Configure Advanced Protocol Inspection
Protocols required to support IP telephony

Voice over IP and multimedia standards supported by the PIX Security Appliance include H.323 Version 4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol (SCCP), and Media Gateway Control Protocol (MGCP), helping businesses secure deployments of a wide range of current and next-generation Voice over IP (VoIP) and multimedia applications.

The PIX Security Appliance also provides security services for Telephony Application Programming Interface (TAPI)-based and Java TAPI (JTAPI)-based applications, such as the Cisco IP SoftPhone, when these applications use Computer Telephony Interface Quick Buffer Encoding (CTIQBE) as the network transport mechanism.

H.323
H.323 is more complicated to inspect than most other protocols because a single "call" uses two TCP connections and four to six UDP sessions. Only one of the TCP connections goes to a well-known port; all the other ports are negotiated during the call and are temporary. Furthermore, the content of the streams is far harder for a firewall to parse than with many other protocols, because H.323 encodes its messages in Abstract Syntax Notation One (ASN.1) rather than as text.

By default, the PIX Security Appliance inspects port 1720 connections for H.323 traffic. If there are network devices using ports other than the default ports, the class-map command is used to identify these other traffic flows with their different port numbers. Use the no inspect h323 command to disable the inspection of traffic for H.323 connections. Supported H.323 applications are shown in Figure .

SIP
SIP is an application-layer control protocol used to set up and tear down multimedia sessions. These multimedia sessions include Internet telephony and similar applications. SIP uses RTP for media transport and RTCP to provide a Quality of Service (QoS) feedback loop. With SIP inspection, the PIX Security Appliance can support any SIP VoIP gateway and VoIP proxy server.

To support SIP calls through the PIX Security Appliance, the signaling messages must be inspected for the media connection addresses and media ports so that the embryonic connections for the media can be opened: the signaling is sent over a well-known destination port (UDP/TCP 5060), but the media streams are dynamically allocated. The inspect sip command can be used to enable or disable SIP support. SIP is a text-based protocol and carries IP addresses throughout the message text (in headers such as Via and Contact and in the SDP body). With SIP inspection enabled, the PIX parses the packets and rewrites these embedded addresses, so both NAT and PAT are supported.

By default, the PIX Security Appliance inspects port 5060 connections for SIP traffic. If there are network devices using ports other than the default ports, the class-map command can be used to identify these other traffic flows with their different port numbers. Use the no inspect sip command to disable the inspection of traffic for SIP connections. The show conn state sip command can be used to display all active SIP connections.

SCCP
In PIX Security Appliance Software Versions 6.0 and higher, application handling supports SCCP, also known as the skinny protocol. SCCP is used by Cisco IP Phones for VoIP call signaling. SCCP defines the set of messages that a Cisco IP Phone needs to communicate with the Cisco Call Manager for call setup. The IP Phone uses a randomly selected TCP port to send and receive SCCP messages, while Call Manager listens for SCCP messages on TCP port 2000. SCCP uses RTP and RTCP for media transmission, and the media ports are randomly selected by the IP Phones.

Skinny protocol inspection enables the PIX Security Appliance to dynamically open the negotiated ports for media sessions. SCCP support allows an IP Phone and Cisco Call Manager to be placed on separate sides of the security appliance.

Skinny protocol inspection is enabled by default to listen for SCCP messages on port 2000. If there are network devices using ports other than the default ports, the class-map command can be used to identify these other traffic flows with their different port numbers. Use the no inspect skinny command to disable the inspection of skinny protocol traffic.

CTIQBE
TAPI and JTAPI are used by many Cisco VoIP applications. Cisco PIX Security Appliance Software Version 6.3 introduces support for a specific protocol, CTIQBE, which is used by the Cisco TAPI Service Provider (TSP) to communicate with Cisco Call Manager. Support for this protocol is enabled by default.

By default, the PIX Security Appliance inspects port 2748 connections for CTIQBE traffic. If there are network devices using ports other than the default ports, the class-map command can be used to identify these other traffic flows with their different port numbers. Use the no inspect ctiqbe command to disable the inspection of traffic for CTIQBE connections.
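The H.323, SIP, SCCP and CTIQBE sections above all describe the same procedure for non-default ports: match the port with a class-map, apply the inspection engine to that class in a policy-map, and activate the policy. The configuration below is an added example in PIX Security Appliance Software 7.0 syntax and is not taken from the original page; the alternate port numbers (5070, 2002, 1730, 2749), the access-list and class names, and the policy name are assumed for illustration.

```cisco
! Added example (PIX 7.0 syntax, assumed): inspect VoIP signaling on
! non-default ports. Port numbers and names are illustrative, not from the page.
!
! SIP proxy that signals on TCP and UDP 5070 instead of 5060.
! A Layer 3/4 class-map accepts a single match statement, so matching
! two transports is done through an access-list.
access-list sip_alt_ports extended permit tcp any any eq 5070
access-list sip_alt_ports extended permit udp any any eq 5070
class-map voip_sip_alt
 match access-list sip_alt_ports
!
! Cisco Call Manager listening for SCCP on TCP 2002 instead of 2000.
class-map voip_sccp_alt
 match port tcp eq 2002
!
! H.225 call signaling on TCP 1730 instead of 1720. H.323 RAS keeps its
! default UDP 1718-1719 and is still matched by the default class below.
class-map voip_h225_alt
 match port tcp eq 1730
!
! CTI application (TSP) reaching Call Manager over TCP 2749 instead of 2748.
class-map voip_ctiqbe_alt
 match port tcp eq 2749
!
! Bind each class to its inspection engine in the global policy.
! inspection_default (match default-inspection-traffic) keeps the
! standard ports inspected exactly as before.
policy-map global_policy
 class inspection_default
  inspect sip
  inspect skinny
  inspect h323 h225
  inspect h323 ras
  inspect ctiqbe
 class voip_sip_alt
  inspect sip
 class voip_sccp_alt
  inspect skinny
 class voip_h225_alt
  inspect h323 h225
 class voip_ctiqbe_alt
  inspect ctiqbe
!
! Activate the policy on every interface.
service-policy global_policy global
!
! Disabling an engine is done inside the class it is bound to, e.g.
!  policy-map global_policy
!   class inspection_default
!    no inspect ctiqbe
```

Two points worth checking after applying this: a class that matches only the non-default port does not remove inspection from the default port, so a proxy that was moved off 5060 is still inspected there until the default engine is negated in inspection_default; and the signaling pinhole is only half the job, since the media pinholes are opened by the engine as it parses the call, which is why show conn state sip (or the equivalent skinny/h323/ctiqbe state) should show the media connections appearing and disappearing with each call.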

MGCP
Cisco PIX Security Appliance Software Version 6.3 introduces support for application inspection of MGCP. MGCP is used for controlling media gateways from external call control elements called media gateway controllers or call agents. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Examples of media gateways are as follows:

  • Trunking gateway – Provides an interface between the telephone network and a VoIP network. Such gateways typically manage a large number of digital circuits.
  • Residential gateway – Provides a traditional analog (RJ-11) interface to a VoIP network. Examples of residential gateways include cable modem/cable set-top boxes, xDSL devices, and broadband wireless devices.
  • Business gateway – Provides a traditional digital PBX interface or an integrated soft PBX interface to a VoIP network.

MGCP messages are transmitted over UDP.

To use MGCP, at least two ports typically need to be configured: the port on which the gateway receives commands and the port on which the call agent receives commands. Normally, a call agent sends commands to port 2427, while a gateway sends commands to port 2727. Audio packets are transmitted over the IP network using RTP. MGCP inspection enables the security appliance to securely open the negotiated UDP ports for legitimate media connections through the security appliance. Neither NAT nor PAT is supported for MGCP by Cisco PIX Security Appliance Software Version 6.3 or lower.
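Unlike the other engines, MGCP inspection in PIX Security Appliance Software 7.0 is normally given a map that names which call agents are allowed to control which gateways, so that a command arriving from an address that is not a listed call agent is not used to open media pinholes. The configuration below is an added example in that syntax and is not from the original page; the addresses, the group ID 101, the queue size and the map, access-list, class and policy names are assumed for illustration. The ports 2427 and 2727 are the defaults stated above.

```cisco
! Added example (PIX 7.0 syntax, assumed): MGCP inspection with a map that
! pairs call agents with the gateways they control. Addresses are illustrative.
!
! Gateways 192.168.10.5 and 192.168.10.6 are controlled by call agents
! 192.168.20.5 and 192.168.20.6. All four share group 101, so a command
! from either agent is accepted for either gateway and nothing else.
mgcp-map mgcp_policy
 call-agent 192.168.20.5 101
 call-agent 192.168.20.6 101
 gateway 192.168.10.5 101
 gateway 192.168.10.6 101
 command-queue 150
!
! MGCP uses UDP 2427 (commands to the gateway) and UDP 2727 (commands to
! the call agent). Both directions are matched explicitly.
access-list mgcp_ports extended permit udp any any eq 2427
access-list mgcp_ports extended permit udp any any eq 2727
class-map voip_mgcp
 match access-list mgcp_ports
!
! Apply the engine with its map to that class in the global policy.
policy-map global_policy
 class voip_mgcp
  inspect mgcp mgcp_policy
!
service-policy global_policy global
```

Because NAT and PAT are not supported for MGCP on these versions, the gateway and call-agent addresses in the map must be the addresses that actually appear on the wire on the inspected interface; if address translation sits between them the media pinholes will be opened for the wrong endpoints.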
