
Avaya Solution & Interoperability Test Lab

Sample Configuration for Cisco Adaptive Security Appliance 5520 to interoperate with Avaya SIP IP Telephones using Network Address Translation Issue 1.0

Abstract
These Application Notes describe the steps for configuring the Cisco Adaptive Security Appliance (ASA) 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones using Network Address Translation (NAT). The SIP Application Inspection functionality enabled on the ASA 5520 manages the dynamic opening and closing of the UDP ports needed by media traffic.

AL; Reviewed: SPOC 1/15/2009

Solution & Interoperability Test Lab Application Notes 2009 Avaya Inc. All Rights Reserved.

1 of 15 ASA-SIP-Stn

1. Introduction
These Application Notes describe a sample configuration for configuring the Cisco ASA 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones registering with Avaya SIP Enablement Server (SES). The ASA 5520 serves as a consolidated platform for VPN gateway and firewall. These Application Notes focus on the SIP support of the firewall functionality.

2. Overview
The Cisco ASA 5520 is a firewall device capable of supporting a comprehensive set of security features such as firewalling, SSL/IPsec VPN termination, and intrusion prevention. The ASA 5520 shown in Figure 1 is configured as a firewall to interoperate with Avaya SIP Enablement Server (SES) and Avaya SIP IP Telephones. The SIP Application Inspection feature of the ASA 5520 dynamically opens and closes the UDP ports needed for media traffic. In addition, Network Address Translation is deployed to hide the actual internal IP addresses from the untrusted network. Both static and dynamic NAT methods are employed in the sample network. Avaya SES and the download server are statically NATed, while media traffic to and from the Avaya IP Telephones is dynamically NATed to a pool of IP addresses belonging to the untrusted IP network.


3. Configuration
Figure 1 illustrates the configuration used in these Application Notes. All Avaya IP Telephones are registered with Avaya Communication Manager, which is connected to the 172.28.10.0/24 IP network. All Avaya IP Telephones are assigned to the same IP network region within Avaya Communication Manager. All Avaya IP Telephones obtain their IP addresses from the DHCP server. All Avaya 9600 Series IP Telephones located in the untrusted IP network are configured for a non-Avaya environment and to use UDP as their transport protocol for signaling.

Figure 1: Sample Network Configuration


4. Equipment and Software Validated


The following equipment and software/firmware were used for the sample configuration:

DEVICE DESCRIPTION                            VERSION TESTED
Avaya S8500 Server with G650 Media Gateway    R015x.00.0.825.4
Avaya SIP Enablement Server                   SES-5.0.0.0-825.31
Avaya 4621SW IP Telephone (SIP)               2.2.2
Avaya 4610SW IP Telephone (SIP)               2.2.2
Avaya 9630 IP Telephone (SIP)                 2.2
Avaya 9640G IP Telephone (SIP)                2.2
Cisco Adaptive Security Appliance (ASA) 5520  7.2(4)

5. Configure Cisco ASA 5520


This section describes the configuration of the Cisco ASA 5520 shown in Figure 1 using the Command Line Interface (CLI). It is assumed that the basic configuration needed to connect to the Cisco ASA 5520 has been completed. Annotations are shown between the blue # signs. Appendix A shows screen captures from Cisco Adaptive Security Device Manager (ASDM) for reference and illustration.
1. Log into the Cisco ASA 5520 and enter enable mode using the appropriate credentials.
2. Enter configuration mode by typing configure terminal.
3. Below is the configuration for the ASA 5520.
# -------------------------------------------------------- #
# -------------- CONFIGURE INTERFACES -------------------- #
# -------------------------------------------------------- #
interface GigabitEthernet0/0
 nameif Untrust
 security-level 0
 ip address 172.29.99.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif 172.29.5.X
 security-level 90
 ip address 172.29.5.41 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.254.115 255.255.255.0
 management-only
!
# -------------------------------------------------------- #
# ----------- CONFIGURE USER FRIENDLY NAME --------------- #
# ------------- TO FACILITATE REFERENCING ---------------- #
# -------------------------------------------------------- #
# ----- 172.29.99.0 is the Untrust side IP network ------- #
# ----- 172.29.99.10 is the NAT address for Avaya SES ---- #
# --- 172.29.99.12 is the NAT address for download server  #
# -------------------------------------------------------- #
names
name 172.28.10.12 download-Srvr
name 172.28.10.10 Avaya-SES
name 172.29.99.0 Voice-network
name 172.29.99.12 Outside-Dn-Srvr
name 172.29.99.10 Outside-Avaya-SES
dns-guard
!
# -------------------------------------------------------- #
# ------------- CONFIGURE ACCESS LIST -------------------- #
# -------------------------------------------------------- #
# ---------- The following 3 rules are used -------------- #
# --- 1st rule allows download of firmware and ----------- #
# --------- configuration from download server ----------- #
# --- 2nd rule allows Avaya IP Telephone ----------------- #
# ------- to register with Avaya Communication Manager --- #
# --- 3rd rule allows SIP signaling to/from CLANs -------- #
# -------------------------------------------------------- #
# ---- RTP port for Avaya IP Telephone traffic will ------ #
# --- be dynamically opened and closed by the ASA 5520 --- #
# ----------- therefore no access list is needed --------- #
# -------------------------------------------------------- #
access-list Untrust_access_in extended permit tcp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq 411 log
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq tftp
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Avaya-SES eq sip log
access-list Untrust_access_in extended deny ip any any log
access-list Untrust_access_in extended permit icmp any any log inactive
# -------------------------------------------------------- #
# -------------------- CONFIGURE NAT --------------------- #
# -------------------------------------------------------- #
# ---- Configure a pool of IP address for dynamic NAT ---- #
# ------------------------- and -------------------------- #
# ----- static NAT for Avaya SES and download server ----- #
# -------------------------------------------------------- #
nat-control
global (Untrust) 1 172.29.99.41-172.29.99.45 netmask 255.255.255.0
nat (172.29.5.X) 1 172.28.10.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (172.29.5.X,Untrust) Outside-Avaya-SES Avaya-SES netmask 255.255.255.255
static (172.29.5.X,Untrust) Outside-Dn-Srvr download-Srvr netmask 255.255.255.255
# -------------------------------------------------------- #
# ------------------- CONFIGURE ROUTING ------------------ #
# -------------------------------------------------------- #
route 172.29.5.X 172.29.0.0 255.255.0.0 172.29.5.1 1
route 172.29.5.X 172.28.0.0 255.255.0.0 172.29.5.1 1
# -------------------------------------------------------- #
# ----------------- CONFIGURE DHCP RELAY ----------------- #
# -------------------------------------------------------- #
dhcprelay server download-Srvr 172.29.5.X
dhcprelay enable Untrust
!
# -------------------------------------------------------- #
# --------- BELOW IS THE DEFAULT CONFIGURATION FOR ------- #
# ------- CLASS-MAP, POLICY-MAP, AND SERVICE-POLICY ------ #
# ------------ SHOWN FOR ILLUSTRATION PURPOSE ------------ #
# --------- VERIFY INSPECT SIP MUST BE INCLUDED ---------- #
# -------------------------------------------------------- #
access-group Untrust_access_in in interface Untrust
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b61b906e869db6c1f417f9e139425851
: end
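The access list above is evaluated top to bottom, first match wins, and the dynamic NAT pool for the inside hosts holds exactly five addresses. The following Python model is an added illustration (not code from these Application Notes, Avaya or Cisco): it resolves the name aliases, applies first-match semantics to Untrust_access_in, reports which rule position the deny ip any any makes unreachable, and shows what happens to a sixth concurrent inside host when the global pool 172.29.99.41-172.29.99.45 is exhausted. The rules and addresses are the ones on this page; the test flows and the inside host addresses 172.28.10.20-25 are constructed.

```python
"""Model of the Section 5 access list and NAT behaviour: first-match evaluation
of Untrust_access_in with the 'name' aliases resolved, detection of rules that
an earlier 'deny ip any any' makes unreachable, and allocation from the
five-address dynamic NAT pool.  Added illustration, not code from the
Application Notes, Avaya or Cisco; rules and addresses are those on the page,
the flows and inside hosts fed through it are constructed."""
import ipaddress

# 'name' aliases exactly as configured on the page.
NAMES = {
    "download-Srvr": "172.28.10.12",
    "Avaya-SES": "172.28.10.10",
    "Voice-network": "172.29.99.0",
    "Outside-Dn-Srvr": "172.29.99.12",
    "Outside-Avaya-SES": "172.29.99.10",
}
# Service keywords used by the page's rules, resolved to port numbers.
SERVICES = {"tftp": 69, "sip": 5060}

# Untrust_access_in in configured order:
# (action, protocol, src, src_mask, dst, dst_mask, dst_port, active)
ACL = [
    ("permit", "tcp", "Voice-network", "255.255.255.0", "Outside-Dn-Srvr", "255.255.255.255", 411, True),
    ("permit", "udp", "Voice-network", "255.255.255.0", "Outside-Dn-Srvr", "255.255.255.255", "tftp", True),
    ("permit", "udp", "Voice-network", "255.255.255.0", "Outside-Avaya-SES", "255.255.255.255", "sip", True),
    ("deny", "ip", "any", None, "any", None, None, True),
    ("permit", "icmp", "any", None, "any", None, None, False),  # 'inactive' on the page
]


def _network(addr, mask):
    """Resolve a name or literal address plus mask to a network; 'any' covers everything."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)


def evaluate(proto, src, dst, dport=None):
    """Apply ASA first-match semantics: the first active rule that matches decides;
    no match falls through to the implicit deny.  Returns (action, rule_index),
    with rule_index None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, smask, rdst, dmask, rport, active) in enumerate(ACL):
        if not active:
            continue
        if rproto != "ip" and rproto != proto:
            continue
        if s not in _network(rsrc, smask) or d not in _network(rdst, dmask):
            continue
        if rport is not None and SERVICES.get(rport, rport) != dport:
            continue
        return action, i
    return "deny", None


def shadowed_rules():
    """Indices of rules that can never be hit because an earlier active
    'ip any any' rule with no port already catches every packet.  Deliberately
    limited to that catch-all case; a full shadow analysis needs set comparison."""
    catch_all_seen = False
    out = []
    for i, (_, rproto, rsrc, _, rdst, _, rport, active) in enumerate(ACL):
        if catch_all_seen:
            out.append(i)
        elif active and rproto == "ip" and rsrc == "any" and rdst == "any" and rport is None:
            catch_all_seen = True
    return out


class DynamicNatPool:
    """One-to-one dynamic NAT from the page's 'global (Untrust) 1' range.  The
    pool holds five addresses and no PAT fallback is configured, so a sixth
    concurrent inside host gets no translation (modelled here as None)."""

    def __init__(self, first="172.29.99.41", last="172.29.99.45"):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.table = {}  # inside address -> translated address

    def translate(self, inside):
        if inside in self.table:          # an existing translation is reused
            return self.table[inside]
        if not self.free:                 # pool exhausted
            return None
        self.table[inside] = self.free.pop(0)
        return self.table[inside]


if __name__ == "__main__":
    print(evaluate("udp", "172.29.99.50", "172.29.99.10", 5060))   # ('permit', 2)
    print(evaluate("udp", "172.29.99.50", "172.29.99.12", 5060))   # ('deny', 3)
    print("shadowed rule positions:", shadowed_rules())            # [4]
    pool = DynamicNatPool()
    for host in range(20, 26):                                      # six constructed inside hosts
        print(f"172.28.10.{host} ->", pool.translate(f"172.28.10.{host}"))
```

The model reproduces the page's intent (phones may only reach the translated download server on 411/tftp and the translated SES on sip; everything else from Untrust is denied and logged) and makes two operational points visible: the inactive icmp rule sits after the catch-all deny and would never match even if re-activated, and the five-address pool caps the number of inside hosts that can hold a dynamic translation at the same time.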

6. Configuring DHCP Server


This section shows the configuration on the DHCP server.
1. In addition to configuring the address pool, three Scope Options are configured for use by Avaya IP Telephones. The Scope Options are as follows.

Option   Value
3        172.29.99.1
176      TFTPSRVR=172.29.99.12
242      HTTPSRVR=172.29.99.12

Note that the IP addresses given for TFTPSRVR and HTTPSRVR are the translated IP address of the download server, not its real IP address.


7. Configuring Avaya 9600 Series IP Telephone


This section describes the basic configuration for Avaya 9600 Series IP Telephones in this solution. For additional information on how to configure the Avaya 9600 Series IP Telephone, please consult reference [4].
1. Access the Avaya 9600 Series IP Telephone menu option by entering the password using the dialpad on the phone.
2. Select the SIP option and configure the following fields.
   a. Avaya Environment: No
   b. Transport Type: UDP
3. The following is the 46xxsettings.txt file used in the sample network. Notice that SIPPROXYSRVR, SIPREGISTRAR, MWISRVR, and FILESERVER all point to their respective NATed IP addresses.

SET SIPDOMAIN "interop.com"
SET SIPPROXYSRVR "172.29.99.10"
SET SIPREGISTRAR "172.29.99.10"
SET MWISRVR "172.29.99.10"
SET FILESERVER "172.29.99.12"
SET DSTOFFSET "1"
SET DSTSTART "1SunApr2L"
SET DSTSTOP "LSunOct2L"
SET GMTOFFSET "-5:00"
SET DATESEPARATOR "-"
SET DATETIMEFORMAT "1"
SET CALLFWDSTAT "0"
SET COVERAGEADDR ""
SET DIALPLAN "11xxx"
SET SIPPORT "5060"


8. Verification
The following steps may be used to verify the configuration:
1. Use the show sip command on the Cisco ASA 5520 to view the status of SIP messaging passing through the firewall.
   a. show sip command output captured during Avaya 9630 IP Telephone registration.

InteropASA# show sip
Total: 4
call-id 1_1a3c4a3e5a31386d5dff_R@172.29.99.50
    CSeq: REGISTER
    From: sip:11103@interop.com;9d69386d43c2386d5dff_F172.29.99.50
    To: sip:11103@interop.com;1DBFE3556F5A4E196F26FFDAF8BCD926122641955624858
    state Call init, timeout 0:03:00 idle 0:00:05
    Transaction                 State                   Timeout   Idle
    Cseq 2 REGISTER             Transaction Proceeding  0:03:00   0:00:05
call-id 1_30e16460b38d386d74de_S@172.29.99.50
    CSeq: NOTIFY
    From: sip:11103@interop.com;fssUA_187907935-5155
    To: sip:11103@interop.com;1386d43fc386d74de_F172.29.99.50
    state Call init, timeout 0:03:00 idle 0:00:04
    Transaction                 State                   Timeout   Idle
    Cseq 14 NOTIFY              Transaction Proceeding  0:03:00   0:00:04
    Cseq 13 NOTIFY              Transaction Proceeding  0:03:00   0:00:04
call-id 1_1a41-5f097115386d5e18_S@172.29.99.50
    CSeq: SUBSCRIBE
    From: sip:11103@interop.com;-120ca386d43c2-8_F172.29.99.50
    To: sip:11103@interop.com;fssUA_235398556-5155
    state Active, timeout 0:03:00 idle 0:00:04
    Transaction                 State                   Timeout   Idle
    Cseq 3 NOTIFY               Transaction Proceeding  0:03:00   0:00:04
    Cseq 2 NOTIFY               Transaction Proceeding  0:03:00   0:00:05
    Cseq 2 SUBSCRIBE            Transaction Proceeding  0:03:00   0:00:06
call-id 1_18c3301c071b386d5c94_S@172.29.99.50
    CSeq: NOTIFY
    From: sip:11103@interop.com;fssUA_4124133585-5155
    To: sip:11103@interop.com;-deda386d43be-8_F172.29.99.50
    state Call init, timeout 0:03:00 idle 0:00:07
    Transaction                 State                   Timeout   Idle
    Cseq 5 NOTIFY               Transaction Proceeding  0:03:00   0:00:08
    Cseq 4 NOTIFY               Transaction Proceeding  0:03:00   0:00:08

   b. show sip command output captured during Avaya 4610SW IP Telephone registration.

InteropASA# show sip
Total: 2
call-id 603817ce3863dca61ea35c1cf561e7b9@172.29.99.52
    CSeq: SUBSCRIBE
    From: sip:11102@interop.com;1aa7a0be3a1cbf5
    To: sip:11102@interop.com;fssUA_3628314560-5155
    state Active, timeout 0:03:00 idle 0:00:03
    Transaction                 State                   Timeout   Idle
    Cseq 3 NOTIFY               Transaction Proceeding  0:03:00   0:00:03
    Cseq 2 NOTIFY               Transaction Proceeding  0:03:00   0:00:04
    Cseq 718351984 SUBSCRIBE    Transaction Proceeding  0:03:00   0:00:04
call-id a5d49420c863d36d61eaee41d6ec248a@172.29.99.52
    CSeq: REGISTER
    From: sip:11102@interop.com;6320fb0886e8a83
    To: sip:11102@interop.com;1DBFE3556F5A4E196F26FFDAF8BCD926122641865424700
    state Call init, timeout 0:03:00 idle 0:00:04
    Transaction                 State                   Timeout   Idle
    Cseq 1751314095 REGISTER    Transaction Proceeding  0:03:00   0:00:04


   c. show sip command output captured during call establishment between Avaya 4610SW and Avaya 9640G IP Telephones.

InteropASA# show sip
Total: 1
call-id 1a6b53e7044cf388c1c054e57d943df4@172.29.99.52
    CSeq: INVITE
    From: sip:11102@interop.com;a7c87950fb25b87
    To: sip:11107@interop.com;0c0943e6bedd12b2b4934aa6400
    state Active, timeout 0:30:00 idle 0:00:01
    Transaction                 State                   Timeout   Idle
    Cseq 1 INVITE               Transaction Proceeding  0:03:00   0:00:01
    Cseq 509461248 INVITE       Transaction Proceeding  0:03:00   0:00:01
InteropASA#
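Reading these captures by eye is fine for a handful of sessions; for ongoing verification it helps to turn them into records. The parser below is an added example, not part of these Application Notes or of Cisco software: it reads the show sip layout used above (session header, CSeq/From/To, the state line with its session timeout and idle time, and the per-transaction table), then reports sessions whose idle time has consumed most of their inspection timeout, which is what to look for when a registration or a call drops because the ASA aged the SIP session out. The sample output embedded in the block is constructed in the same layout; its first two sessions reuse values from this page, the third (a call idle for 27 minutes against the 30-minute sip timeout) is made up to exercise the check.

```python
"""Parser for the Cisco ASA 'show sip' output layout shown in Section 8, plus a
check for SIP sessions approaching their inspection timeout.  Added example,
not code from the Application Notes or from Cisco; the sample output below is
constructed (sessions 1 and 2 reuse the page's values, session 3 is made up)."""
import re
from dataclasses import dataclass, field

SAMPLE_SHOW_SIP = """\
InteropASA# show sip
Total: 3
call-id 603817ce3863dca61ea35c1cf561e7b9@172.29.99.52
    CSeq: SUBSCRIBE
    From: sip:11102@interop.com;1aa7a0be3a1cbf5
    To: sip:11102@interop.com;fssUA_3628314560-5155
    state Active, timeout 0:03:00 idle 0:00:03
    Transaction                 State                   Timeout   Idle
    Cseq 3 NOTIFY               Transaction Proceeding  0:03:00   0:00:03
    Cseq 718351984 SUBSCRIBE    Transaction Proceeding  0:03:00   0:00:04
call-id a5d49420c863d36d61eaee41d6ec248a@172.29.99.52
    CSeq: REGISTER
    From: sip:11102@interop.com;6320fb0886e8a83
    To: sip:11102@interop.com;1DBFE3556F5A4E196F26FFDAF8BCD926122641865424700
    state Call init, timeout 0:03:00 idle 0:00:04
    Transaction                 State                   Timeout   Idle
    Cseq 1751314095 REGISTER    Transaction Proceeding  0:03:00   0:00:04
call-id constructed-example-call@172.29.99.53
    CSeq: INVITE
    From: sip:11105@interop.com;tagA
    To: sip:11107@interop.com;tagB
    state Active, timeout 0:30:00 idle 0:27:10
    Transaction                 State                   Timeout   Idle
    Cseq 1 INVITE               Transaction Proceeding  0:03:00   0:02:50
InteropASA#
"""

STATE_RE = re.compile(r"^state (.+?), timeout (\d+:\d\d:\d\d) idle (\d+:\d\d:\d\d)$")
TXN_RE = re.compile(r"^Cseq (\d+) (\S+)\s+Transaction (\S+)\s+(\d+:\d\d:\d\d)\s+(\d+:\d\d:\d\d)$")


def hms_to_seconds(text):
    """Convert the ASA's H:MM:SS timer display to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Transaction:
    cseq: int
    method: str
    state: str
    timeout: int   # seconds
    idle: int      # seconds


@dataclass
class SipSession:
    call_id: str
    method: str = ""
    from_uri: str = ""
    to_uri: str = ""
    state: str = ""
    timeout: int = 0
    idle: int = 0
    transactions: list = field(default_factory=list)


def parse_show_sip(output):
    """Return (total_reported, [SipSession, ...]) from 'show sip' text."""
    total, sessions = -1, []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Total:"):
            total = int(line.split(":", 1)[1])
        elif line.startswith("call-id "):
            sessions.append(SipSession(call_id=line[len("call-id "):]))
        elif not sessions:
            continue                         # prompt or preamble before the first session
        elif line.startswith("CSeq:"):
            sessions[-1].method = line.split(":", 1)[1].strip()
        elif line.startswith("From:"):
            sessions[-1].from_uri = line.split(":", 1)[1].strip()
        elif line.startswith("To:"):
            sessions[-1].to_uri = line.split(":", 1)[1].strip()
        elif (m := STATE_RE.match(line)):
            sessions[-1].state = m.group(1)
            sessions[-1].timeout = hms_to_seconds(m.group(2))
            sessions[-1].idle = hms_to_seconds(m.group(3))
        elif (m := TXN_RE.match(line)):
            sessions[-1].transactions.append(Transaction(
                int(m.group(1)), m.group(2), m.group(3),
                hms_to_seconds(m.group(4)), hms_to_seconds(m.group(5))))
        # the column header line and the trailing prompt match nothing and are skipped
    return total, sessions


def near_timeout(sessions, fraction=0.8):
    """(call_id, idle, timeout) for sessions whose idle time has reached
    `fraction` of the inspection timeout; these are about to be aged out."""
    return [(s.call_id, s.idle, s.timeout) for s in sessions
            if s.timeout and s.idle >= fraction * s.timeout]


def sessions_by_state(sessions):
    """Count sessions per ASA state string ('Active', 'Call init', ...)."""
    counts = {}
    for s in sessions:
        counts[s.state] = counts.get(s.state, 0) + 1
    return counts


if __name__ == "__main__":
    total, sessions = parse_show_sip(SAMPLE_SHOW_SIP)
    print("reported:", total, "parsed:", len(sessions), sessions_by_state(sessions))
    for call_id, idle, timeout in near_timeout(sessions):
        print(f"near timeout: {call_id} idle {idle}s of {timeout}s")
```

The session timeouts the parser reads back (0:03:00 for REGISTER/SUBSCRIBE/NOTIFY sessions, 0:30:00 for an INVITE session) are the sip-invite and sip values from the timeout line in Section 5, so a mismatch between what the parser reports and what is configured is itself a useful sign that the output came from a different device or policy.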


9. Conclusion
These Application Notes described the administrative steps required to configure the Cisco ASA 5520 to support an Avaya VoIP solution consisting of Avaya SIP Enablement Server and Avaya 4600 and 9600 Series SIP IP Telephones in a NAT environment. The ASA 5520 correctly performed network address translation for Avaya SES and media traffic IP addresses in the sample network.

10. Additional References


Product documentation for Avaya products may be found at http://support.avaya.com
[1] Administrator Guide for Avaya Communication Manager, Doc # 03-300509, Issue 4.0, Release 5.0, January 2008
[2] Avaya Communication Manager Advanced Administration Quick Reference, Doc # 03-300364, Issue 4, Release 5.0, January 2008
[3] Administration for Network Connectivity for Avaya Communication Manager, Doc # 555-233-504, Issue 13, January 2008
[4] Avaya One-X Deskphone Edition for 9600 Series SIP IP Telephones Installation and Maintenance, Doc # 16-603159, Issue 1, September 2008
Product documentation for Cisco Systems products may be found at http://www.cisco.com
[5] Cisco Security Appliance Command Line Configuration Guide, Software Version 7.0(4), Part Number: OL-6721-02


11. Appendix A ASDM screen captures


This section contains screen captures from Cisco Adaptive Security Device Manager (ASDM). These screen captures serve as illustrations of the accompanying configuration shown in Section 5.
1. ASA 5520 interface configuration.

2. IP Names and Network Object Groups used in the configuration.

3. ASA 5520 firewall rules.


4. NAT configuration.


2009 Avaya Inc. All Rights Reserved.

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by and are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com

