Cisco ASDM 7 User Guide
12-5 Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 12: Configuring Inspection for Voice and Video Protocols

H.323 Inspection

• Not supported with dynamic NAT or PAT.
• Not supported with extended PAT.
• Not supported with NAT between same-security-level interfaces.
• Not supported with outside NAT.
• Not supported with NAT64.
• When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in either direction. This problem is unrelated to the ASA.
• If you configure a network static address where the network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails.

Select H.323 Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select H.323 Map

The Select H.323 Map dialog box lets you select or create a new H.323 map. An H.323 map lets you change the configuration values used for H.323 application inspection. The Select H.323 Map table provides a list of previously configured maps that you can select for application inspection.

Fields
• Use the default H.323 inspection map—Specifies to use the default H.323 map.
• Select an H.323 map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
• Add—Opens the Add Policy Map dialog box for the inspection.

H.323 Class Map
Configuration > Global Objects > Class Maps > H.323

The H.323 Class Map pane lets you configure H.323 class maps for H.323 inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps.
The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields
• Name—Shows the H.323 class map name.
• Match Conditions—Shows the type, match criterion, and value in the class map.
  –Match Type—Shows the match type, which can be a positive or negative match.
  –Criterion—Shows the criterion of the H.323 class map.
  –Value—Shows the value to match in the H.323 class map.
• Description—Shows the description of the class map.
• Add—Adds an H.323 class map.
• Edit—Edits an H.323 class map.
• Delete—Deletes an H.323 class map.

Add/Edit H.323 Traffic Class Map
Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map

The Add/Edit H.323 Traffic Class Map dialog box lets you define an H.323 class map.

Fields
• Name—Enter the name of the H.323 class map, up to 40 characters in length.
• Description—Enter the description of the H.323 class map.
• Add—Opens the Add H.323 Match Criterion dialog box to add a match criterion to the class map.
• Edit—Edits the selected match criterion.
• Delete—Deletes the selected match criterion.

Add/Edit H.323 Match Criterion
Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map > Add/Edit H.323 Match Criterion

The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map.

Fields
• Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
• Criterion—Specifies which criterion of H.323 traffic to match.
  –Called Party—Match the called party.
  –Calling Party—Match the calling party.
  –Media Type—Match the media type.
• Called Party Criterion Values—Specifies to match on the H.323 called party.
  –Regular Expression—Lists the defined regular expressions to match.
  –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  –Regular Expression Class—Lists the defined regular expression classes to match.
  –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Calling Party Criterion Values—Specifies to match on the H.323 calling party.
  –Regular Expression—Lists the defined regular expressions to match.
  –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  –Regular Expression Class—Lists the defined regular expression classes to match.
  –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Media Type Criterion Values—Specifies which media type to match.
  –Audio—Match audio type.
  –Video—Match video type.
  –Data—Match data type.

H.323 Inspect Map
Configuration > Global Objects > Inspect Maps > H.323

The H.323 pane lets you view previously configured H.323 application inspection maps. An H.323 map lets you change the default configuration values used for H.323 application inspection.

H.323 inspection supports RAS, H.225, and H.245, and translates all embedded IP addresses and ports. It performs state tracking and filtering and can activate a cascade of inspect functions. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, HSI groups, protocol state tracking, H.323 call duration enforcement, and audio/video control.

Fields
• H.323 Inspect Maps—Table that lists the defined H.323 inspect maps.
• Add—Configures a new H.323 inspect map. To edit an H.323 inspect map, choose the H.323 entry in the H.323 Inspect Maps table and click Customize.
• Delete—Deletes the inspect map selected in the H.323 Inspect Maps table.
• Security Level—Select the security level (low, medium, or high). Each level applies the following settings:

  Setting                                        Low (default)   Medium      High
  State checking of H.225 messages               Disabled        Enabled     Enabled
  State checking of RAS messages                 Disabled        Enabled     Enabled
  Call party number check                        Disabled        Disabled    Enabled
  Call duration limit                            Disabled        Disabled    1:00:00
  RTP conformance                                Not enforced    Enforced    Enforced
  Limit payload to audio or video, based on
  the signaling exchange                         n/a             No          Yes

  At Low, H.323 inspection still translates embedded addresses and opens pinholes, but it validates neither H.225/RAS message state nor the RTP carried on those pinholes.
  –Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters.
  –Customize—Opens the Add/Edit H.323 Policy Map dialog box for additional settings.
  –Default Level—Sets the security level back to the default level (Low).

Phone Number Filtering
Configuration > Global Objects > Inspect Maps > H323 > Phone Number Filtering

The Phone Number Filtering dialog box lets you configure the settings for a phone number filter.

Fields
• Match Type—Shows the match type, which can be a positive or negative match.
• Criterion—Shows the criterion of the inspection.
• Value—Shows the value to match in the inspection.
• Action—Shows the action if the match condition is met.
• Log—Shows the log state.
• Add—Opens the Add Phone Number Filter dialog box to add a phone number filter.
• Edit—Opens the Edit Phone Number Filter dialog box to edit a phone number filter.
• Delete—Deletes a phone number filter.
• Move Up—Moves an entry up in the list.
• Move Down—Moves an entry down in the list.

Add/Edit H.323 Policy Map (Security Level)
Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Basic View

The Add/Edit H.323 Policy Map pane lets you configure the security level and additional settings for H.323 application inspection maps.

Fields
• Name—When adding an H.323 map, enter the name of the H.323 map. When editing an H.323 map, the name of the previously configured H.323 map is shown.
• Description—Enter the description of the H.323 map, up to 200 characters in length.
• Security Level—Select the security level (low, medium, or high). Low (the default), Medium, and High apply the same settings as listed in the Security Level table under H.323 Inspect Map above.
  –Phone Number Filtering—Opens the Phone Number Filtering dialog box, which lets you configure the settings for a phone number filter.
  –Default Level—Sets the security level back to the default.
• Details—Shows the State Checking, Call Attributes, Tunneling and Protocol Conformance, HSI Group Parameters, and Inspections tabs to configure additional settings.

Add/Edit H.323 Policy Map (Details)
Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View

The Add/Edit H.323 Policy Map pane lets you configure the security level and additional settings for H.323 application inspection maps.

Fields
• Name—When adding an H.323 map, enter the name of the H.323 map. When editing an H.323 map, the name of the previously configured H.323 map is shown.
• Description—Enter the description of the H.323 map, up to 200 characters in length.
• Security Level—Shows the security level and phone number filtering settings to configure.
• State Checking—Tab that lets you configure state checking parameters for the H.323 inspect map.
  –Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.
  –Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.
  –Check RRQ/RCF messages and open pinholes for call signal addresses in RCF messages—Opens pinholes for calls based on the RegistrationRequest/RegistrationConfirm exchange (see the note below).
Note: You can enable call setup between H.323 endpoints when the gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled. You can enable this option by setting the option in the H.323 Inspect Map. Because such a pinhole accepts any source address and port, leave it disabled unless you need inbound calls to endpoints that register through an inside gatekeeper.

• Call Attributes—Tab that lets you configure call attribute parameters for the H.323 inspect map.
  –Enforce call duration limit—Enforces an absolute limit on the duration of a call. Call Duration Limit—Time limit for the call (hh:mm:ss).
  –Enforce presence of calling and called party numbers—Requires the calling and called party numbers to be sent during call setup.
• Tunneling and Protocol Conformance—Tab that lets you configure tunneling and protocol conformance parameters for the H.323 inspect map.
  –Check for H.245 tunneling—Detects H.245 messages tunneled inside H.225 and applies the selected action. Action—Drop connection or log.
  –Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance. Limit payload to audio or video, based on the signaling exchange—Requires the RTP payload type to be the audio or video type negotiated in the signaling exchange.
• HSI Group Parameters—Tab that lets you configure an HSI group.
  –HSI Group ID—Shows the HSI group ID.
  –IP Address—Shows the HSI group IP address.
  –Endpoints—Shows the HSI group endpoints.
  –Add—Opens the Add HSI Group dialog box to add an HSI group.
  –Edit—Opens the Edit HSI Group dialog box to edit an HSI group.
  –Delete—Deletes an HSI group.
• Inspections—Tab that shows the H.323 inspection configuration and lets you add or edit entries.
  –Match Type—Shows the match type, which can be a positive or negative match.
  –Criterion—Shows the criterion of the H.323 inspection.
  –Value—Shows the value to match in the H.323 inspection.
  –Action—Shows the action if the match condition is met.
  –Log—Shows the log state.
  –Add—Opens the Add H.323 Inspect dialog box to add an H.323 inspection.
  –Edit—Opens the Edit H.323 Inspect dialog box to edit an H.323 inspection.
  –Delete—Deletes an H.323 inspection.
  –Move Up—Moves an inspection up in the list.
  –Move Down—Moves an inspection down in the list.
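The tabs above correspond one-to-one to the parameters of an H.323 inspection policy map in the ASA CLI, which is what the device stores after ASDM saves the dialog. The configuration below is an added example and is not text or code from this guide: it builds a map equivalent to the High security level, adds an HSI group and a called-party filter through a reusable class map, leaves the RRQ/RCF pinhole option at its disabled default, and attaches the map to both H.225 and RAS inspection. The map name h323-strict, the regex name premium-rate and its pattern, the class map name, the addresses 10.10.15.11 and 10.3.6.1, and the interface name inside are assumed values for illustration.

```cisco
! Added example (not from the guide): CLI equivalent of the H.323 inspect map tabs.
! Names, addresses and the interface name are assumed for illustration.
regex premium-rate "^1900"
!
! Inspections tab, via a reusable class map: called-party numbers starting 1900
class-map type inspect h323 match-all h323-premium-calls
 match called-party regex premium-rate
!
policy-map type inspect h323 h323-strict
 description High security level plus HSI group and called-party filter
 parameters
  ! State Checking tab
  state-checking h225
  state-checking ras
  ! RRQ/RCF pinholes (ras-rcf-pinholes enable) deliberately left at the default: disabled
  ! Call Attributes tab
  call-duration-limit 1:00:00
  call-party-numbers
  ! Tunneling and Protocol Conformance tab
  h245-tunnel-block action drop-connection
  rtp-conformance enforce-payloadtype
  ! HSI Group Parameters tab
  hsi-group 1
   hsi 10.10.15.11
   endpoint 10.3.6.1 inside
 ! Inspections tab: action taken when the class map matches
 class h323-premium-calls
  drop-connection log
 ! Inspections tab: a single match on media type, dropping data (T.120) channels
 match media-type data
  drop
!
! Apply the map to both the H.225 and the RAS inspection in the global policy
policy-map global_policy
 class inspection_default
  inspect h323 h225 h323-strict
  inspect h323 ras h323-strict
```

After applying it, compare show running-config policy-map with what the Details tabs display; a map left at the Low level shows none of the parameters lines above, which is the quickest way to spot an H.323 inspection that is doing address translation and pinholing but no state or RTP validation.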
Add/Edit HSI Group
Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View > Add/Edit HSI Group

The Add/Edit HSI Group dialog box lets you configure HSI groups.

Fields
• Group ID—Enter the HSI group ID.
• IP Address—Enter the HSI IP address.
• Endpoints—Lets you configure the IP address and interface of the endpoints.
  –IP Address—Enter an endpoint IP address.
  –Interface—Specifies an endpoint interface.
• Add—Adds the HSI group defined.
• Delete—Deletes the selected HSI group.

Add/Edit H.323 Map
Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View > Add/Edit H323 Inspect

The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map.

Fields
• Single Match—Specifies that the H.323 inspect has only one match statement.
• Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the match.
• Criterion—Specifies which criterion of H.323 traffic to match.
  –Called Party—Match the called party.
  –Calling Party—Match the calling party.
  –Media Type—Match the media type.
• Called Party Criterion Values—Specifies to match on the H.323 called party.
  –Regular Expression—Lists the defined regular expressions to match.
  –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  –Regular Expression Class—Lists the defined regular expression classes to match.
  –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Calling Party Criterion Values—Specifies to match on the H.323 calling party.
  –Regular Expression—Lists the defined regular expressions to match.
  –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  –Regular Expression Class—Lists the defined regular expression classes to match.
  –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Media Type Criterion Values—Specifies which media type to match.
  –Audio—Match audio type.
  –Video—Match video type.
  –Data—Match data type.
• Multiple Matches—Specifies multiple matches for the H.323 inspection.
  –H323 Traffic Class—Specifies the H.323 traffic class match.
  –Manage—Opens the Manage H323 Class Maps dialog box to add, edit, or delete H.323 class maps.
• Action—Drop packet, drop connection, or reset.

MGCP Inspection

This section describes MGCP application inspection. This section includes the following topics:
• MGCP Inspection Overview, page 12-12
• Select MGCP Map, page 12-14
• MGCP Inspect Map, page 12-14
• Gateways and Call Agents, page 12-15
• Add/Edit MGCP Policy Map, page 12-15
• Add/Edit MGCP Group, page 12-16

MGCP Inspection Overview

MGCP is a master/slave protocol used to control media gateways from external call control elements called media gateway controllers or call agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external (global) addresses. Examples of media gateways are:
• Trunking gateways, which interface between the telephone network and a Voice over IP network. Such gateways typically manage a large number of digital circuits.
• Residential gateways, which provide a traditional analog (RJ11) interface to a Voice over IP network. Examples of residential gateways include cable modem/cable set-top boxes, xDSL devices, and broadband wireless devices.
• Business gateways, which provide a traditional digital PBX interface or an integrated soft PBX interface to a Voice over IP network.
Note: To avoid policy failure when upgrading from ASA version 7.1, all layer 7 and layer 3 policies must have distinct names. For instance, a previously configured policy map with the same name as a previously configured MGCP map must be changed before the upgrade.

MGCP messages are transmitted over UDP. A response is sent back to the source address (IP address and UDP port number) of the command, but the response may not arrive from the same address as the command was sent to. This can happen when multiple call agents are being used in a failover configuration and the call agent that received the command has passed control to a backup call agent, which then sends the response.

Figure 12-1 illustrates how NAT can be used with MGCP.

[Figure 12-1 Using NAT with MGCP. Labels recovered from the figure: Cisco CallManager; Cisco PGW 2200 (H.323, to PSTN); MGCP and SCCP gateways (GW); addresses 10.0.0.76 and 209.165.200.231; "Gateway is told to send its media to 209.165.200.231 (public address of the IP Phone)"; "RTP to 10.0.0.76 from 209.165.200.231"; "RTP to 209.165.201.1 from 209.165.200.231"; branch offices with addresses 209.165.201.1, 209.165.201.10, and 209.165.201.11.]

MGCP endpoints are physical or virtual sources and destinations for data. Media gateways contain endpoints on which the call agent can create, modify, and delete connections to establish and control media sessions with other multimedia endpoints. Also, the call agent can instruct the endpoints to detect certain events and generate signals. The endpoints automatically communicate changes in service state to the call agent.

MGCP transactions are composed of a command and a mandatory response. There are eight types of commands:
• CreateConnection
• ModifyConnection
• DeleteConnection
• NotificationRequest
• Notify
• AuditEndpoint
• AuditConnection
• RestartInProgress

The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent. The gateway may also send a DeleteConnection. The registration of the MGCP gateway with the call agent is achieved by the RestartInProgress command. The AuditEndpoint and the AuditConnection commands are sent by the call agent to the gateway.

All commands are composed of a Command header, optionally followed by a session description. All responses are composed of a Response header, optionally followed by a session description.

• Gateway port—The port on which the gateway receives commands from the call agent. Gateways usually listen to UDP port 2427.
• Call agent port—The port on which the call agent receives commands from the gateway. Call agents usually listen to UDP port 2727.

Note: MGCP inspection does not support the use of different IP addresses for MGCP signaling and RTP data. A common and recommended practice is to send RTP data from a resilient IP address, such as a loopback or virtual IP address; however, the ASA requires the RTP data to come from the same address as the MGCP signaling.

Select MGCP Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select MGCP Map

The Select MGCP Map dialog box lets you select or create a new MGCP map. An MGCP map lets you change the configuration values used for MGCP application inspection. The Select MGCP Map table provides a list of previously configured maps that you can select for application inspection.

Fields
• Use the default MGCP inspection map—Specifies to use the default MGCP map.
• Select an MGCP map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
• Add—Opens the Add Policy Map dialog box for the inspection.
MGCP Inspect Map
Configuration > Global Objects > Inspect Maps > MGCP

The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.

Fields
• MGCP Inspect Maps—Table that lists the defined MGCP inspect maps.
• Add—Configures a new MGCP inspect map.
• Edit—Edits the selected MGCP entry in the MGCP Inspect Maps table.
• Delete—Deletes the inspect map selected in the MGCP Inspect Maps table.
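An MGCP inspect map created in this pane is stored as an MGCP inspection policy map in the ASA CLI. The configuration below is an added example and is not text or code from this guide: it places a primary and a backup call agent in the same group as the gateways they control, which is the failover case from the overview where the response to a command arrives from a call agent other than the one the command was sent to, and it applies the map to the default inspection class, whose default-inspection-traffic match already covers the gateway port UDP 2427 and the call agent port UDP 2727. The map name mgcp-voice, the group ID 101, the call agent addresses 10.10.11.5 and 10.10.11.6, and the gateway addresses 10.10.10.115 and 10.10.10.116 are assumed values for illustration.

```cisco
! Added example (not from the guide): CLI equivalent of an MGCP inspect map.
! Map name, group ID and all addresses are assumed for illustration.
policy-map type inspect mgcp mgcp-voice
 description Two call agents in failover controlling two gateways
 parameters
  ! Both call agents belong to group 101, so a response sent by the backup
  ! call agent for a command the primary received is accepted by inspection
  call-agent 10.10.11.5 101
  call-agent 10.10.11.6 101
  ! Gateways that these call agents are allowed to control
  gateway 10.10.10.115 101
  gateway 10.10.10.116 101
  ! Cap on outstanding MGCP commands tracked by the ASA (default is 200)
  command-queue 150
!
! The default inspection class already matches UDP 2427 (gateway) and
! UDP 2727 (call agent) through "match default-inspection-traffic"
policy-map global_policy
 class inspection_default
  inspect mgcp mgcp-voice
```

Keep the signaling addresses listed here identical to the addresses the gateways send RTP from; as the note in the overview states, RTP sourced from a separate loopback or virtual address is not associated with the MGCP session by the inspection.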