Cisco IOS Firewall Support for TRP—Phase 1
First Published: October 13, 2008
Last Updated: October 13, 2008

To guarantee service and security, deployment of voice services over IP networks requires special handling of secondary channels within the network. When Trust Relay Points (TRPs) are implemented in voice networks, the networks must account for the following caveats when handling the opening of secondary channels:
• Networks do not always see the signaling messages. (The signaling messages are most likely encrypted.)
• Networks that do see signaling messages cannot deep inspect the messages.
• Networks use other means to learn about the media channels that are being negotiated and opened.
Consequently, transparent entities, such as the Cisco IOS Firewall, that are operating on the networks, must process media channels differently.
This feature enables the Cisco IOS Firewall to process Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators (STUN) messages. STUN messages open pinholes for secondary channels, which are necessary for the implementation of TRPs in voice networks.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Firewall Support for TRP" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Firewall Support for TRP
• Restrictions for Firewall Support for TRP
• Information About Firewall Support for TRP
• How to Configure a Firewall to Support TRP in Voice Networks
• Configuration Examples for Firewall and TRP in a Voice Network
• Feature Information for Firewall Support for TRP
Prerequisites for Firewall Support for TRP
Before configuring STUN to open pinholes for data, ensure that the voice protocol control packets in your network are not blocked by the Cisco IOS firewall.
Restrictions for Firewall Support for TRP
• Sessions opened by the firewall for STUN messages are expected to time out. (They cannot be manually closed.) The device that requested the open pinholes sends keepalive messages every 15 seconds. If the device intends to close the pinhole, it stops sending keepalive messages. If the firewall does not receive two consecutive keepalive messages, it closes the session. In the current implementation, the firewall is completely dependent on the keepalives to close the session.
• Currently, users need to configure different agent-IDs under a single parameter-map. If different agent-IDs are configured under two different parameter-maps and the STUN inspection for both parameter-maps is placed in the same policy-map (as in the sample configuration below), the firewall drops the packet. For example, if you send a packet with agent-id 21, the firewall checks the first class-map, called "stun-ice", and then drops the packet because it did not find a match in that class-map.

parameter-map type protocol-info stun-ice cfd1
 authorization agent-id 20 shared-secret 12345flower12345 cat-window 15
 authorization agent-id 22 shared-secret 12345cisco54321 cat-window 15
parameter-map type protocol-info stun-ice cfd2
 authorization agent-id 21 shared-secret 12345flower54321 cat-window 15
!
class-map type inspect match-all stun-ice
 match protocol stun-ice cfd1
class-map type inspect match-any stun-ice1
 match protocol stun-ice cfd2
!
policy-map type inspect policy_test
 class type inspect class_1
  pass
 class type inspect sip_ctrl_channel
  inspect
 class type inspect stun-ice
  inspect
 class type inspect stun-ice1
  inspect
 class class-default
  drop

Information About Firewall Support for TRP
• How Cisco IOS Firewall Supports TRP in a Voice Network
Cisco IOS Firewall
The Cisco IOS firewall extends the concept of static access control lists (ACLs) with dynamic ACL entries: it opens the ports a specific application session needs and closes them when the session ends. It achieves this by inspecting the application data, checking that the traffic conforms to the application protocol, extracting the relevant port information to create the dynamic ACL entries, and closing those ports at the end of the session. The Cisco IOS firewall is designed so that inspection of a new application can be added easily whenever support is needed.
How Cisco IOS Firewall Supports TRP in a Voice Network
The following information describes the deployment scenarios supported by the Cisco IOS Firewall with and without TRP present in a voice network:
• For the Cisco IOS firewall running on a Cisco router without TRP, STUN packets are processed as regular passthrough packets. To open a pinhole for secondary channels, the firewall must be able to recognize the STUN packets.
• For the Cisco IOS firewall running on a Cisco router with TRP (see Figure 1), the firewall intercepts and acts on the STUN packets that are sent from the TRP on its trunk side. The Cisco IOS firewall validates the Cisco-proprietary Flow-Data information in the STUN packet and opens the data-channel pinholes for voice traffic. The Flow-Data carries the information needed to authenticate that the message is from a valid TRP device.
• The phone does not yet support STUN. If the firewall has to open pinholes between phones, the TRP should send one-sided STUN messages addressed to each phone so that the firewall can see the messages and open the pinholes. Without STUN messages from the TRP, the firewall would not be able to open the pinholes the phones need to communicate.
Figure 1 Architecture for Cisco IOS Firewall in a TRP Network Solution
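The two behaviours described above and in the Restrictions section (the firewall opens a pinhole only for a STUN message whose Flow-Data authenticates as coming from an authorized TRP agent-id, and it closes that pinhole only when two consecutive 15-second keepalives are missed) are easy to reason about with a small model. The following Python is an added illustration, not Cisco IOS code and not Cisco's Flow-Data format: it assumes a simplified authenticator (HMAC-SHA256 over the flow 4-tuple under the parameter-map's shared secret) in place of the proprietary Flow-Data, ignores cat-window, and uses constructed flows and timestamps.

```python
import hmac
import hashlib
from dataclasses import dataclass

KEEPALIVE_INTERVAL = 15          # seconds between TRP keepalives (from the document)
MISSED_KEEPALIVES_TO_CLOSE = 2   # firewall closes the pinhole after two consecutive misses

# Constructed parameter-map: agent-id -> shared secret, mirroring
# "authorization agent-id 20 shared-secret 12345flower12345 cat-window 15".
# cat-window is not modelled here.
PARAMETER_MAP = {
    20: b"12345flower12345",
    22: b"12345cisco54321",
}

Flow = tuple  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class StunOpen:
    """Constructed stand-in for a TRP STUN message carrying Flow-Data."""
    agent_id: int
    flow: Flow
    tag: bytes      # authenticator over the flow; assumed HMAC-SHA256, not Cisco's real format
    time: float


@dataclass
class Keepalive:
    flow: Flow
    time: float


@dataclass
class Pinhole:
    flow: Flow
    opened_at: float
    last_keepalive: float


def make_tag(secret: bytes, flow: Flow) -> bytes:
    """Authenticator a TRP would compute with its shared secret (assumed construction)."""
    return hmac.new(secret, ":".join(map(str, flow)).encode(), hashlib.sha256).digest()


class StunPinholeTable:
    """Simplified model of the firewall's STUN-opened secondary-channel sessions."""

    def __init__(self, parameter_map):
        self.secrets = parameter_map
        self.pinholes = {}
        self.log = []

    def _expire(self, now: float) -> None:
        # The only way a session closes: no keepalive for two intervals.
        limit = KEEPALIVE_INTERVAL * MISSED_KEEPALIVES_TO_CLOSE
        for flow, ph in list(self.pinholes.items()):
            idle = now - ph.last_keepalive
            if idle > limit:
                del self.pinholes[flow]
                self.log.append(f"{now:.0f}s close {flow}: no keepalive for {idle:.0f}s")

    def handle(self, msg) -> bool:
        """Return True if the message was accepted (pinhole opened or refreshed)."""
        self._expire(msg.time)
        if isinstance(msg, StunOpen):
            secret = self.secrets.get(msg.agent_id)
            if secret is None:
                self.log.append(f"{msg.time:.0f}s drop {msg.flow}: agent-id {msg.agent_id} not authorized")
                return False
            if not hmac.compare_digest(make_tag(secret, msg.flow), msg.tag):
                self.log.append(f"{msg.time:.0f}s drop {msg.flow}: authenticator mismatch")
                return False
            self.pinholes[msg.flow] = Pinhole(msg.flow, msg.time, msg.time)
            self.log.append(f"{msg.time:.0f}s open {msg.flow} for agent-id {msg.agent_id}")
            return True
        if isinstance(msg, Keepalive) and msg.flow in self.pinholes:
            self.pinholes[msg.flow].last_keepalive = msg.time
            return True
        return False

    def is_open(self, flow: Flow, now: float) -> bool:
        self._expire(now)
        return flow in self.pinholes


def run_scenario() -> dict:
    """Constructed timeline: one valid open, two rejected opens, keepalives that stop."""
    fw = StunPinholeTable(PARAMETER_MAP)
    media = ("10.0.0.5", 20000, "10.0.1.7", 30000)
    other = ("10.0.0.6", 20002, "10.0.1.8", 30002)
    out = {}
    out["open_agent20"] = fw.handle(StunOpen(20, media, make_tag(PARAMETER_MAP[20], media), 0.0))
    # agent-id 21 is not in the parameter-map: dropped even with a well-formed tag
    out["open_agent21"] = fw.handle(StunOpen(21, other, make_tag(b"12345flower54321", other), 0.0))
    # agent-id 22 is authorized, but the tag was made with the wrong secret
    out["open_agent22_wrong_secret"] = fw.handle(StunOpen(22, other, make_tag(PARAMETER_MAP[20], other), 0.0))
    for t in (15.0, 30.0):               # keepalives arrive on schedule, then stop
        fw.handle(Keepalive(media, t))
    out["open_at_45"] = fw.is_open(media, 45.0)   # one keepalive missed: still open
    out["open_at_60"] = fw.is_open(media, 60.0)   # boundary of the second miss: still open
    out["open_at_61"] = fw.is_open(media, 61.0)   # two consecutive misses: closed
    out["log"] = list(fw.log)
    return out


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

The point of the timeline is the operational consequence of the restriction: nothing in the model (or, per the document, in the firewall) closes the pinhole on request, so a TRP that keeps sending keepalives keeps the media channel open indefinitely, and monitoring for unexpectedly long-lived STUN sessions is the only way to notice it.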
How to Configure a Firewall to Support TRP in Voice Networks
• Configuring a Policy to Allow STUN Messages
• Configuring a Parameter Map for TRP Support
Configuring a Policy to Allow STUN Messages
Prerequisites
If the firewall is configured on the same device as the TRP, the STUN policy needs to be applied on the zone-pair between self and out zones.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect [match any | match all] class-map-name
4. match protocol protocol-name stun-ice-parameter-map
5. exit
6. class-map type inspect [match any | match all] class-map-name
7. match access-group {access-group | name access-group-name}
8. match protocol protocol-name stun-ice-parameter-map
9. exit
10. policy-map type inspect policy-map-name
11. class type inspect class-name
12. inspect
13. exit
14. class type inspect class-name
15. inspect
16. exit
DETAILED STEPS
Configuring a Parameter Map for TRP Support
SUMMARY STEPS
1. enable
2. configure terminal
3. parameter-map type inspect stun-ice parameter-map-name
4. authorization agent-id shared-secret password cat-window number
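The Restrictions section warns that agent-IDs split across two stun-ice parameter-maps that are both inspected by one policy-map leave the later agent-IDs unreachable, because the first stun-ice class-map is checked and the packet is dropped there. That is a condition worth checking in a configuration review before a change is pushed. The following Python is an added example, not a Cisco tool: it parses an IOS-style configuration excerpt (constructed here from the document's own sample) just far enough to tie policy-map classes to class-maps and class-maps to stun-ice parameter-maps, and reports which agent-IDs would be shadowed. The parsing is deliberately minimal and only understands the statements shown.

```python
import re

# Constructed excerpt reproducing the restricted layout from the Restrictions section.
SAMPLE_CONFIG = """\
parameter-map type protocol-info stun-ice cfd1
 authorization agent-id 20 shared-secret 12345flower12345 cat-window 15
 authorization agent-id 22 shared-secret 12345cisco54321 cat-window 15
parameter-map type protocol-info stun-ice cfd2
 authorization agent-id 21 shared-secret 12345flower54321 cat-window 15
!
class-map type inspect match-all stun-ice
 match protocol stun-ice cfd1
class-map type inspect match-any stun-ice1
 match protocol stun-ice cfd2
!
policy-map type inspect policy_test
 class type inspect sip_ctrl_channel
  inspect
 class type inspect stun-ice
  inspect
 class type inspect stun-ice1
  inspect
 class class-default
  drop
"""

# Constructed corrected layout: all agent-IDs under a single parameter-map.
FIXED_CONFIG = """\
parameter-map type protocol-info stun-ice cfd1
 authorization agent-id 20 shared-secret 12345flower12345 cat-window 15
 authorization agent-id 21 shared-secret 12345flower54321 cat-window 15
 authorization agent-id 22 shared-secret 12345cisco54321 cat-window 15
!
class-map type inspect match-all stun-ice
 match protocol stun-ice cfd1
!
policy-map type inspect policy_test
 class type inspect sip_ctrl_channel
  inspect
 class type inspect stun-ice
  inspect
 class class-default
  drop
"""


def parse_config(text):
    """Return (stun_pmaps, class_maps, policy_maps) from an IOS-style excerpt.

    stun_pmaps:  parameter-map name -> [agent-id, ...]
    class_maps:  class-map name     -> [stun-ice parameter-map name, ...]
    policy_maps: policy-map name    -> [class-map name, ...] in policy order
    """
    stun_pmaps, class_maps, policy_maps = {}, {}, {}
    current = None  # (kind, name) of the block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level statement starts a block
            current = None
            m = re.match(r"parameter-map type (?:protocol-info|inspect) stun-ice (\S+)", line)
            if m:
                current = ("pmap", m.group(1))
                stun_pmaps.setdefault(m.group(1), [])
                continue
            m = re.match(r"class-map type inspect (?:match-(?:all|any) )?(\S+)", line)
            if m:
                current = ("cmap", m.group(1))
                class_maps.setdefault(m.group(1), [])
                continue
            m = re.match(r"policy-map type inspect (\S+)", line)
            if m:
                current = ("policy", m.group(1))
                policy_maps.setdefault(m.group(1), [])
            continue
        if current is None:
            continue
        kind, name = current
        body = line.strip()
        if kind == "pmap":
            m = re.match(r"authorization agent-id (\d+)", body)
            if m:
                stun_pmaps[name].append(int(m.group(1)))
        elif kind == "cmap":
            m = re.match(r"match protocol stun-ice (\S+)", body)
            if m:
                class_maps[name].append(m.group(1))
        elif kind == "policy":
            m = re.match(r"class type inspect (\S+)", body)
            if m:
                policy_maps[name].append(m.group(1))
    return stun_pmaps, class_maps, policy_maps


def lint(text):
    """Flag policy-maps that inspect more than one stun-ice parameter-map."""
    stun_pmaps, class_maps, policy_maps = parse_config(text)
    findings = []
    for policy, classes in policy_maps.items():
        seen = []   # stun-ice parameter-maps in the order the policy-map checks them
        for cls in classes:
            for pm in class_maps.get(cls, []):
                if pm not in seen:
                    seen.append(pm)
        if len(seen) > 1:
            # Only the first parameter-map's agent-IDs can match; the rest are dropped.
            shadowed = sorted(a for pm in seen[1:] for a in stun_pmaps.get(pm, []))
            merged = sorted({a for pm in seen for a in stun_pmaps.get(pm, [])})
            findings.append({"policy_map": policy, "parameter_maps": seen,
                             "shadowed_agent_ids": shadowed, "merged_agent_ids": merged})
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"policy-map {f['policy_map']} inspects stun-ice parameter-maps {f['parameter_maps']}; "
              f"agent-ids {f['shadowed_agent_ids']} would be dropped; "
              f"move agent-ids {f['merged_agent_ids']} under one parameter-map")
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Running the check over SAMPLE_CONFIG reports agent-id 21 as shadowed behind cfd1 and suggests the merged set 20, 21, 22; FIXED_CONFIG, which keeps every agent-id under cfd1, produces no findings.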
DETAILED STEPS
Configuration Examples for Firewall and TRP in a Voice Network
• Cisco IOS Firewall Support of STUN Messages in Voice Network Configuration: Example
Cisco IOS Firewall Support of STUN Messages in Voice Network Configuration: Example
The following example shows how to configure a Cisco IOS firewall policy to support STUN messages:
parameter-map type protocol-info stun-ice abc1
 authorization agent-id 10 password letmein CAT-window 3
class-map type inspect stun-traffic
 match protocol stun-ice abc1
class-map type inspect voice-control-traffic
 match access-group 101
 match protocol udp
policy-map type inspect voice-traffic
 class type inspect voice-control-traffic
  inspect
 class type inspect stun-traffic
  inspect
access-list 101 permit ip 10.0.0.0 255.255.255.255 2.2.2.2 255.255.255.255
! Allow SIP control packets to ensure the Cisco IOS firewall does not open secondary
! channels for media.
!
access-list 101 permit tcp any any eq 5060
access-list 101 permit udp any any eq 5060
!
class-map type inspect voice-control-traffic
 match access-group 101
!
policy-map type inspect policy_test
 class type inspect voice-control-traffic
  inspect

Additional References
Feature Information for Firewall Support for TRP
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.