
ASA 8.0.4/8.2.1 and CUBE Configuration to Allow Video Calls to Internet Based Video Endpoints


Document ID: 110942

Updated: Oct 14, 2009


Introduction

This document provides information on how to utilize the Adaptive Security Appliance (ASA) and the Cisco Unified Border Element (CUBE) to facilitate video calls to Internet based video endpoints.

Prerequisites

Requirements

There are no specific requirements for this document.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

This document addresses utilizing the ASA and the CUBE to facilitate video calls to Internet based video endpoints. Video calls are initiated from video endpoints hanging off the CUBE when the CUBE is deployed on the DMZ interface of the ASA.

Note: This addresses a configuration finding with respect to NAT on the ASA when CUBE is deployed on the DMZ. Testing showed that this situation does not impact networks where the CUBE is deployed on the inside interface of the ASA.

This is the generic network topology which should be referenced throughout this document:

[Figure: asa-cube-ibve-01.gif (generic network topology: Inside, DMZ with CUBE, Outside)]

When video devices on any interface other than the Inside interface initiate a video session outbound (through the Outside interface), a number of configuration caveats must be observed for the video session to function properly from those interfaces.

There is a condition in ASA 8.0.4 and 8.2.1 where the H.323 inspection engine uses the configured "Global PAT" address in the CS Setup packet field "sourceCallSignalAddress" when a video session is initiated from a "DMZ" interface while an overlapping static NAT is configured from the Inside interface to that DMZ interface. This condition does not affect video sessions initiated from the Inside to the Outside using a host Static NAT while the line below is in place.

Static (inside,DMZ) 172.20.0.0 172.20.0.0 netmask 255.255.0.0

To further illustrate this issue, the next screenshot shows that the IP address in the "sourceCallSignalAddress" field does not match the sender's IP address (the Static NAT configured for this device). Instead, the IP address is the configured Global PAT address.

This breaks a video session.

[Figure: asa-cube-ibve-02.gif (screenshot of the DMZ-initiated CS Setup packet referenced above)]

The static NAT translation statement for the device as configured is as follows:

static (dmz,outside) 192.168.143.152 172.20.220.20 netmask 255.255.255.255

Where 172.20.220.0/24 is the network utilized for the DMZ interface. This IP space overlaps with the following:

Static (inside,DMZ) 172.20.0.0 172.20.0.0 netmask 255.255.0.0

Overlapping Static NAT does not affect Inside video sessions.

[Figure: asa-cube-ibve-03.gif (screenshot of the Inside-initiated CS Setup packet referenced below)]

This screenshot shows a video session sourced from the Inside interface, with the same overlapping Static NAT translation in place that was present in the previous DMZ-originated example. The host Static NAT for the Inside device is:

static (dmz,outside) 192.168.143.152 172.20.15.20 netmask 255.255.255.255

As indicated in the above screenshot, the sourceCallSignalAddress matches the sender's IP address and is properly translated by the H.323 engine. The summarized overlapping Static NAT statement does not affect video sessions initiated and sourced from the Inside network interface.

Workaround

Properly initiating video sessions from a DMZ interface requires that the DMZ device's IP address either be completely different from the Inside network space (in this case, not part of the 172.20.0.0/16 address space), or be excluded from the static NAT translations from the Inside to the DMZ.

For example:

static (inside,dmz) 172.20.0.0 172.20.0.0 netmask 255.255.128.0
static (inside,dmz) 172.20.128.0 172.20.128.0 netmask 255.255.192.0
static (inside,dmz) 172.20.192.0 172.20.192.0 netmask 255.255.240.0
static (inside,dmz) 172.20.208.0 172.20.208.0 netmask 255.255.248.0
static (inside,dmz) 172.20.216.0 172.20.216.0 netmask 255.255.252.0
static (inside,dmz) 172.20.222.0 172.20.222.0 netmask 255.255.255.0
static (inside,dmz) 172.20.223.0 172.20.223.0 netmask 255.255.255.0
static (inside,dmz) 172.20.224.0 172.20.224.0 netmask 255.255.224.0

These static NAT statements comprise the entire 172.20.0.0/16 space with the exception of the 172.20.220.0/24 space.
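The following added example (not part of the Cisco document) checks a set of ASA static statements the way a reviewer would before deploying this workaround: it parses the static (inside,dmz) lines, confirms that the DMZ video endpoint's real address 172.20.220.20 is no longer covered by an Inside-to-DMZ static, and lists which parts of 172.20.0.0/16 the carved-up statics leave untranslated. The NAT lines are constructed copies of those shown above; the function names are this example's own.

```python
import ipaddress
import re

# Constructed copies of the page's NAT lines: the overlapping static from the
# Background section, and the eight workaround statics that replace it.
OVERLAPPING = "static (inside,DMZ) 172.20.0.0 172.20.0.0 netmask 255.255.0.0"
WORKAROUND = """
static (inside,dmz) 172.20.0.0 172.20.0.0 netmask 255.255.128.0
static (inside,dmz) 172.20.128.0 172.20.128.0 netmask 255.255.192.0
static (inside,dmz) 172.20.192.0 172.20.192.0 netmask 255.255.240.0
static (inside,dmz) 172.20.208.0 172.20.208.0 netmask 255.255.248.0
static (inside,dmz) 172.20.216.0 172.20.216.0 netmask 255.255.252.0
static (inside,dmz) 172.20.222.0 172.20.222.0 netmask 255.255.255.0
static (inside,dmz) 172.20.223.0 172.20.223.0 netmask 255.255.255.0
static (inside,dmz) 172.20.224.0 172.20.224.0 netmask 255.255.224.0
"""
DMZ_VIDEO_HOST = "172.20.220.20"  # real address of the DMZ endpoint on the page

# ASA syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^\s*static\s+\((\w+),(\w+)\)\s+([\d.]+)\s+([\d.]+)\s+netmask\s+([\d.]+)",
    re.IGNORECASE,
)

def inside_to_dmz_statics(config):
    """Real-side networks translated by static (inside,dmz) lines in `config`."""
    nets = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and (m[1].lower(), m[2].lower()) == ("inside", "dmz"):
            nets.append(ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
    return nets

def uncovered(space, nets):
    """Subnets of `space` that none of `nets` translates (sorted holes)."""
    holes = [ipaddress.ip_network(space)]
    for net in nets:
        kept = []
        for hole in holes:
            if net.subnet_of(hole):
                kept.extend(hole.address_exclude(net))  # carve the static out
            elif not hole.subnet_of(net):
                kept.append(hole)  # disjoint: keep; fully covered: drop
        holes = kept
    return sorted(holes)

def host_overlaps(host, nets):
    """True if an inside->dmz static still covers the DMZ endpoint's address."""
    return any(ipaddress.ip_address(host) in n for n in nets)
```

Run against the lines as listed, the overlap check goes from True (single /16 static) to False, and the hole report is 172.20.220.0/23, meaning 172.20.221.0/24 is left untranslated alongside 172.20.220.0/24; add a /24 static for 172.20.221.0 if Inside hosts in that range must remain reachable from the DMZ.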

It is essential, as part of any design that places a video proxy device such as the CUBE in a DMZ, that overlapping statics be taken into account.

Cisco development testing advises that this is not a bug or abnormal behavior; the configuration behaves this way by design.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
