Supporting Cisco Ip Phones; Limitations For Sccp Inspection; Default Sccp Inspection - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 14
Inspection for Voice and Video Protocols
Supporting Cisco IP Phones
In topologies where Cisco CallManager is located on the higher security interface with respect to the
Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static
as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its
configuration. An static identity entry allows the Cisco CallManager on the higher security interface to
accept registrations from the Cisco IP Phones.
Cisco IP Phones require access to a TFTP server to download the configuration information they need
to connect to the Cisco CallManager server.
When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use
an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for
the TFTP server, this does not have to be an identity static entry. When using NAT, an identity static entry
maps to the same IP address. When using PAT, it maps to the same IP address and port.
When the Cisco IP Phones are on a higher security interface compared to the TFTP server and
Cisco CallManager, no ACL or static entry is required to allow the Cisco IP Phones to initiate the
connection.
Limitations for SCCP Inspection
SCCP inspection is tested and supported for Cisco Unified Communications Manager (CUCM) 7.0, 8.0,
8.6, and 10.5. It is not supported for CUCM 8.5, or 9.x. SCCP inspection might work with other releases
and products.
If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address
or port, registrations for external Cisco IP Phones fail because the ASA currently does not support NAT
or PAT for the file content transferred over TFTP. Although the ASA supports NAT of TFTP messages
and opens a pinhole for the TFTP file, the ASA cannot translate the Cisco CallManager IP address and
port embedded in the Cisco IP Phone configuration files that are transferred by TFTP during phone
registration.
The ASA supports stateful failover of SCCP calls except for calls that are in the middle of call setup.
Note
Default SCCP Inspection
SCCP inspection is enabled by default using these defaults:
•
•
•
•
•
•
Also note that inspection of encrypted traffic is not enabled. You must configure a TLS proxy to inspect
encrypted traffic.
Registration: Not enforced.
Maximum message ID: 0x181.
Minimum prefix length: 4
Media timeout: 00:05:00
Signaling timeout: 01:00:00.
RTP conformance: Not enforced.
Cisco ASA Series Firewall CLI Configuration Guide
Skinny (SCCP) Inspection
14-31
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
