Allow SIP through Cisco ASA 8.x

Well most likely you need to set up an inspection rule for SIP:


      
Cisco ASA 5500 Series Adaptive Security Appliances
PIX/ASA 7.x: Enable VoIP (SIP, MGCP, H323, SCCP) Services Configuration Example
Downloads

    * PIX/ASA 7.x: Enable VoIP (SIP, MGCP, H323, SCCP) Services Configuration Example

Document ID: 82446

Contents

    Introduction
    Prerequisites
          Requirements
          Components Used
          Related Products
          Conventions
    Background Information
          SIP
          MGCP
          H.323
          SCCP
    Configure
          Network Diagram for SIP
          Configurations for SIP
          Network Diagram for MGCP, H.323 and SCCP
          Configurations for MGCP
          Configurations for H.323
          Configurations for SCCP
    Verify
    Troubleshoot
    NetPro Discussion Forums - Featured Conversations
    Related Information

Introduction

This document describes how to allow the Voice over IP (VoIP) Protocols traffic on the outside interface and enable inspection for each protocol in the Cisco PIX/ASA Security Appliances.

These are the protocols:

    *

      Session Initiation Protocol (SIP)SIP is an application-layer control (signaling) protocol that creates, modifies, and terminates sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences.

      SIP, as defined by the Internet Engineering Task Force (IETF), enables VoIP calls. SIP works with Session Description Protocol (SDP) for call signalling. SDP specifies the details of the media stream. The security appliance can support any SIP (VoIP) gateways and VoIP proxy servers when SIP is used. SIP and SDP are defined in these RFCs:
          o

            SIP: Session Initiation Protocol, RFC 3261 leavingcisco.com
          o

            SDP: Session Description Protocol, RFC 2327 leavingcisco.com

      In order to support SIP calls through the security appliance, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected. This is because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies Network Address Translation (NAT) for these embedded IP addresses.

      Note: If a remote endpoint tries to register with a SIP proxy on a network protected by the security appliance, the registration fails under very specific conditions. These conditions are when Port Address Translation (PAT) is configured for the remote endpoint, the SIP registrar server is on the outside network, and when the port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.
    *

      Media Gateway Control Protocol (MGCP)MGCP is a client-server call control protocol, built on centralized control architecture. All the dial plan information resides on a separate call agent. The call agent, which controls the ports on the gateway, performs call control. The gateway does media translation between the Public Switched Telephone Network (PSTN) and the VoIP networks for external calls. In a Cisco-based network, CallManagers function as the call agents.

      MGCP is an IETF standard that is defined in several RFCs, which includes 2705 leavingcisco.com and 3435 leavingcisco.com. Its capabilities can be extended by the use of packages that include, for example, the handling of dual-tone multifrequency (DTMF) tones, secure RTP, call hold, and call transfer.

      An MGCP gateway is relatively easy to configure. Because the call agent has all the call-routing intelligence, you do not need to configure the gateway with all the dial peers it would otherwise need. A downside is that a call agent must always be available. Cisco MGCP gateways can use Survivable Remote Site Telephony (SRST) and MGCP fallback to allow the H.323 protocol to take over and provide local call routing in the absence of a CallManager. In that case, you must configure dial peers on the gateway for use by H.323.
    *

      H.323H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, which includes H.323 v3 feature Multiple Calls on One Call Signaling Channel.

      With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance.

      These are the two major functions of H.323 inspection:
          o

            NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
          o

            Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
    *

      Skinny (or Simple) Client Control Protocol (SCCP)SCCP is a simplified protocol used in VoIP networks. Cisco IP Phones that use SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323-compliant terminals. Application layer functions in the security appliance recognize SCCP Version 3.3. The functionality of the application layer software ensures that all SCCP signaling and media packets can traverse the security appliance by providing NAT of the SCCP Signaling packets.

      There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2. The security appliance supports all versions through Version 3.3.2. The security appliance provides both PAT and NAT support for SCCP. PAT is necessary if you have limited numbers of global IP addresses for use by IP phones.

      Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration. The security appliance also supports DHCP options 150 and 66, which allow the security appliance to send the location of a TFTP server to Cisco IP Phones and other DHCP clients. Refer to Configuring DHCP, DDNS, and WCCP Services for more information.

Prerequisites
Requirements

This document assumes that the necessary VPN configuration is made on all the devices and works properly.

Refer to ASA/PIX: Security Appliance to an IOS Router LAN-to-LAN IPsec Tunnel Configuration Example in order to learn more about the VPN configuration.

Refer to PIX/ASA 7.x: Enable Communication Between Interfaces for more information on how to enable the communication between interfaces.
Components Used

The information in this document is based on the Cisco 5500 Series Adaptive Security Appliance (ASA) which runs software version 7.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products

This configuration can also be used with the Cisco 500 Series PIX Firewall which runs software version 7.x.
Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
SIP

SIP inspection NATs the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum. It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address/ports on which the endpoint should listen.

SIP inspection has a database with indices CALL_ID/FROM/TO from the SIP payload that identifies the call, as well as the source and destination. Contained within this database are the media addresses and media ports that were contained in the SDP media information fields and the media type. There can be multiple media addresses and ports for a session. RTP/RTCP connections are opened between the two endpoints using these media addresses/ports.

The well-known port 5060 must be used on the initial call setup (INVITE) message. However, subsequent messages might not have this port number. The SIP inspection engine opens signaling connection pinholes, and marks these connections as SIP connections. This is done for the messages to reach the SIP application and be NATed.

As a call is set up, the SIP session is considered in the transient state. This state remains until a Response message is received which indicates the RTP media address and port on which the destination endpoint listens. If there is a failure to receive the response messages within one minute, the signaling connection is torn down.

Once the final handshake is made, the call state is moved to active and the signaling connection remains until a BYE message is received.

If an inside endpoint initiates a call to an outside endpoint, a media hole is opened to the outside interface to allow RTP/RTCP UDP packets to flow to the inside endpoint media address and media port specified in the INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface will not traverse the security appliance, unless the security appliance configuration specifically allows it.

The media connections are torn down within two minutes after the connection becomes idle. This is a configurable timeout and can be set for a shorter or longer period of time.
MGCP

In order to use MGCP, you usually need to configure at least two inspect commands: one for the port on which the gateway receives commands, and one for the port on which the call agent receives commands. Normally, a call agent sends commands to the default MGCP port for gateways, 2427, and a gateway sends commands to the default MGCP port for call agents, 2727.

MGCP messages are transmitted over UDP. A response is sent back to the source address (IP address and UDP port number) of the command, but the response might not arrive from the same address as the command was sent to. This can occur when multiple call agents are used in a failover configuration and the call agent that received the command has passed control to a backup call agent, which then sends the response.
H.323

The H.323 collection of protocols collectively can use up to two TCP connection and four to six UDP connections. FastConnect uses only one TCP connection, and Reliability, Availability, and Serviceability (RAS) uses a single UDP connection for registration, admissions, and status.

An H.323 client can initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP.

H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals do not use FastConnect, the security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.

Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. RTP uses the negotiated port number, while RTCP uses the next higher port number.

The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses these ports:

    *

      1718Gate Keeper Discovery UDP port
    *

      1719RAS UDP port
    *

      1720TCP Control Port

You must permit traffic for the well-known H.323 port 1720 for the H.225 call signaling. However, the H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the security appliance opens an H.225 connection based on inspection of the Admission Confirmation (ACF) message.

After the H.225 messages are inspected, the security appliance opens the H.245 channel and then inspects traffic sent over the H.245 channel. All H.245 messages that pass through the security appliance undergo H.245 application inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 messages.

The H.323 ITU standard requires that a Transport Protocol Data Unit Packet (TPKT) header, which defines the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as H.225 and H.245 messages, the security appliance must remember the TPKT length to process and decode the messages properly. For each connection, the security appliance keeps a record that contains the TPKT length for the next expected message.

If the security appliance needs to perform NAT on IP addresses in messages, it changes the checksum, the UUIE length, and the TPKT, if it is included in the TCP packet with the H.225 message. If the TPKT is sent in a separate TCP packet, the security appliance proxy acknowledgments (ACKs) that TPKT and appends a new TPKT to the H.245 message with the new length.
SCCP

In topologies where Cisco CallManager is located on the higher security interface with respect to the Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its configuration. An identity static entry allows the Cisco CallManager on the higher security interface to accept registrations from the Cisco IP Phones.

Cisco IP Phones require access to a TFTP server in order to download the configuration information they need to connect to the Cisco CallManager server.

When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an access list in order to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, this does not have to be an identity static entry. When NAT is used, an identity static entry maps to the same IP address. When PAT is used, it maps to the same IP address and port.

When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager, no access list or static entry is required to allow the Cisco IP Phones to initiate the connection.
Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool ( registered customers only) to obtain more information on the commands used in this section.
Network Diagram for SIP

This section uses this network setup:

enable-voip-config1.gif
Configurations for SIP

This section uses these configurations:

The Security Appliance supports application inspection through the Adaptive Security Algorithm function. Through the stateful application inspection used by the Adaptive Security Algorithm, the Security Appliance tracks each connection that traverses the firewall and ensures that they are valid. The firewall, through stateful inspection, also monitors the state of the connection to compile information to place in a state table. With the use of the state table in addition to administrator-defined rules, filtering decisions are based on context that is established by packets previously passed through the firewall. The implementation of application inspections consists of these actions:

    *

      Identify the traffic.
    *

      Apply inspections to the traffic.
    *

      Activate inspections on an interface.

Configure Basic SIP Inspection

By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). Default application inspection traffic includes traffic to the default ports for each protocol. You can only apply one global policy. Therefore, if you want to alter the global policy, for example, to apply inspection to non-standard ports or to add inspections that are not enabled by default, you need to either edit the default policy or disable it and apply a new one. For a list of all default ports, refer to the Default Inspection Policy.

   1.  Issue the policy-map global_policy command.
          ASA5510(config)#policy-map global_policy
   2.  Issue the class inspection_default command.
          ASA5510(config-pmap)#class inspection_default
   3.  Issue the inspect sip command.
          ASA5510(config-pmap-c)#inspect sip

This was taken from this doc:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml#sip

But it sounds like you need a NAT translation as well.  Post your config and we can see what else you need.

Wow.  Didn't mean to post the WHOLE thing.. Thought I just grabbed the 3 steps!  ;)

Hi Ken,

Config attached, I had a look at the doc but not sure if it applys to my config,

The setup is 2 ISP failover / 8 VPN's / HW Failover .

----------
ASA Version 8.0(2)
!
hostname Firewall
domain-name domain.com
enable password ********* encrypted
names
name 192.168.1.3 Asterisk
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 80.80.80.80 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 standby 192.168.1.251
!
interface Ethernet0/2
 nameif outsidebackup
 security-level 0
 ip address 89.89.89.89 255.255.255.192
!
interface Ethernet0/3
 shutdown
 nameif DMZ1
 security-level 0
 no ip address
!
interface Management0/0
 description LAN Failover Interface
!
passwd LvL0SMWbtsUGJcof encrypted
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup outsidebackup
dns server-group DefaultDNS
 name-server 80.1.1.1
 name-server 80.1.1.1
 name-server 80.1.1.1
 name-server 80.1.1.1
 name-server 192.168.1.50
 domain-name domain.com
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RTPPorts udp
 description RTPPorts
 port-object range 10000 20000
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list access_internal_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Lvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list wvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq 992
access-list inbound extended permit tcp any interface outside eq ssh
access-list inbound extended permit ip any host 192.168.1.29
access-list inbound extended permit udp any any eq isakmp
access-list inbound extended permit esp any any
access-list inbound extended permit ah any any
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 80.93.2.242 eq https
access-list inbound extended permit tcp any interface outside eq 5500
access-list inbound extended permit tcp any host 80.93.2.240 eq www
access-list Cbackupvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Cvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list Wbackupvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list Lbackupvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list bvpn extended permit ip any 192.168.2.0 255.255.255.0
access-list bbackupvpn extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outsitebackup_access_in extended permit tcp any interface outsidebackup eq www
access-list outsitebackup_access_in extended permit udp any any eq isakmp
access-list outsitebackup_access_in extended permit esp any any
access-list outsitebackup_access_in extended permit ah any any
access-list outsitebackup_access_in extended permit icmp any any
access-list outsitebackup_access_in extended permit tcp any interface outsidebackup eq https
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging asdm informational
logging facility 16
mtu outside 1500
mtu inside 1500
mtu outsidebackup 1500
mtu DMZ1 1500
ip local pool VPNPOOL 172.16.2.1-172.16.2.50
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover key *******
failover interface ip failover 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
asdm location 172.16.2.0 255.255.255.0 outside
asdm location 192.168.2.0 255.255.255.0 outside
asdm location 192.168.5.0 255.255.255.0 outside
asdm location 192.168.1.48 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outsidebackup) 1 interface
nat (inside) 0 access-list access_internal_acl
nat (inside) 1 172.16.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 83.83.83.83 4662 192.168.1.29 4662 netmask 255.255.255.255
static (inside,outside) tcp 83.83.83.83 4662 192.168.1.29 4662 netmask 255.255.255.255
static (outside,inside) udp 83.83.83.83 4672 192.168.1.29 4672 netmask 255.255.255.255
static (inside,outside) udp 83.83.83.83 4672 192.168.1.29 4672 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.51 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.103 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 992 192.168.1.1 992 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.24 www netmask 255.255.255.255
static (inside,outside) tcp interface 8001 192.168.1.243 8001 netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.70 5500 netmask 255.255.255.255
static (inside,outside) 80.80.80.1 192.168.1.29 netmask 255.255.255.255
static (inside,outside) 80.80.80.2 192.168.1.66 netmask 255.255.255.255
static (inside,outside) 80.80.80.3 192.168.1.50 netmask 255.255.255.255
access-group inbound in interface outside
access-group outsitebackup_access_in in interface outsidebackup
route outside 0.0.0.0 0.0.0.0 80.80.80.4 1 track 1
route outsidebackup 0.0.0.0 0.0.0.0 89.80.80.5 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.243 poll community prreilly version 2c
no snmp-server location
no snmp-server contact
snmp-server community prreilly
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sla monitor 123
 type echo protocol ipIcmpEcho 80.80.80.80 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 100 set transform-set myset
: end
--------------------------------------------------------

I excluded the VPN part.

Thanks, Joe

Joe did you have a global service policy applied?   It should be listed in the config at the bottom just below the VPN stuff.

So let me see if understand this.  You have a SIP box on the inside of your network that needs to connect to a SIP trunk that is on the outside and you need to handle traffic that could be originated from either side right?  So what is the box on the outside, and what is the box on the inside as far as IP addressing, and then I am assuming you want to translate the inside box to the ip address of the outside interface.  Is that correct?

But definitely let me see your global service policy.

I didn't mean to post that whole doc I just meant for you to see the last few lines which you definitely will need:

 1.  Issue the policy-map global_policy command.
          ASA5510(config)#policy-map global_policy
   2.  Issue the class inspection_default command.
          ASA5510(config-pmap)#class inspection_default
   3.  Issue the inspect sip command.
          ASA5510(config-pmap-c)#inspect sip

Yes thats correct Ken,

The SIP box it 192.168.1.3

The outside SIP registar is 194.213.29.100

I dont have a policy-map global_policy setup - When I enter "class inspection_default" i get ERROR: % class-map inspection_default not configured

That worked great Ken, Many Thanks for the help

But where the login and passwd input for multiple sip clients..

Is anybody s tell me how to create multiple sip register account from cisco asa and how can asterisk client pc can able to register  sip from cisco asa