Cisco IOS Firewall Support for TRP
First Published: October 13, 2008
Last Updated: October 2, 2009
To guarantee service and security, the deployment of voice services over IP networks requires special handling of secondary channels within the network. When Trust Relay Points (TRPs) are implemented in voice networks, the networks must account for the following caveats when handling the opening of secondary channels.
•Networks do not always see the signaling messages. (The signaling messages are most likely encrypted.)
•Networks that do see signaling messages cannot deep inspect the messages.
•Networks use other means to learn about the media channels that are being negotiated and opened.
Consequently, transparent entities, such as the Cisco IOS Firewall, that are operating on the networks, must process media channels differently.
This feature enables Cisco IOS Firewall to process Session Traversal Utilities for NAT (STUN). STUN messages open connections between ports for secondary channels, known as pinholes, which are necessary for implementation of TRPs in voice networks.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Firewall Support for TRP" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Firewall Support for TRP
•Restrictions for Firewall Support for TRP
•Information About Firewall Support for TRP
•How to Configure a Firewall to Support TRP in Voice Networks
•Configuration Examples for Firewall and TRP in a Voice Network
•Additional References
•Feature Information for Firewall Support for TRP
Prerequisites for Firewall Support for TRP
Before configuring STUN to open pinholes for data, ensure that the voice protocol control packets in your network are not blocked by the Cisco IOS Firewall.
Restrictions for Firewall Support for TRP
•You must configure different agent IDs under a single parameter map. If different agent IDs are configured under two different parameter maps and then the STUN inspection of the two parameter maps are out in the same policy map (per the sample configuration below), the firewall will drop the packet. For example, if you are sending a packet with agent ID 21, the firewall will check the first class map called "stun-ice" and then drop the packet because it did not find a match in that class map.
parameter-map type protocol-info stun-ice cfd1
authorization agent-id 20 shared-secret 12345flower12345 cat-window 15
authorization agent-id 22 shared-secret 12345cisco54321 cat-window 15
parameter-map type protocol-info stun-ice cfd2
authorization agent-id 21 shared-secret 12345flower54321 cat-window 15
class-map type inspect match-all stun-ice
match protocol stun-ice cfd1
class-map type inspect match-any stun-ice1
match protocol stun-ice cfd2
!
policy-map type inspect policy_test
class type inspect class_1
pass
class type inspect sip_ctrl_channel
inspect
class type inspect stun-ice
inspect
class type inspect stun-ice1
inspect
class class-default
drop
Information About Firewall Support for TRP
•Cisco IOS Firewall
•How Cisco IOS Firewall Supports TRP in a Voice Network
•How Cisco IOS Firewall Supports Partial SIP Inspection
•TRP Messages
Cisco IOS Firewall
The Cisco IOS Firewall extends the concept of static access control lists (ACLs) by introducing dynamic ACL entries that open on the basis of the necessary application ports on a specific application and close these ports at the end of the application session. The Cisco IOS Firewall achieves this functionality by inspecting the application data, checking for conformance of the application protocol, extracting the relevant port information to create the dynamic ACL entries, and closing these ports at the end of the session. The Cisco IOS Firewall is designed to easily allow a new application inspection whenever support is needed.
How Cisco IOS Firewall Supports TRP in a Voice Network
The following information describes the deployment scenarios supported by the Cisco IOS Firewall with TRP present in a voice network:
•For the Cisco IOS Firewall that is running on a Cisco router without TRP, STUN packets are processed as regular passthrough packets. To open a pinhole for secondary channels, the firewall must be able to recognize the STUN packets.
•For the Cisco IOS Firewall that is running on a Cisco router with TRP (Branch Office A in Figure 1), the firewall will intercept and act on the STUN packets that are sent from the TRP on its WAN side. Cisco IOS firewall validates the Cisco Proprietary Cisco Flow-Data information on the STUN packet and opens the data-channel pinholes for voice traffic. The Cisco Flow-Data has information to authenticate that the message is from a valid TRP device.
•The phones do not yet support STUN. If the firewall has to open pinholes between phones, TRP should send one-sided STUN messages addressed to each phone so the firewall can see the messages and open the pinholes. Without the support of STUN messages from TRP, the firewall would not be able to open the necessary pinholes for the phones to communicate.
Figure 1 Architecture for Cisco IOS Firewall in a TRP Network Solution
How Cisco IOS Firewall Supports Partial SIP Inspection
Cisco IOS Firewall TRP support enables Cisco IOS Firewall to process UDP STUN messages that open pinholes for secondary channels, which are necessary for implementation of TRPs in voice networks.
Previous implementations of Cisco IOS Firewall, SIP clients could negotiate with the server to dynamically open control channels on a port, which could not be supported using the access-group class map. In addition, SIP traffic was sent through the firewall without any protocol conformance checks.
To overcome these issues, Cisco IOS Firewall supports partial SIP inspection. This allows the SIP Application-level Gateway (ALG) to parse the entire SIP message, including the Session Description Protocol (SDP) part to check for protocol conformance, but does not allows SIP ALG to open pinholes for media information found in the SDP message. The STUN ALG is allowed to open the pinholes in the firewall.
Because partial SIP inspection decouples the media channel from the SIP control channel, SIP ALG can no longer depend on media channel inactivity to timeout the control sessions. Therefore, the SIP ALG implementation in this environment depends on the UDP timeout configured on the router. Because the default setting is low (30 seconds), you must set the UDP timeout value to a value slightly longer than the SIP call duration, when configuring the system.
Note In Cisco IOS Release 12.4(22)T, if you need to allow SIP control traffic, you must configure the match access-group filter. This filter allows SIP traffic to pass through the firewall without the protocol conformance check (Deep Packet Inspection).
TRP Messages
TRP uses the following message types to control how the Cisco IOS Firewall manages sessions:
•Keep-Alive messages
To keep the Cisco IOS Firewall media sessions active the TRP generates authenticated keep-alive messages which must be validated to keep the session open. The keep-alive messages are valid only for a configured length of time, which is configured on the call-control entity (CCE). The Cisco IOS Firewall must receive a new message within the configured time, otherwise it closes the pinhole. The keep-alive message has the Cryptographic Authentication Token (CAT) obtained from the CCE which must be validated by the Cisco IOS Firewall before the keep-alive message is accepted.
•Periodic Open messages
The CAT (obtained from the CCE) is valid only for the CAT-life seconds setting configured on the CCE. After that time TRP gets a new CAT and sends a new message with the new CAT. This periodic open message specifies the keys that the Cisco IOS Firewall uses to authenticate the keep-alive messages until the next new CAT is obtained. Therefore, if the Cisco IOS Firewall does not receive a new CAT with the time specified by the CAT-life seconds, the media session closes as it cannot authenticate any keep-alive messages.
•Close pinhole message
If the Cisco IOS Firewall receives a STUN message from TRP that indicates that a session should be active for 0 seconds (Seconds-Active = 0), it first validates the packet, then generates a syslog message and then allows the message to pass through the Cisco IOS Firewall so that other firewalls on the path can also see the message and close their session, finally it closes the session.
•STUN messages from a remote party
When TRP is configured on both the caller and the called side, the Cisco IOS Firewall receives 2 STUN messages for the same session. The Cisco IOS Firewall does not validate STUN messages from the remote party, instead it drops the packets and generates a syslog message.
How to Configure a Firewall to Support TRP in Voice Networks
•Configuring a Policy to Allow STUN Messages
•Configuring Maps to Allow Partial SIP Inspection
•Configuring a Parameter Map for TRP Support
Configuring a Policy to Allow STUN Messages
Perform this task to configure a policy to allow STUN messages.
Prerequisites
If the firewall is configured on the same device as the TRP, the STUN policy needs to be applied on the zone-pair between self and out zones.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect [match any | match all] class-map-name
4. match protocol stun-ice stun-ice-parameter-map
5. exit
6. class-map type inspect [match any | match all] class-map-name
7. match access-group {access-group | name access-group-name}
8. match protocol stun-ice stun-ice-parameter-map
9. exit
10. policy-map type inspect policy-map-name
11. class type inspect class-name
12. inspect
13. exit
14. class type inspect class-name
15. inspect
16. exit
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
class-map type inspect [match any | match all] class-map-name
Router(config)# class-map type inspect stun-traffic |
Creates an inspect type class map and enters class-map configuration mode. |
Step 4 |
match protocol stun-ice stun-ice-parameter-map
Router(config-cmap)# match protocol stun-ice cfd1 |
Configures the match criteria for a class map on the basis of a specified protocol. |
Step 5 |
exit
Router(config-cmap)# exit |
Exits class-map configuration mode. |
Step 6 |
class-map type inspect [match any | match all] class-map-name
Router(config)# class-map type inspect voice-control-traffic |
Creates an inspect type class map and enters class-map configuration mode. |
Step 7 |
match access-group {access-group | name access-group-name}
Router(config-cmap)# match access-group 101 |
Configures the match criteria for a class map based on the ACL name or number. |
Step 8 |
match protocol stun-ice stun-ice-parameter-map
Router(config-cmap)# match protocol stun-ice cfd2 |
Configures the match criteria for a class map on the basis of a specified protocol. |
Step 9 |
exit
Router(config-cmap)# exit |
Exits class-map configuration mode. |
Step 10 |
policy-map type inspect policy-map-name
Router(config)# policy-map type inspect voice-traffic |
Creates an inspect type policy map and enters policy map configuration mode. |
Step 11 |
class type inspect class-name
Router(config-pmap)# class type inspect voice-control-traffic |
Specifies the traffic (class) on which an action is to be performed. |
Step 12 |
inspect
Router(config-pmap-c)# inspect |
Enables Cisco IOS stateful packet inspection. |
Step 13 |
exit
Router(config-pmap-c)# exit |
Exits policy map class configuration mode. |
Step 14 |
class type inspect class-name
Router(config-pmap)# class type inspect stun-traffic |
Specifies the traffic (class) on which an action is to be performed. |
Step 15 |
inspect
Router(config-pmap-c)# inspect |
Enables Cisco IOS stateful packet inspection. |
Step 16 |
exit
Router(config-pmap-c)# exit Router(config-pmap)# exit |
Exits policy map class and policy map configuration mode. |
Configuring Maps to Allow Partial SIP Inspection
Perform this task to define a parameter map that does not create or open a media channel when the parameter map is attached to the SIP class map.
Prerequisites
Because partial SIP inspection decouples the media channel from the SIP control channel, SIP ALG can no longer depend on media channel inactivity to timeout the control sessions. Therefore, the SIP ALG implementation in this environment depends on the UDP timeout configured on the router. Because the default setting is low (30 seconds), you must set the UDP timeout value to a value slightly longer than the SIP call duration, when configuring the system.
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type protocol-info sip parameter-map-name
4. disable open-media-channel
5. exit
6. class-map type inspect class-map-name
7. match protocol sip parameter-map-name
8. exit
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
parameter-map type protocol-info sip parameter-map-name
Router(config)# parameter-map type protocol-info sip pmap-sip |
Defines a SIP-protocol-info parameter map and enters parameter map type configuration mode. |
Step 4 |
disable open-media-channel
Router(config-profile)# disable open-media-channel |
Prevents the creation of a media channel when this parameter map is attached to the SIP class map. |
Step 5 |
exit
Router(config-profile)# exit |
Exits parameter map type configuration mode. |
Step 6 |
class-map type inspect class-map-name
Router(config)# class-map type inspect cmap-sip-traffic |
Creates an inspect type class map and enters class-map configuration mode. |
Step 7 |
match protocol sip parameter-map-name
Router(config-cmap)# match protocol sip pmap-sip |
Configures the match criteria for a class map on the basis of a specified protocol. |
Step 8 |
exit
Router(config-cmap)# exit |
Exits class-map configuration mode. |
Configuring a Parameter Map for TRP Support
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type protocol-info stun-ice parameter-map-name
4. authorization agent-id shared-secret password cat-window number
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
parameter-map type protocol-info stun-ice parameter-map-name
Router(config)# parameter-map type protocol-info stun-ice abc1 |
Defines an application-specific parameter map and enters parameter map type configuration mode. |
Step 4 |
authorization agent-id shared-secret password cat-window number
Router(config-profile)# authorization agent-id 20 shared-secret 12345flower12345 cat-window 15 |
Configures the credentials of more than one authorization agent in the same parameter map and associates the same credentials with the filter that was set up via the match protocol stun-ice command. |
Configuration Examples for Firewall and TRP in a Voice Network
•Example: Cisco IOS Firewall Support of STUN Messages in Voice Network Configuration
Example: Cisco IOS Firewall Support of STUN Messages in Voice Network Configuration
The following example shows how to configure a Cisco IOS Firewall policy to support STUN messages:
parameter-map type protocol-info stun-ice abc1
authorization agent-id 10 password letmein CAT-window 3
class-map type inspect stun-traffic
match protocol stun-ice abc1
class-map type inspect voice-control-traffic
policy-map type inspect voice-traffic
class type inspect voice-control-traffic
class type inspect stun-traffic
access-list 101 permit ip 10.0.0.0 255.255.255.255 2.2.2.2 255.255.255.255
! Allow SIP control packets to ensure the Cisco IOS firewall does not open secondary
! channels for media.
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
class-map type inspect voice-control-traffic
policy-map type inspect policy_test
class type inspect voice-control-traffic
inspect
Additional References
The following sections provide references related to the Cisco IOS Firewall Support for TRP feature.
Related Documents
Standards
MIBs
|
|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
Technical Assistance
|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
http://www.cisco.com/cisco/web/support/index.html |
Feature Information for Firewall Support for TRP
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Firewall Support for TRP
|
|
|
Cisco IOS Firewall Support for TRP—Phase 1 |
12.4(11)T |
This feature enables Cisco IOS Firewall to process STUN messages. STUN messages open pinholes for secondary channels, which are necessary for implementation of TRPs in voice networks. The following commands were introduced or modified: authorization agent-id, match protocol, parameter-map type. |
Cisco IOS Firewall Support for TRP—Phase 2 |
15.0(1)M |
This feature enables Cisco IOS Firewall to perform partial SIP inspection and modifies some processes that were introduced in Phase 1. The following commands were introduced or modified: parameter-map type protocol-info, disable open-media-channel. |
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2008-2009 Cisco Systems, Inc. All rights reserved.