Cisco Asdm 7 User Guide
21-3 Cisco ASA Series Firewall ASDM Configuration Guide. Chapter 21: Configuring Cisco Intercompany Media Engine Proxy. Information About Cisco Intercompany Media Engine Proxy.

On successful verification, the terminating side creates a ticket that grants the call originator permission to make a Cisco IME call to a specific number. See Tickets and Passwords, page 21-3, for information.

Figure 21-1 Interaction of the UC-IME Proxy with the PSTN

Tickets and Passwords

Cisco Intercompany Media Engine uses tickets and passwords to provide enterprise verification. Verification through the creation of tickets ensures that an enterprise is not subject to denial-of-service (DoS) attacks from the Internet or to endless VoIP spam calls. Ticket verification prevents spam and DoS attacks because it introduces a cost to the VoIP caller, namely the cost of a PSTN call. A malicious user cannot simply set up an open source Asterisk PBX on the Internet and begin launching SIP calls into an enterprise running Cisco Intercompany Media Engine.

Having the Cisco Intercompany Media Engine Proxy verify tickets allows incoming calls from a particular enterprise to a particular number only when that enterprise has previously called that phone number over the PSTN. To send a spam VoIP call to every phone within an enterprise, an organization would have to purchase Cisco Intercompany Media Engine and Cisco Unified Communications Manager, call each phone number within the enterprise over the PSTN, and complete each call successfully. Only then could it launch a VoIP call to each number.

The Cisco Intercompany Media Engine server creates tickets and the ASA validates them. The ASA and the Cisco Intercompany Media Engine server share a configured password, so the ASA can detect that a ticket was created by a trusted Cisco Intercompany Media Engine server.
The ticket contains information indicating that the enterprise is authorized to call specific phone numbers at the target enterprise. See Figure 21-2 for the ticket verification process and how it operates between the originating and terminating-call enterprises.

Note: Because the initial calls are over the PSTN, they are subject to any national regulations regarding telemarketing calls. For example, within the United States, they would be subject to the national do-not-call registry.

[Figure 21-1 labels: Enterprise A and Enterprise B, each with IP phones, Cisco UCM, a UC-IME Server and an ASA, connected to each other over the Public Internet and over the PSTN.]
Figure 21-2 Ticket Verification Process with Cisco Intercompany Media Engine

As illustrated in Figure 21-2, Enterprise B makes a PSTN call to Enterprise A, and that call completes successfully. Later, the Enterprise B Cisco Intercompany Media Engine server initiates validation procedures with Enterprise A, and these validation procedures succeed. During the validation handshake, Enterprise B sends Enterprise A its domain name. Enterprise A verifies that this domain name is not on the blacklisted set of domains. Assuming it is not, Enterprise A creates a ticket.

Subsequently, someone in Enterprise B calls that number again. The call setup message from Enterprise B to Enterprise A carries the ticket in the X-Cisco-UC-IME-Ticket header field of the SIP INVITE message. This message arrives at the Enterprise A ASA. The ASA verifies the signature and performs several checks on the ticket to make sure it is valid. If the ticket is valid, the ASA forwards the request (including the ticket) to Cisco UCM. Because the ASA drops requests that lack a valid ticket, unauthorized calls never reach Cisco UCM.

The ticket password is a 128-bit random key, which can be thought of as a shared password between the adaptive security appliance and the Cisco Intercompany Media Engine server. This password is generated by the Cisco Intercompany Media Engine server and is used by a Cisco Intercompany Media Engine SIP trunk to generate a ticket that allows a call to be made between Cisco Intercompany Media Engine SIP trunks. A ticket is a signed object containing a number of fields that grant the calling domain permission to make a Cisco Intercompany Media Engine call to a specific number. The ticket is signed with the ticket password.
Cisco Intercompany Media Engine also requires that you configure an epoch for the password. The epoch is an integer that is updated each time the password is changed. When the proxy is configured for the first time and a password is entered for the first time, enter 1 for the epoch. Each time you change the password, increment the epoch to indicate the new password. Typically you increment the epoch sequentially; however, the ASA allows you to choose any value when you update the epoch.

If you change the epoch value, the tickets in use at remote enterprises become invalid. Incoming calls from the remote enterprises fall back to the PSTN until the terminating enterprise reissues tickets with the new epoch value and password. The epoch and password that you configure on the ASA must match the epoch and password configured on the Cisco Intercompany Media Engine server. If you change the password or epoch on the ASA, you must update them on the Cisco Intercompany Media Engine server as well. See the Cisco Intercompany Media Engine server documentation for information.

[Figure 21-2 labels: Enterprise A and Enterprise B, each with IP phones, Cisco UCM, a UC-IME Server and an ASA, connected over the Internet. Steps: (1) Enterprise B gets an authorization ticket from A at the end of the validation protocol; (2) the UC-IME server passes the ticket to Cisco UCM, where it is stored as part of the VoIP route; (3) Enterprise B calls A and includes the ticket; (4) the ASA validates the ticket.]
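The following Python is an added example, not Cisco's code, that models the ticket flow described above: the terminating enterprise signs a grant (calling domain, called number, epoch) with the shared ticket password after checking its blacklist, and the ASA side parses the SIP INVITE, pulls the X-Cisco-UC-IME-Ticket header, and drops the call unless the signature, epoch, calling domain and called number all check out. The page does not document the real ticket encoding, so the JSON body, the HMAC-SHA256 signature, the base64 wire format, the sample domains and numbers, and the SIP message itself are assumptions constructed for illustration. The verifier does demonstrate the epoch rule the page states: a ticket signed under epoch 1 is rejected (and the call would fall back to the PSTN) as soon as the ASA is configured with epoch 2.

```python
"""Model of UC-IME ticket issuance and ASA-side verification (added example).

Not Cisco code. The page does not document the X-Cisco-UC-IME-Ticket encoding,
so the JSON body, HMAC-SHA256 signature and base64 wire format are assumptions.
The checks are the ones the page names: signature under the shared password,
epoch match, calling domain and called number in the grant, blacklist at issue.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

TICKET_HEADER = "X-Cisco-UC-IME-Ticket"   # header name given on the page
SIG_LEN = hashlib.sha256().digest_size     # 32-byte tag appended to the body


def new_ticket_password() -> bytes:
    """128-bit random key shared by the UC-IME server and the ASA."""
    return secrets.token_bytes(16)


def _sign(password: bytes, body: bytes) -> bytes:
    # HMAC-SHA256 keyed with the ticket password (assumed construction).
    return hmac.new(password, body, hashlib.sha256).digest()


def issue_ticket(password: bytes, epoch: int, calling_domain: str,
                 called_number: str, blacklist: frozenset) -> Optional[str]:
    """Terminating enterprise: grant calling_domain the right to call called_number.

    Returns None for a blacklisted domain (the page checks the blacklist before
    a ticket is created). The epoch is embedded so the verifier can tell which
    password generation signed the ticket.
    """
    if calling_domain in blacklist:
        return None
    body = json.dumps({"epoch": epoch, "from": calling_domain,
                       "to": called_number}, sort_keys=True).encode()
    return base64.b64encode(body + _sign(password, body)).decode()


def verify_ticket(ticket: str, password: bytes, epoch: int,
                  from_domain: str, to_number: str) -> Tuple[bool, str]:
    """ASA-side checks. (False, reason) means the INVITE is dropped and the
    call falls back to the PSTN."""
    try:
        raw = base64.b64decode(ticket, validate=True)
        body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        fields = json.loads(body)
    except ValueError:                      # bad base64 or bad JSON
        return False, "malformed ticket"
    if not isinstance(fields, dict):
        return False, "malformed ticket"
    if not hmac.compare_digest(sig, _sign(password, body)):
        return False, "bad signature"       # wrong password or tampered
    if fields.get("epoch") != epoch:
        return False, "stale epoch"         # password/epoch was rotated
    if fields.get("from") != from_domain:
        return False, "ticket not issued to calling domain"
    if fields.get("to") != to_number:
        return False, "ticket does not cover called number"
    return True, "ok"


def _uri_user_host(header_value: str) -> Tuple[str, str]:
    """(user, host) from a From:/To: value such as '<sip:u@h>;tag=1'."""
    uri = header_value[header_value.find("sip:") + 4:]
    uri = uri.split(">", 1)[0].split(";", 1)[0]
    user, _, host = uri.partition("@")
    return user, host


def asa_admit_invite(invite: str, password: bytes, epoch: int) -> Tuple[bool, str]:
    """Parse an incoming SIP INVITE and decide whether to forward it to Cisco UCM."""
    headers = {}
    for line in invite.split("\r\n")[1:]:
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ticket = headers.get(TICKET_HEADER.lower())
    if ticket is None:
        return False, "no ticket"           # never reaches Cisco UCM
    _, from_domain = _uri_user_host(headers.get("from", ""))
    to_number, _ = _uri_user_host(headers.get("to", ""))
    return verify_ticket(ticket, password, epoch, from_domain, to_number)


def build_invite(from_domain: str, to_number: str, ticket: Optional[str]) -> str:
    """Constructed sample INVITE (not a capture) from Enterprise B to Enterprise A."""
    lines = [f"INVITE sip:{to_number}@enterprise-a.example SIP/2.0",
             f"From: <sip:trunk@{from_domain}>;tag=1a2b",
             f"To: <sip:{to_number}@enterprise-a.example>"]
    if ticket is not None:
        lines.append(f"{TICKET_HEADER}: {ticket}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    pw, epoch, denied = new_ticket_password(), 1, frozenset({"spammer.example"})
    t = issue_ticket(pw, epoch, "enterprise-b.example", "+14085550100", denied)
    print(asa_admit_invite(build_invite("enterprise-b.example", "+14085550100", t), pw, epoch))
    print(asa_admit_invite(build_invite("enterprise-b.example", "+14085550100", t), pw, epoch + 1))
    print(asa_admit_invite(build_invite("enterprise-b.example", "+14085550101", t), pw, epoch))
```

The signature is checked before any field is read, with a constant-time compare, so a forged or tampered ticket fails closed regardless of its contents; the epoch check is what makes a password rotation invalidate every outstanding ticket at remote enterprises, which is why the page warns that remote calls fall back to the PSTN until tickets are reissued.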
Call Fallback to the PSTN

Cisco Intercompany Media Engine provides features that manage QoS on the Internet, such as the ability to monitor the QoS of RTP traffic in real time and fall back to the PSTN automatically if problems arise. Call fallback from Internet VoIP calls to the public switched telephone network (PSTN) can occur for two reasons: changes in connection quality, and signaling failure for Cisco Intercompany Media Engine.

Internet connections can vary wildly in quality and vary over time. Therefore, even if a call is sent over VoIP because the quality of the connection was good, the connection quality might worsen mid-call. To ensure a good overall experience for the end user, Cisco Intercompany Media Engine attempts to perform a mid-call fallback. Performing a mid-call fallback requires the adaptive security appliance to monitor the RTP packets coming from the Internet and feed that information into an RTP Monitoring Algorithm (RMA) API, which indicates to the adaptive security appliance whether fallback is required. If fallback is required, the adaptive security appliance sends a REFER message to Cisco UCM to tell it to fall the call back to the PSTN.

TLS signaling connections from the remote Cisco UCM are terminated on the adaptive security appliance, and a separate TCP or TLS connection is initiated to the local Cisco UCM. SRTP (media) sent from external IP phones to an internal IP phone via the adaptive security appliance is converted to RTP. The adaptive security appliance inserts itself into the media path by modifying the SIP signaling messages that are sent over the SIP trunk between Cisco UCMs. TLS (signaling) and SRTP are always terminated on the adaptive security appliance.
If signaling problems occur, the call falls back to the PSTN; however, in that case Cisco UCM initiates the PSTN fallback and the adaptive security appliance does not send a REFER message.

Architecture and Deployment Scenarios for Cisco Intercompany Media Engine

This section includes the following topics:
- Architecture, page 21-5
- Basic Deployment, page 21-6
- Off Path Deployment, page 21-7

Architecture

Within the enterprise, Cisco Intercompany Media Engine is deployed with the following components for the following purposes:
- The adaptive security appliance—Enabled with the Cisco Intercompany Media Engine Proxy, provides perimeter security functions and inspects SIP signaling between SIP trunks.
- Cisco Intercompany Media Engine (UC-IME) server—Located in the DMZ, provides an automated provisioning service by learning new VoIP routes to particular phone numbers and recording those routes in Cisco UCM. The Cisco Intercompany Media Engine server does not perform call control.
- Cisco Unified Communications Manager (Cisco UCM)—Responsible for call control and processing. Cisco UCM connects to the Cisco Intercompany Media Engine server by using the Access Protocol to publish and exchange updates. The architecture can consist of a single Cisco UCM or a Cisco UCM cluster within the enterprise.
- Cisco Intercompany Media Engine (UC-IME) Bootstrap server—Provides the certificate required for admission onto the public peer-to-peer network for Cisco Intercompany Media Engine.

Figure 21-3 illustrates the components of Cisco Intercompany Media Engine in a basic deployment.

Figure 21-3 Cisco Intercompany Media Engine Architecture in a Basic Deployment

[Figure 21-3 labels: Outside Enterprise, DMZ and Inside Enterprise zones. The ASA enabled with the UC-IME Proxy provides perimeter security; the UC-IME Server sits in the DMZ and reaches the UC-IME Bootstrap Server for peer-to-peer validation; the Cisco UCM cluster and IP phones are inside. Traffic types shown: RTP/SRTP media, SIP/SCCP to the phones, the UC-IME Access Protocol between Cisco UCM and the UC-IME Server, SIP/TLS outside the ASA and TCP/TLS inside.]

Basic Deployment

In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in line with the Internet firewall, so that all Internet traffic traverses the adaptive security appliance. In this deployment, a single Cisco UCM or a Cisco UCM cluster is centrally deployed within the enterprise, along with a Cisco Intercompany Media Engine server (and perhaps a backup). As shown in Figure 21-4, the adaptive security appliance sits at the edge of the enterprise and inspects SIP signaling by creating dynamic SIP trunks between enterprises.
Figure 21-4 Basic Deployment Scenario

[Figure 21-4 labels: Enterprise A and Enterprise B, each with IP phones, Cisco UCM, a UC-IME Server, a PSTN Gateway and an ASA enabled with the UC-IME Proxy; a SIP trunk between the two ASAs across the Internet; the UC-IME Bootstrap Server on the Internet; the PSTN connecting the two gateways.]

Off Path Deployment

In an off path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass through an adaptive security appliance enabled with the Cisco Intercompany Media Engine Proxy. The adaptive security appliance is located in the DMZ and is configured to support only Cisco Intercompany Media Engine traffic (SIP signaling and RTP traffic). Normal Internet-facing traffic does not flow through this adaptive security appliance.

For all inbound calls, the signaling is directed to the adaptive security appliance because the destination Cisco UCMs are configured with the global IP address on the adaptive security appliance. For outbound calls, the called party could be any IP address on the Internet; therefore, the adaptive security appliance is configured with a mapping service that dynamically provides an internal IP address on the adaptive security appliance for each global IP address of the called party on the Internet. Cisco UCM sends all outbound calls directly to the mapped internal IP address on the adaptive security appliance instead of to the global IP address of the called party on the Internet. The adaptive security appliance then forwards the calls to the global IP address of the called party.

Figure 21-5 illustrates the architecture of Cisco Intercompany Media Engine in an off path deployment.
Figure 21-5 Off Path Deployment of the Adaptive Security Appliance

[Figure 21-5 labels: Outside Enterprise, DMZ and Inside Enterprise zones. An Internet Firewall provides perimeter security; the UC-IME Server and the ASA enabled with the UC-IME proxy sit in the DMZ behind it, with an Intranet Firewall between the DMZ and the Cisco UCM cluster and IP phones inside. A PSTN Gateway connects to the PSTN, and the UC-IME Bootstrap Server is on the Internet. Only UC-IME calls pass through the ASA enabled with the UC-IME proxy.]

Licensing for Cisco Intercompany Media Engine

The Cisco Intercompany Media Engine feature supported by the ASA requires a Unified Communications Proxy license. The following table shows the details of the Unified Communications Proxy license.

Note: This feature is not available on No Payload Encryption models.
Model        License Requirement
All models   Intercompany Media Engine license.

When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions up to the configured TLS proxy limit. If you also have a Unified Communications (UC) license installed that is higher than the default TLS proxy limit, the ASA sets the limit to the UC license limit plus an additional number of sessions that depends on your model. You can manually configure the TLS proxy limit in the Configuration > Firewall > Unified Communications > TLS Proxy pane.

If you also install the UC license, the TLS proxy sessions available for UC are also available for IME sessions. For example, if the configured limit is 1000 TLS proxy sessions and you purchase a 750-session UC license, the first 250 IME sessions do not affect the sessions available for UC. If you need more than 250 sessions for IME, the remaining 750 sessions of the platform limit are used on a first-come, first-served basis by UC and IME.

For a license part number ending in "K8", TLS proxy sessions are limited to 1000. For a license part number ending in "K9", the TLS proxy limit depends on your configuration and the platform model.

Note: K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.

You might also use SRTP encryption sessions for your connections. For a K8 license, SRTP sessions are limited to 250. For a K9 license, there is no limit.

Note: Only calls that require encryption/decryption of media are counted toward the SRTP limit; if passthrough is set for the call, the legs do not count toward the limit even if both legs are SRTP.

For more information about licensing, see Chapter 5, "Managing Feature Licenses for Cisco ASA Version 7.1," in the general operations configuration guide.

Guidelines and Limitations

Context Mode Guidelines
Supported in single context mode only.

Firewall Mode Guidelines
Supported in routed firewall mode only.

IPv6 Guidelines
Does not support IPv6 addresses.

Additional Guidelines and Limitations
Cisco Intercompany Media Engine has the following limitations:
- Fax is not supported. Fax capability must be disabled on the SIP trunk.
- Stateful failover of Cisco Intercompany Media Engine is not supported. During failover, existing calls traversing the Cisco Intercompany Media Engine Proxy disconnect; however, new calls successfully traverse the proxy after the failover completes.
- Having Cisco UCMs on more than one ASA interface is not supported with the Cisco Intercompany Media Engine Proxy. Having the Cisco UCMs on one trusted interface is especially necessary in an off path deployment, because the ASA requires that you specify the listening interface for the mapping service, and the Cisco UCMs must be connected on that one trusted interface.
- Multipart MIME is not supported.
- Only existing SIP features and messages are supported.
- H.264 is not supported.
- RTCP is not supported. The ASA drops any RTCP traffic sent from the inside interface to the outside interface, and does not convert RTCP traffic from the inside interface into SRTP traffic.
- The Cisco Intercompany Media Engine Proxy configured on the ASA creates a dynamic SIP trunk for each connection to a remote enterprise; however, you cannot configure a unique subject name for each SIP trunk. The Cisco Intercompany Media Engine Proxy can have only one subject name configured for the proxy. Additionally, the subject DN you configure for the Cisco Intercompany Media Engine Proxy must match the domain name that has been set for the local Cisco UCM.
- If a service policy rule for the Cisco Intercompany Media Engine Proxy is removed (by using the no service-policy command) and reconfigured, the first call traversing the ASA will fail. The call falls back to the PSTN because Cisco UCM does not know that the connections were cleared and tries to use the recently cleared IME SIP trunk for the signaling. To resolve this issue, you must additionally enter the clear connection all command and restart the ASA. If the failure is due to failover, the connections from the primary ASA are not synchronized to the standby ASA.
- After the clear connection all command is issued on an ASA enabled with a UC-IME Proxy and the IME call fails over to the PSTN, the next IME call between an originating and a terminating SCCP IP phone completes but has no audio and is dropped after the signaling session is established. An IME call between SCCP IP phones uses the IME SIP trunk in both directions: the signaling from the calling to the called party uses the IME SIP trunk, and the called party then uses the reverse IME SIP trunk for the return signaling and media exchange. That reverse connection has already been cleared on the ASA, which causes the IME call to fail. The next IME call (the third call after the clear connection all command is issued) completes successfully.
  Note: This limitation does not apply when the originating and terminating IP phones are configured with SIP.
- The ASA must be licensed and configured with enough TLS proxy sessions to handle the IME call volume. See the "Licensing for Cisco Intercompany Media Engine" section on page 21-8 for information about the licensing requirements for TLS proxy sessions. This limitation exists because an IME call cannot fall back to the PSTN when there are not enough TLS proxy sessions left to complete the IME call. An IME call between two SCCP IP phones requires the ASA to use two TLS proxy sessions to complete the TLS handshake. Assume, for example, that the ASA is configured for a maximum of 100 TLS proxy sessions and that IME calls between SCCP IP phones have already established all of them. The next IME call is initiated successfully by the originating SCCP IP phone but fails after the call is accepted by the terminating SCCP IP phone: the terminating phone rings, and on answering, the call hangs because the TLS handshake cannot complete. The call does not fall back to the PSTN.
Configuring Cisco Intercompany Media Engine Proxy

This section contains the following topics:
- Task Flow for Configuring Cisco Intercompany Media Engine, page 21-11
- Configuring NAT for Cisco Intercompany Media Engine Proxy, page 21-12
- Configuring PAT for the Cisco UCM Server, page 21-14
- Creating ACLs for Cisco Intercompany Media Engine Proxy, page 21-16
- Creating the Media Termination Instance, page 21-17
- Creating the Cisco Intercompany Media Engine Proxy, page 21-18
- Creating Trustpoints and Generating Certificates, page 21-21
- Creating the TLS Proxy, page 21-24
- Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy, page 21-25
- (Optional) Configuring TLS within the Local Enterprise, page 21-27
- (Optional) Configuring Off Path Signaling, page 21-30

Task Flow for Configuring Cisco Intercompany Media Engine

Figure 21-6 provides an example of a basic deployment of Cisco Intercompany Media Engine. The following tasks include command line examples based on Figure 21-6.

Figure 21-6 Example for Basic (in-line) Deployment Tasks

[Figure 21-6 labels: Local Enterprise with hosts 192.168.10.30, 192.168.10.31 and 192.168.10.12 on the Corporate Network, the Local Cisco UCMs and the Local UC-IME Server; Local ASA with inside interface 192.168.10.1, inside media termination 192.168.10.3, outside interface 209.165.200.225, outside media termination 209.165.200.226 and outside Cisco UCM address 209.165.200.228; TCP on the inside, TLS toward the Internet. Remote Enterprise with Remote ASA, Remote Cisco UCM and Remote UC-IME Server. UC-IME Bootstrap Server on the Internet.]

Note: Step 1 through Step 8 apply to both basic (in-line) and off path deployments; Step 9 applies only to an off path deployment.

To configure Cisco Intercompany Media Engine for a basic deployment, perform the following tasks.

Step 1 Configure static NAT for Cisco UCM. See Configuring NAT for Cisco Intercompany Media Engine Proxy, page 21-12.
Or configure PAT for the Cisco UCM server. See Configuring PAT for the Cisco UCM Server, page 21-14.
Step 2 Create ACLs for the Cisco Intercompany Media Engine Proxy. See Creating ACLs for Cisco Intercompany Media Engine Proxy, page 21-16.
Step 3 Create the media termination address instance for the Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 21-17.
Step 4 Create the Cisco Intercompany Media Engine Proxy. See Creating the Cisco Intercompany Media Engine Proxy, page 21-18.
Step 5 Create trustpoints and generate certificates for the Cisco Intercompany Media Engine Proxy. See Creating Trustpoints and Generating Certificates, page 21-21.
Step 6 Create the TLS proxy. See Creating the TLS Proxy, page 21-24.
Step 7 Configure SIP inspection for the Cisco Intercompany Media Engine Proxy. See Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy, page 21-25.
Step 8 (Optional) Configure TLS within the enterprise. See (Optional) Configuring TLS within the Local Enterprise, page 21-27.
Step 9 (Optional) Configure off path signaling. See (Optional) Configuring Off Path Signaling, page 21-30.

Note: You perform Step 9 only when you are configuring the Cisco Intercompany Media Engine Proxy in an off path deployment.

Configuring NAT for Cisco Intercompany Media Engine Proxy

To configure auto NAT, you first configure a network object and then use the nat command in object configuration mode. The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task. Alternatively, you can configure PAT for the Cisco Intercompany Media Engine Proxy. See Configuring PAT for the Cisco UCM Server, page 21-14.