-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Firewall Support of Skinny Client Control Protocol (SCCP)
Prerequisites for Firewall Support of Skinny Client Control Protocol (SCCP)
Restrictions for Firewall Support of Skinny Client Control Protocol (SCCP)
Information About Firewall Support of Skinny Client Control Protocol (SCCP)
Context-Based Access Control Overview
CBAC and Skinny Functionality Overview
How to Configure Your Firewall for Skinny Support
Configuring Basic Skinny CBAC Inspection
Setting Skinny CBAC Session Timeouts
Configuring Port to Application Mapping
Verifying Cisco IOS Firewall for Skinny Support
Monitoring Cisco IOS Firewall for Skinny Support
Configuration Examples for Firewall Skinny Support
Firewall and Skinny Configuration Example
Firewall Support of Skinny Client Control Protocol (SCCP)
The Firewall Support of Skinny Client Control Protocol (SCCP) feature enables Context-Based Access Control (CBAC) inspection to support the Voice over IP (VoIP) protocol, Skinny Client Control Protocol (SCCP). That is, CBAC inspects Skinny control packets that are exchanged between a Skinny client and the Call Manager (CM); CBAC then configures the router (also known as the Cisco IOS Firewall) to enable the Skinny data channels to traverse through the router.
Feature Specifications for the Firewall Support of Skinny Client Control Protocol (SCCP) Feature
12.3(1)
This feature was introduced.
For platforms supported in Cisco IOS Release 12.3(1), consult Cisco Feature Navigator.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Firewall Support of Skinny Client Control Protocol (SCCP)
•
•
•
•
Prerequisites for Firewall Support of Skinny Client Control Protocol (SCCP)
The Skinny inspection module is part of the inspection subsystem; thus, your router must be running an image that has firewall support.
Restrictions for Firewall Support of Skinny Client Control Protocol (SCCP)
This feature has the following restrictions:
•
•
•
This feature does not support the following Skinny and firewall configurations:
•
•
Information About Firewall Support of Skinny Client Control Protocol (SCCP)
To configure the Firewall Support of SCCP feature, you must understand the following concepts:
•
•
Context-Based Access Control Overview
CBAC extends the concept of static access control lists (ACLs) by introducing dynamic ACL entries that open the necessary application ports on the basis of a specific application and close these ports at the end of the application session. CBAC achieves this functionality by inspecting the application data, checking for conformance of the application protocol, extracting the relevant port information to create the dynamic ACL entries, and closing these ports at the end of the session. CBAC is designed to easily allow a new application inspection whenever support is needed.
Skinny Overview
Skinny enables voice communication between two Skinny clients through the use of a CM. Typically, the CM provides service to the Skinny clients on TCP Port 2000. Initially, a Skinny client connects to the CM by establishing a TCP connection; the client will also establish a TCP connection with a secondary CM, if available. After the TCP connection is established, the client will register with the primary CM, which will be used as the controlling CM until it reboots or there is a keepalive failure. Thus, the Skinny TCP connection between the client and the CM exists forever and is used to establish calls coming to or from the client. If a TCP connection failure is detected, the secondary CM is used. All data channels established with the previous CM remain active and will be closed after the end parties hang up the call.
Table 1 lists the set of messages that are necessary for the data sessions to open and close. Skinny inspection will examine the data sessions that are deemed for opening and closing the access list pin holes.
CBAC and Skinny Functionality Overview
Figure 1 depicts typical deployment solutions that are supported by CBAC inspection for Skinny. According to Figure 1, a firewall with Skinny inspection can be configured on Cisco IOS Router A, Cisco IOS Router B, or both routers, thereby addressing the following three scenarios:
•
•
•
Figure 1 CBAC Inspection for Skinny Sample Topology
How to Configure Your Firewall for Skinny Support
To configure a Cisco IOS Firewall for SCCP support, perform the following tasks:
•
•
•
•
•
Configuring Basic Skinny CBAC Inspection
Perform the following required steps to configure a basic Skinny CBAC configuration:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Setting Skinny CBAC Session Timeouts
Session timeouts are triggered when traffic is not seen on a particular session for a configured amount of time. (This value is configured via the ip inspect name command.) After the inactivity timeout is triggered, the firewall will clean up the session and deallocate all of the session data.
You must set the inactivity timeout value for Skinny to a greater value than the keepalive timeout value that is configured between the CM and Skinny clients. Otherwise, the Skinny connection may become inaccessible for inspection because the firewall might delete the session-related information due to inactivity.
After the inactivity timeout is triggered, the inspection module will send reset (RST packets) to both ends of the connection. Any data channels that are associated with the control channel will not be closed. After both end parties hang up, there will not be any traffic on the data channels and the connection will eventually timeout.
Note
Configuring Port to Application Mapping
By default, the Skinny inspection will inspect SCCP messages to or from the CM on TCP port 2000. If you prefer to configure the CM to use a different port, the port to application mapping (PAM) feature should be used to specify the desired port to the Cisco IOS firewall. Thus, the firewall will inspect the SCCP messages in the desired port and in port 2000. To configure the CM to use a different port via PAM, use the ip port-map command.
Prerequisites
Before you can configure PAM, you must first configure the steps in the section, "Configuring Basic Skinny CBAC Inspection."
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Verifying Cisco IOS Firewall for Skinny Support
To display active Skinny session information, perform the following optional steps:
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Monitoring Cisco IOS Firewall for Skinny Support
Note
To monitor debugging messages related to Skinny inspection, perform the following optional steps:
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for Firewall Skinny Support
This section provides the following configuration example:
•
Firewall and Skinny Configuration Example
Figure 2 Skinny and CBAC Configuration
The following is an example of how to configure a Cisco IOS firewall for Skinny support and includes PAM (see Figure 2):
! Define the name of the router as "CBAC-Firewall."!host CBAC-Firewall!! Create a DHCP server process to offer out 10.1.1.x addresses on the! inside network. Option 150 is used by Cisco IP phones as where to! look for their configuration file. A default router is required so that all! the IP phones can talk to networks other than just to the local 10.1.1.x.!ip dhcp pool localnetworknetwork 10.1.1.0 255.255.255.0option 150 ip 192.168.1.100default-router 10.1.1.1!! Prevent the DHCP server process from assigning 10.1.1.1 -.9 as an IP! address on the local network. This is done to hold the addresses .2 - .9 as static-! defined addresses.!ip dhcp excluded-address 10.1.1.1 10.1.1.9!! Define firewall rules to all Skinny traffic in/out along with TFTP! services.!ip inspect name fwout tftpip inspect name fwout skinny!! Prevent any traffic from coming in.!access-list 100 deny ip any any!interface ethernet 1ip access-group 100 inip inspect firewall outIf the CallManager is requiring Skinny registration to happen on port tcp/2100, you will still need the above configuration plus the following additional step.ip port map skinny port 2100Additional References
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
