Cisco Asdm 7 User Guide
12-25 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection
–Message Path—Match the SIP Via header.
–Request Method—Match the SIP request method.
–Third-Party Registration—Match the requester of a third-party registration.
–URI Length—Match a URI in the SIP headers, between 0 and 65536.
Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified.
–Greater Than Length—Enter a header length value in bytes.
Content Type Criterion Values—Specifies to match a SIP content header type.
–SDP—Match an SDP SIP content header type.
–Regular Expression—Match a regular expression.
  Regular Expression—Lists the defined regular expressions to match.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class—Lists the defined regular expression classes to match.
  Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Method Criterion Values—Specifies to match a SIP request method.
–Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.
Third-Party Registration Criterion Values—Specifies to match the requester of a third-party registration. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
URI Length Criterion Values—Specifies to match a URI of a selected type that is greater than the specified length in the SIP headers.
–URI type—Specifies to match either SIP URI or TEL URI.
–Greater Than Length—Length in bytes.

SIP Inspect Map
Configuration > Global Objects > Inspect Maps > SIP
The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection.
SIP is a widely used protocol for Internet conferencing, telephony, presence, event notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats. SIP application inspection provides address translation in the message header and body, dynamic opening of ports, and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of SIP messages and detect SIP-based attacks.
Fields
SIP Inspect Maps—Table that lists the defined SIP inspect maps.
Add—Configures a new SIP inspect map. To edit a SIP inspect map, choose the SIP entry in the SIP Inspect Maps table and click Customize.
Delete—Deletes the inspect map selected in the SIP Inspect Maps table.
Security Level—Select the security level (low, medium, or high).
–Low—Default.
  SIP instant messaging (IM) extensions: Enabled.
  Non-SIP traffic on SIP port: Permitted.
  Hide server’s and endpoint’s IP addresses: Disabled.
  Mask software version and non-SIP URIs: Disabled.
  Ensure that the number of hops to destination is greater than 0: Enabled.
  RTP conformance: Not enforced.
  SIP conformance: Do not perform state checking and header validation.
–Medium
  SIP instant messaging (IM) extensions: Enabled.
  Non-SIP traffic on SIP port: Permitted.
  Hide server’s and endpoint’s IP addresses: Disabled.
  Mask software version and non-SIP URIs: Disabled.
  Ensure that the number of hops to destination is greater than 0: Enabled.
  RTP conformance: Enforced.
  Limit payload to audio or video, based on the signaling exchange: No.
  SIP conformance: Drop packets that fail state checking.
–High
  SIP instant messaging (IM) extensions: Enabled.
  Non-SIP traffic on SIP port: Denied.
  Hide server’s and endpoint’s IP addresses: Disabled.
  Mask software version and non-SIP URIs: Enabled.
  Ensure that the number of hops to destination is greater than 0: Enabled.
  RTP conformance: Enforced.
  Limit payload to audio or video, based on the signaling exchange: Yes.
  SIP conformance: Drop packets that fail state checking and packets that fail header validation.
–Customize—Opens the Add/Edit SIP Policy Map dialog box for additional settings.
–Default Level—Sets the security level back to the default level of Low.

Add/Edit SIP Policy Map (Security Level)
Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Basic View
The Add/Edit SIP Policy Map pane lets you configure the security level and additional settings for SIP application inspection maps.
Fields
Name—When adding a SIP map, enter the name of the SIP map. When editing a SIP map, the name of the previously configured SIP map is shown.
Description—Enter the description of the SIP map, up to 200 characters in length.
Security Level—Select the security level (low, medium, or high).
–Low—Default.
  SIP instant messaging (IM) extensions: Enabled.
  Non-SIP traffic on SIP port: Permitted.
  Hide server’s and endpoint’s IP addresses: Disabled.
  Mask software version and non-SIP URIs: Disabled.
  Ensure that the number of hops to destination is greater than 0: Enabled.
  RTP conformance: Not enforced.
  SIP conformance: Do not perform state checking and header validation.
–Medium
  SIP instant messaging (IM) extensions: Enabled.
  Non-SIP traffic on SIP port: Permitted.
  Hide server’s and endpoint’s IP addresses: Disabled.
  Mask software version and non-SIP URIs: Disabled.
  Ensure that the number of hops to destination is greater than 0: Enabled.
  RTP conformance: Enforced.
  Limit payload to audio or video, based on the signaling exchange: No.
  SIP conformance: Drop packets that fail state checking.
–High
  SIP instant messaging (IM) extensions: Enabled.
  Non-SIP traffic on SIP port: Denied.
  Hide server’s and endpoint’s IP addresses: Disabled.
  Mask software version and non-SIP URIs: Enabled.
  Ensure that the number of hops to destination is greater than 0: Enabled.
  RTP conformance: Enforced.
  Limit payload to audio or video, based on the signaling exchange: Yes.
  SIP conformance: Drop packets that fail state checking and packets that fail header validation.
–Default Level—Sets the security level back to the default.
Details—Shows the additional filtering, IP address privacy, hop count, RTP conformance, SIP conformance, field masking, and inspections settings to configure.

Add/Edit SIP Policy Map (Details)
Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Advanced View
The Add/Edit SIP Policy Map pane lets you configure the security level and additional settings for SIP application inspection maps.
Fields
Name—When adding a SIP map, enter the name of the SIP map. When editing a SIP map, the name of the previously configured SIP map is shown.
Description—Enter the description of the SIP map, up to 200 characters in length.
Security Level—Shows the security level settings to configure.
Filtering—Tab that lets you configure the filtering settings for SIP.
–Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Enabled by default.
–Permit non-SIP traffic on SIP port—Permits non-SIP traffic on the SIP port. Permitted by default.
IP Address Privacy—Tab that lets you configure the IP address privacy settings for SIP.
–Hide server’s and endpoint’s IP addresses—Enables IP address privacy. Disabled by default.
Hop Count—Tab that lets you configure the hop count settings for SIP.
–Ensure that number of hops to destination is greater than 0—Enables a check for a Max-Forwards header whose value is zero.
  Action—Drop packet, Drop Connection, Reset, Log.
  Log—Enable or Disable.
RTP Conformance—Tab that lets you configure the RTP conformance settings for SIP.
–Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.
  Limit payload to audio or video, based on the signaling exchange—Enforces that the payload type is audio or video, based on the signaling exchange.
SIP Conformance—Tab that lets you configure the SIP conformance settings for SIP.
–Enable state transition checking—Enables SIP state checking.
  Action—Drop packet, Drop Connection, Reset, Log.
  Log—Enable or Disable.
–Enable strict validation of header fields—Enables validation of SIP header fields.
  Action—Drop packet, Drop Connection, Reset, Log.
  Log—Enable or Disable.
Field Masking—Tab that lets you configure the field masking settings for SIP.
–Inspect non-SIP URIs—Enables non-SIP URI inspection in Alert-Info and Call-Info headers.
  Action—Mask or Log.
  Log—Enable or Disable.
–Inspect server’s and endpoint’s software version—Inspects the SIP endpoint software version in User-Agent and Server headers.
  Action—Mask or Log.
  Log—Enable or Disable.
Inspections—Tab that shows the SIP inspection configuration and lets you add or edit entries.
–Match Type—Shows the match type, which can be a positive or negative match.
–Criterion—Shows the criterion of the SIP inspection.
–Value—Shows the value to match in the SIP inspection.
–Action—Shows the action taken if the match condition is met.
–Log—Shows the log state.
–Add—Opens the Add SIP Inspect dialog box to add a SIP inspection.
–Edit—Opens the Edit SIP Inspect dialog box to edit a SIP inspection.
–Delete—Deletes a SIP inspection.
–Move Up—Moves an inspection up in the list.
–Move Down—Moves an inspection down in the list.

Add/Edit SIP Inspect
Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Advanced View > Add/Edit SIP Inspect
The Add/Edit SIP Inspect dialog box lets you define the match criterion and value for the SIP inspect map.
Fields
Single Match—Specifies that the SIP inspect has only one match statement.
Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
Criterion—Specifies which criterion of SIP traffic to match.
–Called Party—Match a called party as specified in the To header.
–Calling Party—Match a calling party as specified in the From header.
–Content Length—Match a content length header.
–Content Type—Match a content type header.
–IM Subscriber—Match a SIP IM subscriber.
–Message Path—Match a SIP Via header.
–Request Method—Match a SIP request method.
–Third-Party Registration—Match the requester of a third-party registration.
–URI Length—Match a URI in the SIP headers.
Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified.
–Greater Than Length—Enter a header length value in bytes.
Content Type Criterion Values—Specifies to match a SIP content header type.
–SDP—Match an SDP SIP content header type.
–Regular Expression—Match a regular expression.
  Regular Expression—Lists the defined regular expressions to match.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class—Lists the defined regular expression classes to match.
  Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Method Criterion Values—Specifies to match a SIP request method.
–Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.
Third-Party Registration Criterion Values—Specifies to match the requester of a third-party registration. Applies the regular expression match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
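The Hop Count, SIP Conformance and Field Masking tabs of the policy map, together with the single-match criteria of the Add/Edit SIP Inspect dialog, amount to one evaluation pass over a parsed request. The Python below is an added illustration written for this page; it is not Cisco code and not the ASA inspection engine. The minimal parser, the required-header set used for strict validation, the policy dictionary keys, the finding names and the sample INVITE are all assumptions.

```python
import re

# Request methods the "Request Method" criterion can select; anything else counts as "unknown".
KNOWN_METHODS = {"ack", "bye", "cancel", "info", "invite", "message", "notify",
                 "options", "prack", "refer", "register", "subscribe", "update"}
# Assumed minimum header set for "strict validation of header fields".
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")

def parse_sip(raw):
    """Split a SIP request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}

def inspect(msg, policy):
    """Evaluate the policy-map tabs against one message; return (check, action) findings."""
    findings, h = [], msg["headers"]
    # Hop Count tab: flag a Max-Forwards header whose value is 0.
    if policy.get("max_forwards_check"):
        mf = h.get("max-forwards", [""])[0]
        if mf.isdigit() and int(mf) == 0:
            findings.append(("hop-count", policy["max_forwards_action"]))
    # SIP Conformance tab: strict header validation (presence, CSeq method agrees, version).
    if policy.get("strict_header_validation"):
        cseq = h.get("cseq", [""])[0].split()
        ok = all(r in h for r in REQUIRED_HEADERS) and len(cseq) == 2 and cseq[1] == msg["method"]
        if not ok or msg["version"] != "SIP/2.0":
            findings.append(("header-validation", policy["header_action"]))
    # Field Masking tab: mask the software version carried in User-Agent and Server headers.
    if policy.get("mask_software_version"):
        for name in ("user-agent", "server"):
            if name in h:
                h[name] = ["***"] * len(h[name])
                findings.append(("software-version", "mask"))
    # Inspections tab: single-match criteria; "no_match" inverts the sense of the match.
    for crit in policy.get("inspections", []):
        kind = crit["criterion"]
        if kind == "request-method":
            m = msg["method"].lower()
            matched = (m if m in KNOWN_METHODS else "unknown") == crit["value"]
        elif kind == "uri-length":
            uri_type = "tel" if msg["uri"].lower().startswith("tel:") else "sip"
            matched = uri_type == crit["uri_type"] and len(msg["uri"]) > crit["greater_than"]
        elif kind in ("called-party", "calling-party"):
            hdr = "to" if kind == "called-party" else "from"
            matched = re.search(crit["regex"], h.get(hdr, [""])[0]) is not None
        else:
            continue
        if matched != crit.get("no_match", False):
            findings.append((kind, crit["action"]))
    return findings

# Constructed sample INVITE (not captured traffic); Max-Forwards is deliberately 0.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 0\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "User-Agent: ExamplePhone/1.2.3\r\n\r\n"
)
# Policy modelled on the High security level, plus three assumed Inspections entries.
HIGH_POLICY = {
    "max_forwards_check": True, "max_forwards_action": "drop",
    "strict_header_validation": True, "header_action": "drop", "mask_software_version": True,
    "inspections": [
        {"criterion": "request-method", "value": "invite", "action": "log"},
        {"criterion": "uri-length", "uri_type": "sip", "greater_than": 64, "action": "drop"},
        {"criterion": "called-party", "regex": r"@example\.com", "no_match": True, "action": "drop"}]}
```

Running `inspect(parse_sip(SAMPLE_INVITE), HIGH_POLICY)` yields a hop-count drop, a software-version mask and a request-method log entry; the called-party rule is a No Match rule, so a To header inside example.com produces no finding.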
URI Length Criterion Values—Specifies to match a URI in the SIP headers that is greater than the specified length.
–URI type—Specifies to match either SIP URI or TEL URI.
–Greater Than Length—Length in bytes.
Multiple Matches—Specifies multiple matches for the SIP inspection.
–SIP Traffic Class—Specifies the SIP traffic class match.
–Manage—Opens the Manage SIP Class Maps dialog box to add, edit, or delete SIP Class Maps.
Actions—Primary action and log settings.
–Action—Drop packet, drop connection, reset, log. Note: The Limit rate (pps) action is available for the request methods invite and register.
–Log—Enable or disable.

Skinny (SCCP) Inspection
This section describes SCCP application inspection. This section includes the following topics:
SCCP Inspection Overview, page 12-32
Supporting Cisco IP Phones, page 12-33
Restrictions and Limitations, page 12-33
Select SCCP (Skinny) Map, page 12-34
SCCP (Skinny) Inspect Map, page 12-34
Message ID Filtering, page 12-35
Add/Edit SCCP (Skinny) Policy Map (Security Level), page 12-36
Add/Edit SCCP (Skinny) Policy Map (Details), page 12-37
Add/Edit Message ID Filter, page 12-38

SCCP Inspection Overview
Note: For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified Communications architecture and supports IP phone deployment, see Chapter 17, “Configuring the Cisco Phone Proxy.”
Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323-compliant terminals.
The ASA supports PAT and NAT for SCCP. PAT is necessary if you have more IP phones than global IP addresses for the IP phones to use. By supporting NAT and PAT of SCCP signaling packets, Skinny application inspection ensures that all SCCP signaling and media packets can traverse the ASA.
Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration. The ASA also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Note: The ASA supports inspection of traffic from Cisco IP Phones running SCCP protocol version 19 and earlier.

Supporting Cisco IP Phones
Note: For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified Communications architecture and supports IP phone deployment, see Chapter 17, “Configuring the Cisco Phone Proxy.”
In topologies where Cisco CallManager is located on the higher security interface with respect to the Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static, because a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its configuration. A static identity entry allows the Cisco CallManager on the higher security interface to accept registrations from the Cisco IP Phones.
Cisco IP Phones require access to a TFTP server to download the configuration information they need to connect to the Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry. When using NAT, an identity static entry maps to the same IP address. When using PAT, it maps to the same IP address and port.
When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager, no ACL or static entry is required to allow the Cisco IP Phones to initiate the connection.

Restrictions and Limitations
The following are limitations that apply to the current version of PAT and NAT support for SCCP:
–PAT does not work with configurations containing the alias command.
–Outside NAT or PAT is not supported.
–If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address or port, registrations for external Cisco IP Phones fail because the ASA currently does not support NAT or PAT for the file content transferred over TFTP. Although the ASA supports NAT of TFTP messages and opens a pinhole for the TFTP file, the ASA cannot translate the Cisco CallManager IP address and port embedded in the Cisco IP Phone configuration files that are transferred by TFTP during phone registration.
Note: The ASA supports stateful failover of SCCP calls except for calls that are in the middle of call setup.
Select SCCP (Skinny) Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SCCP Map
The Select SCCP (Skinny) Map dialog box lets you select or create a new SCCP (Skinny) map. An SCCP (Skinny) map lets you change the configuration values used for SCCP (Skinny) application inspection. The Select SCCP (Skinny) Map table provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default SCCP (Skinny) inspection map—Specifies to use the default SCCP (Skinny) map.
Select an SCCP (Skinny) map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
Encrypted Traffic Inspection—Lets you specify TLS proxy settings for the inspect map.
–Do not inspect Encrypted Traffic—Disables Skinny application inspection of encrypted traffic.
–Use Phone Proxy to enable inspection of encrypted traffic—Uses the Phone Proxy configured on the ASA to inspect Skinny application traffic. See Chapter 17, “Configuring the Cisco Phone Proxy.”
–Use TLS Proxy to enable inspection of encrypted traffic—Specifies to use a Transport Layer Security (TLS) Proxy to enable inspection of encrypted traffic.
  TLS Proxy Name—Name of an existing TLS Proxy.
  New—Opens the Add TLS Proxy dialog box to add a TLS Proxy.

SCCP (Skinny) Inspect Map
Configuration > Global Objects > Inspect Maps > SCCP (Skinny)
The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps. An SCCP (Skinny) map lets you change the default configuration values used for SCCP (Skinny) application inspection.
Skinny application inspection performs translation of embedded IP addresses and port numbers within the packet data, and dynamic opening of pinholes. It also performs additional protocol conformance checks and basic state tracking.
Fields
SCCP (Skinny) Inspect Maps—Table that lists the defined SCCP (Skinny) inspect maps.
Add—Configures a new SCCP (Skinny) inspect map. To edit an SCCP (Skinny) inspect map, choose the SCCP (Skinny) entry in the SCCP (Skinny) Inspect Maps table and click Customize.
Delete—Deletes the inspect map selected in the SCCP (Skinny) Inspect Maps table.
Security Level—Select the security level (high or low).
–Low—Default.
  Registration: Not enforced.
  Maximum message ID: 0x181.