Configuring An Mgcp Inspection Policy Map For Additional Inspection Control - Cisco PIX 500 Series Configuration Manual

MGCP Inspection
•
MGCP inspection does not support the use of different IP addresses for MGCP signaling and RTP data.
Note
A common and recommended practice is to send RTP data from a resilient IP address, such as a loopback
or virtual IP address; however, the security appliance requires the RTP data to come from the same
address as MGCP signalling.

Configuring an MGCP Inspection Policy Map for Additional Inspection Control

If the network has multiple call agents and gateways for which the security appliance has to open
pinholes, create an MGCP map. You can then apply the MGCP map when you enable MGCP inspection
according to the
To create an MGCP map, perform the following steps:
To create an MGCP inspection policy map, enter the following command:
Step 1
hostname(config)# policy-map type inspect mgcp map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
To configure parameters that affect the inspection engine, perform the following steps:
Step 3
a.
b.
Note
c.
Cisco Security Appliance Command Line Configuration Guide
25-56
The port on which the call agent receives commands from the gateway. Call agents usually listen to
UDP port 2727.
"Configuring Application Inspection" section on page 25-5
To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
To configure the call agents, enter the following command for each call agent:
hostname(config-pmap-p)# call-agent ip_address group_id
Use the call-agent command to specify a group of call agents that can manage one or more gateways.
The call agent group information is used to open connections for the call agents in the group (other
than the one a gateway sends a command to) so that any of the call agents can send the response.
call agents with the same group_id belong to the same group. A call agent may belong to more than
one group. The group_id option is a number from 0 to 4294967295. The ip_address option specifies
the IP address of the call agent.
MGCP call agents send AUEP messages to determine if MGCP end points are present. This
establishes a flow through the security appliance and allows MGCP end points to register with
the call agent.
To configure the gateways, enter the following command for each gateway:
hostname(config-pmap-p)# gateway ip_address group_id
Chapter 25 Configuring Application Layer Protocol Inspection
OL-12172-03