the known issues and limitations when using H.323 application inspection:
– Only static NAT is fully supported. Static PAT may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.