Although the Security Appliance supports NAT and PAT for SCCP, it has limitations, including
the following:
■ PAT does not work with configurations that use the alias command.
■ Stateful failover of SCCP calls is not supported.
■ The debug skinny command can delay message forwarding, which affects performance in a
real-time environment.
■ Fragmented SCCP messages are not supported.
■ Outside NAT or PAT is not supported.
The Security Appliance does not translate addresses carried inside file content that is
transferred with Trivial File Transfer Protocol (TFTP). If the address of a Cisco CallManager
server is translated by NAT or PAT to a different address or port and outside phones register
to it using TFTP, the TFTP inspection engine translates the TFTP messages themselves and opens
the holes for the file transfer, but it cannot rewrite the Cisco CallManager IP address and
port embedded in the Cisco IP Phone configuration files that the phones download during
registration, so outside phones receive configuration files that still point at the
untranslated address.
Example 19-2 Sample MGCP Configuration
PIXfirewall(config)# mgcp-map mgcp1
PIXfirewall(config-mgcp-map)# call-agent 10.1.1.30 101
PIXfirewall(config-mgcp-map)# call-agent 10.1.1.35 101
PIXfirewall(config-mgcp-map)# call-agent 10.1.1.12 102
PIXfirewall(config-mgcp-map)# call-agent 10.1.1.14 102
PIXfirewall(config-mgcp-map)# gateway 10.1.2.20 101
PIXfirewall(config-mgcp-map)# gateway 10.1.2.21 102
PIXfirewall(config-mgcp-map)# exit
PIXfirewall(config)# policy-map global_policy
PIXfirewall(config-pmap)# class inspection_default
PIXfirewall(config-pmap-c)# inspect mgcp mgcp1
PIXfirewall(config-pmap-c)# exit
Example 19-3 Assigning a New Port for SCCP Inspection
PIXfirewall(config)# class-map sccp_port
PIXfirewall(config-cmap)# match port tcp eq 2435
PIXfirewall(config-cmap)# exit
PIXfirewall(config)# policy-map voip_map
PIXfirewall(config-pmap)# class sccp_port
PIXfirewall(config-pmap-c)# inspect sccp
PIXfirewall(config-pmap-c)# exit
The policy map in Example 19-3 takes effect only after it is applied with the service-policy
command, either globally or to a specific interface.
SIP
SIP, defined in RFC 2543 (since superseded by RFC 3261), is a signaling protocol for Internet
conferencing, telephony, presence, event notification, and instant messaging. The Internet
Engineering Task Force (IETF) developed SIP in the mid-1990s as a real-time call-control
protocol for IP voice, and it has since expanded into video and instant-messaging applications.
SIP works with the Session Description Protocol (SDP), RFC 2327, for call signaling: SDP, carried
in the body of the SIP message, specifies the addresses and ports for the media streams. With
SIP inspection, the Security Appliance can support SIP VoIP gateways and VoIP proxy servers.
To support SIP calls through the Security Appliance, the signaling messages must be inspected
for the media connection addresses and media ports, and the embryonic connections for the media
must be permitted. Although the signaling itself uses a well-known destination port (UDP/TCP
5060), the media streams are allocated dynamically for each call and cannot be learned from
port 5060 alone. SIP also embeds IP addresses in the user data portion of the packet, in headers
such as Via and Contact and in the SDP c= and m= lines; SIP inspection applies NAT to these
embedded addresses and ports and adjusts the SDP content length accordingly.
Application inspection for SIP is enabled by default with the inspect sip command. You can use
the class-map command to change the default TCP port on which SIP is inspected (with a match
port clause, as Example 19-3 does for SCCP), and the show conn state sip command to view all
active SIP connections.
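The following Python script is added here as an illustration; it is not part of the original chapter and is not Cisco code. It models the work a SIP inspection engine has to do for one INVITE: parse a constructed INVITE from an inside phone, pull the media endpoints out of the SDP c= and m= lines (the RTP pinholes the firewall must open), rewrite the Via, Contact, o= and c= addresses and the m= port for a translation of 10.1.1.50 to 192.0.2.10 with a hypothetical PAT mapping of media port 16384 to 1024, and recompute Content-Length because the longer outside address changes the body size. The message, addresses and port mapping are all constructed for the example.

```python
"""Toy model of what SIP application inspection must do: find the IP
addresses and media ports that SIP carries inside the payload (Via and
Contact headers, SDP c= and m= lines), rewrite them for NAT/PAT, fix
Content-Length, and report the RTP pinholes the firewall has to open.
Added example: the INVITE below is constructed, not captured traffic."""

CRLF = "\r\n"


def split_message(msg):
    """Split a SIP message into (start_line, header_lines, body)."""
    head, _, body = msg.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], lines[1:], body


def fix_content_length(msg):
    """Recompute Content-Length: rewriting c= and o= lines changes the
    SDP length, so a NAT device that edits the body must also fix this."""
    start, headers, body = split_message(msg)
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(body.encode())}")
    return CRLF.join([start] + headers) + CRLF + CRLF + body


def content_length_ok(msg):
    """True if the Content-Length header matches the actual body size."""
    _, headers, body = split_message(msg)
    for h in headers:
        if h.lower().startswith("content-length:"):
            return int(h.split(":", 1)[1]) == len(body.encode())
    return False


# Constructed INVITE from an inside phone (10.1.1.50) behind the firewall.
INSIDE_INVITE = fix_content_length(CRLF.join([
    "INVITE sip:2001@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:1001@sip.example.net>;tag=1928301774",
    "To: <sip:2001@sip.example.net>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:1001@10.1.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=1001 2890844526 2890844526 IN IP4 10.1.1.50",
    "s=-",
    "c=IN IP4 10.1.1.50",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "",
]))


def media_pinholes(msg):
    """Return the (ip, port) media endpoints declared in the SDP.  These
    RTP ports are chosen per call and are not visible on port 5060 itself,
    which is why the signaling must be inspected to open them."""
    _, _, body = split_message(msg)
    session_ip = None
    holes = []
    for line in body.split(CRLF):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if holes:
                holes[-1] = (ip, holes[-1][1])   # media-level c= overrides
            else:
                session_ip = ip                  # session-level c=
        elif line.startswith("m="):
            holes.append((session_ip, int(line.split()[1])))
    return holes


def nat_rewrite(msg, inside_ip, outside_ip, pat):
    """Translate the embedded addresses the way SIP inspection does when
    inside_ip is translated to outside_ip.  pat maps each inside media port
    to the outside port the firewall allocated for it (a constructed
    mapping here).  Returns the translated message and the outside
    (ip, port) pinholes to open."""
    start, headers, body = split_message(msg)
    new_headers = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            h = h.replace(inside_ip, outside_ip)
        new_headers.append(h)
    new_body = []
    for line in body.split(CRLF):
        if line.startswith(("c=", "o=")):       # connection and owner lines
            line = line.replace(inside_ip, outside_ip)
        elif line.startswith("m="):
            parts = line.split()
            parts[1] = str(pat[int(parts[1])])  # inside RTP port -> PAT port
            line = " ".join(parts)
        new_body.append(line)
    out = CRLF.join([start] + new_headers) + CRLF + CRLF + CRLF.join(new_body)
    out = fix_content_length(out)
    return out, media_pinholes(out)


if __name__ == "__main__":
    print("inside media endpoints:", media_pinholes(INSIDE_INVITE))
    translated, holes = nat_rewrite(INSIDE_INVITE, "10.1.1.50", "192.0.2.10", {16384: 1024})
    print("outside pinholes to open:", holes)
    print(translated)
```

Running the script prints the inside media endpoint, the outside pinhole the firewall would have to open, and the translated INVITE. The content_length_ok check is the reason the rewrite cannot be a plain string substitution: the body grows by one byte when 10.1.1.50 becomes 192.0.2.10, and a receiver that honors the stale Content-Length would truncate the SDP.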
NOTE Cisco IP Phones must reregister with the Cisco CallManager to establish calls through
the Security Appliance after the clear xlate command is entered, because that command
deletes the translation (xlate) entries for the Cisco CallManager.
Application Inspection
Attackers use several methods to disrupt network service, and denial of service (DoS) is among
the most common. The Cisco Security Appliance includes attack mitigation features to combat
the following attacks: