12-15 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 12 Configuring Inspection for Voice and Video Protocols
MGCP Inspection

Gateways and Call Agents
Configuration > Global Objects > Inspect Maps > MGCP > Gateways and Call Agents
The Gateways and Call Agents dialog box lets you configure groups of gateways and call agents for the map.
Fields
Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647.
Criterion—Shows the criterion of the inspection.
Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
Call Agents—Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
Add—Displays the Add MGCP dialog box, which you can use to define a new application inspection map.
Edit—Displays the Edit MGCP dialog box, which you can use to modify the application inspection map selected in the application inspection map table.
Delete—Deletes the application inspection map selected in the application inspection map table.

Add/Edit MGCP Policy Map
Configuration > Global Objects > Inspect Maps > MGCP > MGCP Inspect Map > View
The Add/Edit MGCP Policy Map pane lets you configure the command queue, gateway, and call agent settings for MGCP application inspection maps.
Fields
Name—When adding an MGCP map, enter the name of the MGCP map. When editing an MGCP map, the name of the previously configured MGCP map is shown.
Description—Enter the description of the MGCP map, up to 200 characters in length.
Command Queue—Tab that lets you specify the permitted queue size for MGCP commands.
–Command Queue Size—Specifies the maximum number of commands to queue. The valid range is from 1 to 2147483647.
Gateways and Call Agents—Tab that lets you configure groups of gateways and call agents for this map.
–Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647.
–Criterion—Shows the criterion of the inspection.
–Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
–Call Agents—Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
–Add—Displays the Add MGCP Group dialog box, which you can use to define a new MGCP group of gateways and call agents.
–Edit—Displays the Edit MGCP dialog box, which you can use to modify the MGCP group selected in the Gateways and Call Agents table.
–Delete—Deletes the MGCP group selected in the Gateways and Call Agents table.

Add/Edit MGCP Group
Configuration > Global Objects > Inspect Maps > MGCP > Add/Edit MGCP Group
The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled.
Fields
Group ID—Specifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The valid range is from 0 to 2147483647.
–Gateway to Be Added—Specifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
–Add—Adds the specified IP address to the IP address table.
–Delete—Deletes the selected IP address from the IP address table.
–IP Address—Lists the IP addresses of the gateways in the call agent group.
Call Agents
–Call Agent to Be Added—Specifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
–Add—Adds the specified IP address to the IP address table.
–Delete—Deletes the selected IP address from the IP address table.
–IP Address—Lists the IP addresses of the call agents in the call agent group.

RTSP Inspection
This section describes RTSP application inspection. This section includes the following topics:
RTSP Inspection Overview, page 12-17
Using RealPlayer, page 12-17
Restrictions and Limitations, page 12-18
Select RTSP Map, page 12-18
RTSP Inspect Map, page 12-18
Add/Edit RTSP Policy Map, page 12-19
RTSP Class Map, page 12-19
Add/Edit RTSP Traffic Class Map, page 12-20

RTSP Inspection Overview
The RTSP inspection engine lets the ASA pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
Note: For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554.
RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The ASA only supports TCP, in conformity with RFC 2326. This TCP control channel is used to negotiate the data channels that are used to transmit audio/video traffic, depending on the transport mode that is configured on the client. The supported RDT transports are: rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.
The ASA parses SETUP response messages with a status code of 200. If the response message is travelling inbound, the server is outside relative to the ASA and dynamic channels need to be opened for connections coming inbound from the server. If the response message is outbound, then the ASA does not need to open dynamic channels.
Because RFC 2326 does not require that the client and server ports be in the SETUP response message, the ASA keeps state and remembers the client ports from the SETUP message. QuickTime places the client ports in the SETUP message and then the server responds with only the server ports.
RTSP inspection does not support PAT or dual-NAT. Also, the ASA cannot recognize HTTP cloaking where RTSP messages are hidden in HTTP messages.

Using RealPlayer
When using RealPlayer, it is important to properly configure transport mode. For the ASA, add an access-list command from the server to the client or vice versa.
For RealPlayer, change transport mode by clicking Options > Preferences > Transport > RTSP Settings.
If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use TCP for all content check boxes. On the ASA, there is no need to configure the inspection engine.
If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use UDP for static content check boxes, and for live content not available via Multicast. On the ASA, add an inspect rtsp port command.
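The SETUP handling described in the RTSP Inspection Overview above, as an added Python model that is not part of the Cisco guide. It assumes a QuickTime-style exchange (client ports only in the request, server ports added in the 200 response), treats ports below 1024 as the reserved range, and uses constructed messages.

```python
"""Added model (not Cisco code) of the RTSP inspection described above:
only a 200 SETUP response is parsed, client ports are remembered from the
SETUP request (RFC 2326 does not require them in the response), dynamic
UDP channels are opened only when the response travels inbound, and the
policy-map limits on transport, URL length and reserved ports are applied.
Messages are constructed; "reserved" meaning ports below 1024, and ignoring
transports outside the supported list, are assumptions."""
import re

SUPPORTED_TRANSPORTS = {"rtp/avp", "rtp/avp/udp", "x-real-rdt",
                        "x-real-rdt/udp", "x-pn-tng/udp"}


def parse_headers(msg):
    """Header fields of an RTSP message, keyed by lower-cased name."""
    hdrs = {}
    for line in msg.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def parse_transport(header):
    """Split a Transport header into its profile and client/server port ranges."""
    parts = [p.strip() for p in header.split(";")]
    ports = {}
    for p in parts[1:]:
        m = re.fullmatch(r"(client_port|server_port)=(\d+)(?:-(\d+))?", p)
        if m:
            lo = int(m.group(2))
            ports[m.group(1)] = (lo, int(m.group(3) or lo))
    return parts[0].lower(), ports


class RtspInspector:
    def __init__(self, reserved_port_protection=True, max_url_length=6000):
        self.pending = {}  # (client address, CSeq) -> client port range
        self.reserved = reserved_port_protection
        self.max_url = max_url_length

    def setup_request(self, client, request):
        """Apply the policy checks to a SETUP and remember its client ports."""
        method, url, _ = request.split("\r\n")[0].split(" ", 2)
        if method != "SETUP":
            return "pass"  # only SETUP negotiates media channels
        if len(url) > self.max_url:
            return "drop: URL exceeds maximum length"
        hdrs = parse_headers(request)
        profile, ports = parse_transport(hdrs.get("transport", ""))
        if self.reserved and any(lo < 1024 for lo, _ in ports.values()):
            return "drop: reserved port in media negotiation"
        if profile in SUPPORTED_TRANSPORTS and "client_port" in ports:
            self.pending[(client, hdrs.get("cseq"))] = ports["client_port"]
        return "pass"

    def setup_response(self, client, server, response, inbound):
        """Parse a 200 SETUP response and return the dynamic channels to open:
        none unless the response is inbound from a server outside the ASA."""
        status = int(response.split("\r\n")[0].split(" ")[1])
        hdrs = parse_headers(response)
        client_ports = self.pending.pop((client, hdrs.get("cseq")), None)
        _, ports = parse_transport(hdrs.get("transport", ""))
        server_ports = ports.get("server_port")
        if status != 200 or not inbound or None in (client_ports, server_ports):
            return []
        return [("udp", server, sp, client, cp)
                for sp, cp in zip(range(server_ports[0], server_ports[1] + 1),
                                  range(client_ports[0], client_ports[1] + 1))]


# Constructed QuickTime-style exchange: the client ports appear only in the
# request and the server answers with only its own ports added.
SETUP_REQ = ("SETUP rtsp://media.example.com/clip/track1 RTSP/1.0\r\nCSeq: 3\r\n"
             "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n")
SETUP_OK = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345678\r\n"
            "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n\r\n")
```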
Restrictions and Limitations
The following restrictions apply to RTSP inspection.
The ASA does not support multicast RTSP or RTSP messages over UDP.
The ASA does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in HTTP messages.
The ASA cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be fragmented and the ASA cannot perform NAT on fragmented packets.
With Cisco IP/TV, the number of translates the ASA performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.

Select RTSP Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select NetBIOS Map
The Select RTSP Map dialog box lets you select or create a new RTSP map. An RTSP map lets you change the configuration values used for RTSP application inspection. The Select RTSP Map table provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default RTSP inspection map—Specifies to use the default RTSP inspection map.
Select a RTSP inspect map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.

RTSP Inspect Map
Configuration > Global Objects > Inspect Maps > RADIUS
The RTSP pane lets you view previously configured RTSP application inspection maps. An RTSP map lets you change the default configuration values used for RTSP application inspection. You can use an RTSP map to protect RTSP traffic.
Fields
RTSP Inspect Maps—Table that lists the defined RTSP inspect maps.
Add—Configures a new RTSP inspect map.
Edit—Edits the selected RTSP entry in the RTSP Inspect Maps table.
Delete—Deletes the inspect map selected in the RTSP Inspect Maps table.
Add/Edit RTSP Policy Map
Configuration > Global Objects > Inspect Maps > MGCP > MGCP Inspect Map > View
The Add/Edit RTSP Policy Map pane lets you configure the parameters and inspection settings for RTSP application inspection maps.
Fields
Name—When adding an RTSP map, enter the name of the RTSP map. When editing an RTSP map, the name of the previously configured RTSP map is shown.
Description—Enter the description of the RTSP map, up to 200 characters in length.
Parameters—Tab that lets you restrict usage on reserved ports during media port negotiation, and lets you set the URL length limit.
–Enforce Reserve Port Protection—Lets you restrict the use of reserved ports during media port negotiation.
–Maximum URL Length—Specifies the maximum length of the URL allowed in the message. Maximum value is 6000.
Inspections—Tab that shows you the RTSP inspection configuration and lets you add or edit.
–Match Type—Shows the match type, which can be a positive or negative match.
–Criterion—Shows the criterion of the RTSP inspection.
–Value—Shows the value to match in the RTSP inspection.
–Action—Shows the action if the match condition is met.
–Log—Shows the log state.
–Add—Opens the Add RTSP Inspect dialog box to add an RTSP inspection.
–Edit—Opens the Edit RTSP Inspect dialog box to edit an RTSP inspection.
–Delete—Deletes an RTSP inspection.
–Move Up—Moves an inspection up in the list.
–Move Down—Moves an inspection down in the list.

RTSP Class Map
Configuration > Firewall > Objects > Class Maps > RTSP
The RTSP Class Map pane lets you configure RTSP class maps for RTSP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, SIP, and RTSP.
Fields
Name—Shows the RTSP class map name.
Match Conditions—Shows the type, match criterion, and value in the class map.
–Match Type—Shows the match type, which can be a positive or negative match.
–Criterion—Shows the criterion of the RTSP class map.
–Value—Shows the value to match in the RTSP class map.
Description—Shows the description of the class map.
Add—Adds an RTSP class map.
Edit—Edits an RTSP class map.
Delete—Deletes an RTSP class map.

Add/Edit RTSP Traffic Class Map
Configuration > Firewall > Objects > Class Maps > RTSP > Add/Edit RTSP Traffic Class Map
The Add/Edit RTSP Traffic Class Map dialog box lets you define the match criterion, values, and actions for the RTSP traffic class map.
Fields
Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
Criterion—Specifies which criterion of RTSP traffic to match.
–URL Filter—Match URL filtering.
–Request Method—Match an RTSP request method.
URL Filter Criterion Values—Specifies to match URL filtering. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
URL Filter Actions—Primary action and log settings.
–Action—Drop connection or log.
–Log—Enable or disable.
Request Method Criterion Values—Specifies to match an RTSP request method.
–Request Method—Specifies a request method: announce, describe, get_parameter, options, pause, play, record, redirect, setup, set_parameters, teardown.
Request Method Actions—Primary action settings.
–Action—Limit rate (pps).

SIP Inspection
This section describes SIP application inspection. This section includes the following topics:
SIP Inspection Overview, page 12-21
SIP Instant Messaging, page 12-22
Select SIP Map, page 12-22
SIP Class Map, page 12-23
Add/Edit SIP Traffic Class Map, page 12-24
Add/Edit SIP Match Criterion, page 12-24
SIP Inspect Map, page 12-26
Add/Edit SIP Policy Map (Security Level), page 12-27
Add/Edit SIP Policy Map (Details), page 12-28
Add/Edit SIP Inspect, page 12-30

SIP Inspection Overview
SIP, as defined by the IETF, enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the ASA can support any SIP VoIP gateways and VoIP proxy servers. SIP and SDP are defined in the following RFCs:
SIP: Session Initiation Protocol, RFC 3261
SDP: Session Description Protocol, RFC 2327
To support SIP calls through the ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.
The following limitations and restrictions apply when using PAT with SIP:
If a remote endpoint tries to register with a SIP proxy on a network protected by the ASA, the registration fails under very specific conditions, as follows:
–PAT is configured for the remote endpoint.
–The SIP registrar server is on the outside network.
–The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.
Configuring static PAT is not supported with SIP inspection. If static PAT is configured for the Cisco Unified Communications Manager, SIP inspection cannot rewrite the SIP packet. Configure one-to-one static NAT for the Cisco Unified Communications Manager.
If a SIP device transmits a packet in which the SDP portion has an IP address in the owner/creator field (o=) that is different from the IP address in the connection field (c=), the IP address in the o= field may not be properly translated. This is due to a limitation in the SIP protocol, which does not provide a port value in the o= field.
When using PAT, any SIP header field which contains an internal IP address without a port might not be translated and hence the internal IP address will be leaked outside. If you want to avoid this leakage, configure NAT instead of PAT.
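An added Python model, not Cisco code, of the PAT limitation on the o= field described above together with the Call-ID-indexed call database, transient-to-active state change and one-minute response timeout that the SIP Instant Messaging section below describes. The SDP bodies and translation tables are constructed, and placing RTCP on media port + 1 is an assumption.

```python
"""Added model (not Cisco code) of the SIP inspection described in this
section: the CALL_ID/FROM/TO call database, the transient -> active state
change with its one-minute response timeout, RTP/RTCP pinholes taken from
the SDP media lines, and the o= field limitation under PAT (no port, so no
(IP, port) key to translate by). Inputs are constructed; RTCP on port + 1 is
an assumption."""
import re

def parse_sdp(body):
    """Return the o= address, the c= address and the (media, port) pairs."""
    o = re.search(r"^o=\S+ \S+ \S+ IN IP4 (\S+)", body, re.M)
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = [(m, int(p)) for m, p in re.findall(r"^m=(\w+) (\d+) ", body, re.M)]
    return {"o": o.group(1) if o else None,
            "c": c.group(1) if c else None, "media": media}

def translate_sdp(sdp, table, mode):
    """Rewrite embedded inside addresses. 'nat' uses an IP -> IP table, so
    every field translates. 'pat' uses an (IP, port) -> (IP, port) table:
    c= is paired with each m= port, but o= carries no port, so it can only
    follow c= when both hold the same address; otherwise it leaks."""
    out, leaked = {"o": sdp["o"], "c": sdp["c"], "media": []}, []
    if mode == "nat":
        out["o"] = table.get(sdp["o"], sdp["o"])
        out["c"] = table.get(sdp["c"], sdp["c"])
        out["media"] = list(sdp["media"])
        return out, leaked
    for kind, port in sdp["media"]:
        out["c"], pub_port = table.get((sdp["c"], port), (sdp["c"], port))
        out["media"].append((kind, pub_port))
    inside = {ip for ip, _ in table}
    if sdp["o"] == sdp["c"]:
        out["o"] = out["c"]
    elif sdp["o"] in inside:
        leaked.append("o=" + sdp["o"])  # inside address left untranslated
    return out, leaked

def media_pinholes(sdp):
    """RTP on each m= port plus RTCP on the next port (assumption)."""
    return [(sdp["c"], port + i) for _, port in sdp["media"] for i in (0, 1)]

class SipInspector:
    RESPONSE_TIMEOUT = 60  # seconds: the callee's SDP must arrive within a minute

    def __init__(self):
        self.calls = {}  # Call-ID -> call record

    def invite(self, call_id, frm, to, sdp, now):
        """INVITE from the caller: record its media and enter the transient state."""
        self.calls[call_id] = {"from": frm, "to": to, "state": "transient",
                               "started": now,
                               "pinholes": media_pinholes(parse_sdp(sdp))}

    def ok_response(self, call_id, sdp, now):
        """200 OK with the callee's SDP: go active and return every pinhole,
        or tear the call down when the response is later than the timeout."""
        call = self.calls.get(call_id)
        if call is None or call["state"] != "transient":
            return None
        if now - call["started"] > self.RESPONSE_TIMEOUT:
            del self.calls[call_id]
            return None
        call["pinholes"] += media_pinholes(parse_sdp(sdp))
        call["state"] = "active"
        return list(call["pinholes"])

    def bye(self, call_id):
        """BYE ends the call and releases its signaling and media pinholes."""
        return self.calls.pop(call_id, None) is not None

# Constructed SDP from an inside caller whose o= and c= addresses differ.
CALLER_SDP = ("v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.6\r\n"
              "t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
CALLEE_SDP = ("v=0\r\no=bob 2 2 IN IP4 203.0.113.9\r\ns=-\r\nc=IN IP4 203.0.113.9\r\n"
              "t=0 0\r\nm=audio 3456 RTP/AVP 0\r\n")
# Constructed translation tables: PAT is keyed by (IP, port), NAT by IP.
PAT_TABLE = {("10.0.0.6", 49170): ("198.51.100.1", 20000),
             ("10.0.0.5", 5060): ("198.51.100.1", 20001)}
NAT_TABLE = {"10.0.0.5": "198.51.100.5", "10.0.0.6": "198.51.100.6"}
```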
SIP Instant Messaging
Instant Messaging refers to the transfer of messages between users in near real-time. SIP supports the Chat feature on Windows XP using Windows Messenger RTC Client version 4.7.0105 only. The MESSAGE/INFO methods and 202 Accept response are used to support IM as defined in the following RFCs:
Session Initiation Protocol (SIP)-Specific Event Notification, RFC 3265
Session Initiation Protocol (SIP) Extension for Instant Messaging, RFC 3428
MESSAGE/INFO requests can come in at any time after registration/subscription. For example, two users can be online at any time, but not chat for hours. Therefore, the SIP inspection engine opens pinholes that time out according to the configured SIP timeout value. This value must be configured at least five minutes longer than the subscription duration. The subscription duration is defined in the Contact Expires value and is typically 30 minutes.
Because MESSAGE/INFO requests are typically sent using a dynamically allocated port other than port 5060, they are required to go through the SIP inspection engine.
Note: Only the Chat feature is currently supported. Whiteboard, File Transfer, and Application Sharing are not supported. RTC Client 5.0 is not supported.
SIP inspection translates the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.
SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload. These indices identify the call, the source, and the destination. This database contains the media addresses and media ports found in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. The ASA opens RTP/RTCP connections between the two endpoints using these media addresses/ports. The well-known port 5060 must be used on the initial call setup (INVITE) message; however, subsequent messages may not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be translated.
As a call is set up, the SIP session is in the “transient” state until the media address and media port are received from the called endpoint in a Response message indicating the RTP port the called endpoint listens on. If there is a failure to receive the response messages within one minute, the signaling connection is torn down. Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface do not traverse the ASA, unless the ASA configuration specifically allows it.

Select SIP Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SIP Map
The Select SIP Map dialog box lets you select or create a new SIP map. A SIP map lets you change the configuration values used for SIP application inspection. The Select SIP Map table provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default SIP inspection map—Specifies to use the default SIP map.
Select a SIP map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
Enable encrypted traffic inspection check box—Select to enable the radio buttons to select a proxy type.
Proxy Type
–TLS Proxy radio button—Use TLS Proxy to enable inspection of encrypted traffic.
–Phone Proxy radio button—Specifies to associate the Phone Proxy with the TLS Proxy that you select from the TLS Proxy Name field.
Configure button—Opens the Configure the Phone Proxy dialog box so that you can specify or edit Phone Proxy configuration settings.
–UC-IME Proxy radio button—Specifies to associate the UC-IME Proxy (Cisco Intercompany Media Engine proxy) with the TLS Proxy that you select from the TLS Proxy Name field.
Configure button—Opens the Configure the UC-IME Proxy dialog box so that you can specify or edit UC-IME Proxy configuration settings.
TLS Proxy Name—Name of an existing TLS Proxy.
Manage—Opens the Add TLS Proxy dialog box to add a TLS Proxy.
Only one TLS proxy can be assigned to the Phone Proxy or UC-IME Proxy at a time. If you configure more than one service policy rule for Phone Proxy or UC-IME Proxy inspection and attempt to assign a different TLS proxy to them, ASDM displays a warning that all other service policy rules with Phone Proxy or UC-IME inspection will be changed to use the latest selected TLS proxy.
The UC-IME Proxy configuration requires two TLS proxies: one for outbound traffic and one for inbound. Rather than associating the TLS proxies directly with the UC-IME Proxy, as is the case with the phone proxy, the TLS proxies are associated with it indirectly via SIP inspection rules. You associate a TLS proxy with the Phone Proxy while defining a SIP inspection action. ASDM will convert the association to the existing phone proxy.

SIP Class Map
Configuration > Global Objects > Class Maps > SIP
The SIP Class Map pane lets you configure SIP class maps for SIP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
Name—Shows the SIP class map name.
Match Conditions—Shows the type, match criterion, and value in the class map.
–Match Type—Shows the match type, which can be a positive or negative match.
–Criterion—Shows the criterion of the SIP class map.
–Value—Shows the value to match in the SIP class map.
Description—Shows the description of the class map.
Add—Adds a SIP class map.
Edit—Edits a SIP class map.
Delete—Deletes a SIP class map.

Add/Edit SIP Traffic Class Map
Configuration > Global Objects > Class Maps > SIP > Add/Edit SIP Traffic Class Map
The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.
Fields
Name—Enter the name of the SIP class map, up to 40 characters in length.
Description—Enter the description of the SIP class map.
Add—Adds a SIP class map.
Edit—Edits a SIP class map.
Delete—Deletes a SIP class map.

Add/Edit SIP Match Criterion
Configuration > Global Objects > Class Maps > SIP > Add/Edit SIP Traffic Class Map > Add/Edit SIP Match Criterion
The Add/Edit SIP Match Criterion dialog box lets you define the match criterion and value for the SIP class map.
Fields
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
Criterion—Specifies which criterion of SIP traffic to match.
–Called Party—Match the called party as specified in the To header.
–Calling Party—Match the calling party as specified in the From header.
–Content Length—Match the Content Length header, between 0 and 65536.
–Content Type—Match the Content Type header.
–IM Subscriber—Match the SIP IM subscriber.