38-37
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 38 Configuring Inspection for Voice and Video Protocols
Skinny (SCCP) Inspection
Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP
inspection without any special configuration. The adaptive security appliance also supports DHCP
options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones
and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets
the default route.
Note The adaptive security appliance supports inspection of traffic from Cisco IP Phones running SCCP
protocol version 19 and earlier.
Supporting Cisco IP Phones
Note For specific information about setting up the Phone Proxy on the adaptive security appliance, which is
part of the Cisco Unified Communications architecture and supports IP phone deployment, see
Chapter 43, “Configuring the Cisco Phone Proxy.”.
In topologies where Cisco CallManager is located on the higher security interface with respect to the
Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static
as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its
configuration. An static identity entry allows the Cisco CallManager on the higher security interface to
accept registrations from the Cisco IP Phones.
Cisco IP Phones require access to a TFTP server to download the configuration information they need
to connect to the Cisco CallManager server.
When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use
an access list to connect to the protected TFTP server on UDP port 69. While you do need a static entry
for the TFTP server, this does not have to be an identity static entry. When using NAT, an identity static
entry maps to the same IP address. When using PAT, it maps to the same IP address and port.
When the Cisco IP Phones are on a higher security interface compared to the TFTP server and
Cisco CallManager, no access list or static entry is required to allow the Cisco IP Phones to initiate the
connection.
Restrictions and Limitations
The following are limitations that apply to the current version of PAT and NAT support for SCCP:
• PAT does not work with configurations containing the alias command.
• Outside NAT or PAT is not supported.
If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address
or port, registrations for external Cisco IP Phones fail because the adaptive security appliance currently
does not support NAT or PAT for the file content transferred over TFTP. Although the adaptive security
appliance supports NAT of TFTP messages and opens a pinhole for the TFTP file, the adaptive security
appliance cannot translate the Cisco CallManager IP address and port embedded in the Cisco IP Phone
configuration files that are transferred by TFTP during phone registration.
Note The adaptive security appliance supports stateful failover of SCCP calls except for calls that are in the
middle of call setup.
To Next Page
Loading...
Need help?
General
