Sample Configuration for Cisco Adaptive Security Appliance 5520 to interoperate with Avaya SIP IP Telephones using Network Address Translation Issue 1.0
Abstract
These Application Notes describe the steps for configuring the Cisco Adaptive Security Appliance (ASA) 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones using Network Address Translation (NAT). The SIP Application Inspection functionality enabled on the ASA 5520 manages the dynamic opening and closing of the UDP ports needed by media traffic.
Solution & Interoperability Test Lab Application Notes ©2009 Avaya Inc. All Rights Reserved.
1 of 15 ASA-SIP-Stn
1. Introduction
These Application Notes describe a sample configuration of the Cisco ASA 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones registering with Avaya SIP Enablement Server (SES). The ASA 5520 serves as a consolidated platform for VPN gateway and firewall. These Application Notes focus on the SIP support of the firewall functionality.
2. Overview
The Cisco ASA 5520 is a firewall device capable of supporting a comprehensive set of security features such as firewalling, SSL/IPsec VPN termination, and intrusion prevention. The ASA 5520 shown in Figure 1 is configured as a firewall to interoperate with Avaya SIP Enablement Server (SES) and Avaya SIP IP Telephones. The SIP Application Inspection feature of the ASA 5520 dynamically opens and closes the UDP ports needed for media traffic. In addition, Network Address Translation is deployed to hide the actual internal IP addresses from the untrusted network. Both static and dynamic NAT methods are employed in the sample network. Avaya SES and the download server are statically NATed, while media traffic to and from Avaya IP Telephones is dynamically NATed to a pool of IP addresses belonging to the Untrusted IP network.
3. Configuration
Figure 1 illustrates the configuration used in these Application Notes. All Avaya IP Telephones are registered with Avaya Communication Manager connected to the 172.28.10.0/24 IP network. All Avaya IP Telephones are assigned to the same IP network region within Avaya Communication Manager. All Avaya IP Telephones obtain their IP address from the DHCP server. All Avaya 9600 Series IP Telephones located in the Untrusted IP network are configured for a non-Avaya environment and to use UDP as their transport protocol for signaling.
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.254.115 255.255.255.0
 management-only
!
# -------------------------------------------------------
# ----------- CONFIGURE USER FRIENDLY NAME --------------
# ------------- TO FACILITATE REFERENCING ---------------
# -------------------------------------------------------
# ----- 172.29.99.0 is the Untrust side IP network ------
# ----- 172.29.99.10 is the NAT address for Avaya SES ---
# -- 172.29.99.12 is the NAT address for download server
# -------------------------------------------------------
names
name 172.28.10.12 download-Srvr
name 172.28.10.10 Avaya-SES
name 172.29.99.0 Voice-network
name 172.29.99.12 Outside-Dn-Srvr
name 172.29.99.10 Outside-Avaya-SES
dns-guard
!
# -------------------------------------------------------
# ------------- CONFIGURE ACCESS LIST -------------------
# -------------------------------------------------------
# ---------- The following 3 rules are used -------------
# --- 1st rule allows download of firmware and ----------
# --------- configuration from download server ----------
# --- 2nd rule allows Avaya IP Telephone ----------------
# ------- to register with Avaya Communication Manager --
# --- 3rd rule allows SIP signaling to/from CLANs -------
# -------------------------------------------------------
# ---- RTP port for Avaya IP Telephone traffic will -----
# --- be dynamically opened and closed by the ASA 5520 --
# ----------- therefore no access list is needed --------
# -------------------------------------------------------
access-list Untrust_access_in extended permit tcp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq 411 log
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq tftp
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Avaya-SES eq sip log
access-list Untrust_access_in extended deny ip any any log
access-list Untrust_access_in extended permit icmp any any log inactive
AL; Reviewed: SPOC 1/15/2009
# --------------------------------------------------------
# -------------------- CONFIGURE NAT ---------------------
# --------------------------------------------------------
# ---- Configure a pool of IP address for dynamic NAT ----
# ------------------------- and --------------------------
# ----- static NAT for Avaya SES and download server -----
# --------------------------------------------------------
nat-control
global (Untrust) 1 172.29.99.41-172.29.99.45 netmask 255.255.255.0
nat (172.29.5.X) 1 172.28.10.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (172.29.5.X,Untrust) Outside-Avaya-SES Avaya-SES netmask 255.255.255.255
static (172.29.5.X,Untrust) Outside-Dn-Srvr download-Srvr netmask 255.255.255.255
# --------------------------------------------------------
# ------------------- CONFIGURE ROUTING ------------------
# --------------------------------------------------------
route 172.29.5.X 172.29.0.0 255.255.0.0 172.29.5.1 1
route 172.29.5.X 172.28.0.0 255.255.0.0 172.29.5.1 1
# --------------------------------------------------------
# ----------------- CONFIGURE DHCP RELAY -----------------
# --------------------------------------------------------
dhcprelay server download-Srvr 172.29.5.X
dhcprelay enable Untrust
!
# --------------------------------------------------------
# --------- BELOW IS THE DEFAULT CONFIGURATION FOR -------
# ------- CLASS-MAP, POLICY-MAP, AND SERVICE-POLICY ------
# ------------ SHOWN FOR ILLUSTRATION PURPOSE ------------
# --------- VERIFY INSPECT SIP MUST BE INCLUDED ----------
# --------------------------------------------------------
access-group Untrust_access_in in interface Untrust
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b61b906e869db6c1f417f9e139425851
: end
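To make the combination of static NAT, the dynamic pool and SIP inspection concrete, here is an added Python model (not Cisco or Avaya code, and not from these Application Notes) that applies the sample network's NAT entries to a constructed INVITE carrying SDP, fixes the Content-Length after the rewrite, and records the UDP pinholes a SIP-aware firewall would open for the offered media. The INVITE contents, the phone address 172.28.10.50 and the RTCP pinhole on port+1 are assumptions.

```python
import re
import ipaddress
# Sample-network addresses from the Application Notes (names as in the ASA config).
STATIC_NAT = {"172.28.10.10": "172.29.99.10",   # Avaya-SES -> Outside-Avaya-SES
              "172.28.10.12": "172.29.99.12"}   # download-Srvr -> Outside-Dn-Srvr
INSIDE_NET = ipaddress.ip_network("172.28.10.0/24")     # nat (...) 1 172.28.10.0
NAT_POOL = ["172.29.99.%d" % h for h in range(41, 46)]  # global (Untrust) 1 pool
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

class SipNatModel:   # toy model of static NAT + dynamic pool NAT with SIP fixups
    def __init__(self):
        self.dynamic = {}       # real inside IP -> pool IP currently assigned
        self.pinholes = set()   # (proto, mapped_ip, port) opened for media

    def translate_ip(self, ip):
        if ip in STATIC_NAT:                         # static (inside,Untrust) entries
            return STATIC_NAT[ip]
        if ipaddress.ip_address(ip) in INSIDE_NET:   # dynamic NAT from the pool
            if ip not in self.dynamic:
                if len(self.dynamic) == len(NAT_POOL):
                    raise RuntimeError("dynamic NAT pool exhausted")
                self.dynamic[ip] = NAT_POOL[len(self.dynamic)]
            return self.dynamic[ip]
        return ip                                    # Untrust address: untouched

    def inspect(self, msg):
        # Rewrite inside IPs in Via/Contact and SDP c=, fix Content-Length, open pinholes.
        head, _, body = msg.partition("\r\n\r\n")
        fix = lambda s: IPV4.sub(lambda m: self.translate_ip(m.group(1)), s)
        headers = [fix(h) if h.startswith(("Via:", "Contact:")) else h
                   for h in head.split("\r\n")]
        sdp, conn_ip, ports = [], None, []
        for line in body.split("\r\n"):
            if line.startswith("c=IN IP4 "):
                line = fix(line)
                conn_ip = line.split()[2]
            elif line.startswith("m=audio "):
                ports.append(int(line.split()[1]))
            sdp.append(line)
        for port in ports:                           # RTP, plus RTCP on port+1 (assumed)
            self.pinholes.update({("udp", conn_ip, port), ("udp", conn_ip, port + 1)})
        new_body = "\r\n".join(sdp)
        headers = ["Content-Length: %d" % len(new_body) if h.startswith("Content-Length:")
                   else h for h in headers]
        return "\r\n".join(headers) + "\r\n\r\n" + new_body

# Constructed INVITE: SES (inside) forwards an inside phone's offer to an Untrust-side phone.
SAMPLE_INVITE = ("INVITE sip:11107@172.29.99.50 SIP/2.0\r\nVia: SIP/2.0/UDP 172.28.10.10:5060;branch=z9hG4bK-ex\r\n"
                 "Contact: <sip:11102@172.28.10.50:5060>\r\nContent-Type: application/sdp\r\nContent-Length: 0\r\n"
                 "\r\nv=0\r\nc=IN IP4 172.28.10.50\r\nm=audio 2048 RTP/AVP 0")
```

Running `SipNatModel().inspect(SAMPLE_INVITE)` shows the Via header mapped through the static entry and the Contact and SDP mapped to the first pool address, which is why the access list needs no RTP rule: the pinholes are derived from the inspected SDP.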
Note that the IP addresses configured for TFTPSRVR and HTTPSRVR are the translated IP address of the download server, not its real IP address.
8. Verification
The following steps may be used to verify the configuration:
1. Use the show sip command on the Cisco ASA 5520 to view the status of SIP messaging passing through the firewall.
a. Show sip command output captured during Avaya 9630 IP Telephone registration.
InteropASA# show sip
Total: 4
call-id 1_1a3c4a3e5a31386d5dff_R@172.29.99.50
  CSeq: REGISTER
  From: sip:11103@interop.com;9d69386d43c2386d5dff_F172.29.99.50
  To:   sip:11103@interop.com;1DBFE3556F5A4E196F26FFDAF8BCD926122641955624858
  state Call init, timeout 0:03:00 idle 0:00:05
  Transaction              State                   Timeout   Idle
  Cseq 2 REGISTER          Transaction Proceeding  0:03:00   0:00:05
call-id 1_30e16460b38d386d74de_S@172.29.99.50
  CSeq: NOTIFY
  From: sip:11103@interop.com;fssUA_187907935-5155
  To:   sip:11103@interop.com;1386d43fc386d74de_F172.29.99.50
  state Call init, timeout 0:03:00 idle 0:00:04
  Transaction              State                   Timeout
  Cseq 14 NOTIFY           Transaction Proceeding  0:03:00
  Cseq 13 NOTIFY           Transaction Proceeding  0:03:00
call-id 1_1a41-5f097115386d5e18_S@172.29.99.50
  CSeq: SUBSCRIBE
  From: sip:11103@interop.com;-120ca386d43c2-8_F172.29.99.50
  To:   sip:11103@interop.com;fssUA_235398556-5155
  state Active, timeout 0:03:00 idle 0:00:04
  Transaction              State                   Timeout
  Cseq 3 NOTIFY            Transaction Proceeding  0:03:00
  Cseq 2 NOTIFY            Transaction Proceeding  0:03:00
  Cseq 2 SUBSCRIBE         Transaction Proceeding  0:03:00   0:00:06
call-id 1_18c3301c071b386d5c94_S@172.29.99.50
  CSeq: NOTIFY
  From: sip:11103@interop.com;fssUA_4124133585-5155
  To:   sip:11103@interop.com;-deda386d43be-8_F172.29.99.50
  state Call init, timeout 0:03:00 idle 0:00:07
  Transaction              State                   Timeout
  Cseq 5 NOTIFY            Transaction Proceeding  0:03:00
  Cseq 4 NOTIFY            Transaction Proceeding  0:03:00
b. Show sip command output captured during Avaya 4610SW IP Telephone registration.
InteropASA# show sip
Total: 2
call-id 603817ce3863dca61ea35c1cf561e7b9@172.29.99.52
  CSeq: SUBSCRIBE
  From: sip:11102@interop.com;1aa7a0be3a1cbf5
  To:   sip:11102@interop.com;fssUA_3628314560-5155
  state Active, timeout 0:03:00 idle 0:00:03
  Transaction              State                   Timeout
  Cseq 3 NOTIFY            Transaction Proceeding  0:03:00
  Cseq 2 NOTIFY            Transaction Proceeding  0:03:00
  Cseq 718351984 SUBSCRIBE Transaction Proceeding  0:03:00
call-id a5d49420c863d36d61eaee41d6ec248a@172.29.99.52
  CSeq: REGISTER
  From: sip:11102@interop.com;6320fb0886e8a83
  To:   sip:11102@interop.com;1DBFE3556F5A4E196F26FFDAF8BCD926122641865424700
  state Call init, timeout 0:03:00 idle 0:00:04
  Transaction              State                   Timeout   Idle
  Cseq 1751314095 REGISTER Transaction Proceeding  0:03:00   0:00:04
c. Show sip command output captured during call establishment between Avaya 4610SW and Avaya 9640G IP Telephones.
InteropASA# show sip
Total: 1
call-id 1a6b53e7044cf388c1c054e57d943df4@172.29.99.52
  CSeq: INVITE
  From: sip:11102@interop.com;a7c87950fb25b87
  To:   sip:11107@interop.com;0c0943e6bedd12b2b4934aa6400
  state Active, timeout 0:30:00 idle 0:00:01
  Transaction              State                   Timeout
  Cseq 1 INVITE            Transaction Proceeding  0:03:00
  Cseq 509461248 INVITE    Transaction Proceeding  0:03:00
InteropASA#
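As an added example, not part of the Application Notes, the following Python parser turns show sip output such as the call-establishment capture above into records that a script can check, for instance to flag calls whose idle time is approaching the inspection timeout before the ASA tears them down. The whitespace layout of the embedded sample is reconstructed from the capture; the 0.8 threshold is an assumption.

```python
import re

# "show sip" output captured in the Application Notes during call establishment (section 8c).
SHOW_SIP_SAMPLE = """InteropASA# show sip
Total: 1
call-id 1a6b53e7044cf388c1c054e57d943df4@172.29.99.52
  CSeq: INVITE
  From: sip:11102@interop.com;a7c87950fb25b87
  To:   sip:11107@interop.com;0c0943e6bedd12b2b4934aa6400
  state Active, timeout 0:30:00 idle 0:00:01
  Transaction              State                   Timeout
  Cseq 1 INVITE            Transaction Proceeding  0:03:00
  Cseq 509461248 INVITE    Transaction Proceeding  0:03:00
InteropASA#"""

CALL_RE = re.compile(r"call-id (\S+)(.*?)(?=call-id |\Z)", re.S)
STATE_RE = re.compile(r"state (.+?), timeout (\d+:\d+:\d+) idle (\d+:\d+:\d+)")
TXN_RE = re.compile(r"Cseq (\d+) ([A-Z]+)\s+Transaction (\w+)\s*(\d+:\d+:\d+)")

def hms(text):   # "0:30:00" -> 1800 seconds
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_show_sip(text):
    text = re.sub(r"^\S+#.*$", "", text, flags=re.M)   # drop the CLI prompt lines
    calls = []
    for m in CALL_RE.finditer(text):
        body = m.group(2)
        st = STATE_RE.search(body)
        cseq = re.search(r"CSeq: ([A-Z]+)", body)
        calls.append({
            "call_id": m.group(1),
            "method": cseq.group(1) if cseq else None,
            "state": st.group(1) if st else None,
            "timeout_s": hms(st.group(2)) if st else None,
            "idle_s": hms(st.group(3)) if st else None,
            "transactions": [(int(c), meth, ts, hms(t))
                             for c, meth, ts, t in TXN_RE.findall(body)],
        })
    total = re.search(r"Total: (\d+)", text)
    if total and int(total.group(1)) != len(calls):
        raise ValueError("Total: count does not match the parsed call entries")
    return calls

def near_expiry(calls, fraction=0.8):
    # Calls whose idle time is approaching the inspection timeout (about to be torn down).
    return [c["call_id"] for c in calls
            if c["idle_s"] is not None and c["idle_s"] >= fraction * c["timeout_s"]]
```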
9. Conclusion
These Application Notes described the administrative steps required to configure the Cisco ASA 5520 to support an Avaya VoIP solution consisting of Avaya SIP Enablement Server and Avaya 4600 and 9600 Series SIP IP Telephones in a NAT environment. The ASA 5520 correctly performed network address translation for Avaya SES and media traffic IP addresses in the sample network.
4. NAT configuration.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com