Cisco Catalyst 6500 Series User Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.
If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface will not traverse the FWSM, unless the FWSM configuration specifically allows it.
The media connections are torn down within two minutes after the connection becomes idle. This timeout is configurable and can be set for a shorter or longer period of time. See the timeout command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
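The media-hole behavior described above, as an added Python model (not FWSM code and not part of the original manual): it opens a pinhole from the SDP of a constructed INVITE, refuses unsolicited RTP/RTCP, and tears down entries idle for longer than the two-minute default. The class and function names are hypothetical, and RTCP is assumed to use the RTP port plus one.

```python
import re

IDLE_TIMEOUT = 120  # seconds: the two-minute default idle timeout from the text

# Constructed INVITE from an inside endpoint (RFC 5737 documentation addresses).
SAMPLE_INVITE = ("INVITE sip:bob@198.51.100.20 SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
                 "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")

def media_endpoints(invite):
    """Return (address, port) for every active m= line in the INVITE's SDP body."""
    body = invite.partition("\r\n\r\n")[2]
    session_addr, media = None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP4 (\S+)", line)
        m = re.match(r"m=\w+ (\d+)", line)
        if c and media:              # media-level c= overrides the session-level one
            media[-1][0] = c.group(1)
        elif c:
            session_addr = c.group(1)
        elif m:
            media.append([session_addr, int(m.group(1))])
    # Port 0 marks a disabled stream; a stream with no address cannot be pinned.
    return [(a, p) for a, p in media if a and p]

class PinholeTable:
    """Hypothetical model of the media holes opened for inside-initiated calls."""

    def __init__(self):
        self.last_seen = {}  # (inside addr, UDP port) -> time of last packet

    def open_for_invite(self, invite, now):
        for addr, port in media_endpoints(invite):
            self.last_seen[(addr, port)] = now      # RTP
            self.last_seen[(addr, port + 1)] = now  # RTCP: assumed RTP port + 1

    def permit(self, dst_addr, dst_port, now):
        """True if an outside-to-inside UDP packet matches a live pinhole."""
        key = (dst_addr, dst_port)
        seen = self.last_seen.get(key)
        if seen is None:
            return False                 # unsolicited: no INVITE opened this hole
        if now - seen > IDLE_TIMEOUT:
            del self.last_seen[key]      # idle too long: tear the hole down
            return False
        self.last_seen[key] = now        # traffic refreshes the idle timer
        return True
```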
Skinny Inspection Engine
Enabled by default for TCP port 2000
Skinny (or Simple) Client Control Protocol (SCCP) is a protocol used in VoIP networks.
To configure the Skinny inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol skinny [port[-port]]
The default port is 2000 (TCP).
This section includes the following topics:
Skinny Overview, page 13-18
Problems with Fragmented Skinny Packets, page 13-19
Skinny Overview
Cisco IP Phones using Skinny can coexist with an H.323 environment. When used with
Cisco CallManager, the Skinny client can interoperate with H.323-compliant terminals. The FWSM
ensures that all SCCP signaling and media packets can traverse the FWSM by providing NAT of the
SCCP signaling packets. This inspection engine does not support NAT between same-security interfaces.
Five versions of the SCCP protocol are supported: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2.
The FWSM supports DHCP options 150 and 66, which allow the FWSM to send the location of a TFTP
server to Cisco IP Phones and other DHCP clients. The TFTP server provides the address of the
Cisco CallManager for the Cisco IP Phones. For further information about this feature, see the
“Configuring the DHCP Server” section on page 8-19. If the Cisco CallManager is on a higher security
interface, which requires NAT for the Cisco CallManager IP address, and you configure the TFTP server
to serve a file with the local untranslated address of the Cisco CallManager, then the Cisco IP Phones
cannot contact the Cisco CallManager. We recommend that you use the Cisco CallManager name instead
of the IP address, and rely on the DNS server to provide the correct address. If the DNS server is also on
the higher security interface, the FWSM can use the DNS inspection engine to translate the address
inside the DNS response.
If you enter the clear xlate command after PAT translations are created for Cisco CallManager, Skinny
calls cannot be established because the translations for the Cisco CallManager are permanently deleted.
Under these circumstances, Cisco IP Phones need to reregister with the Cisco CallManager to establish
calls through the FWSM.
