SNAA
Securing Networks with Cisco ASA Advanced
Volume 4
Version 1.0
Student Guide

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

Table of Contents, Volume 4

Handling Multimedia Protocols (A1-1)
  Overview (A1-1)
  Objectives (A1-1)
  Multimedia Protocol Handling Overview (A1-2)
  RTSP Inspection (A1-4)
  H.323 Inspection (A1-9)
  SIP Inspection (A1-14)
  SCCP Inspection (A1-19)
  CTIQBE Inspection (A1-22)
  MGCP Inspection (A1-24)
  Verifying Multimedia Support (A1-27)
  Summary (A1-38)
Using Cisco ASA Multicast (A2-1)
  Overview (A2-1)
  Objectives (A2-1)
  Multicast (A2-2)
  IGMP (A2-8)
  PIM
  Static Multicast Routing (A2-16)
  Verify and Troubleshoot (A2-19)
  Summary (A2-24)

Securing Networks with Cisco ASA Advanced (SNAA) v1.0, © 2008 Cisco Systems, Inc.

Appendix 1: Handling Multimedia Protocols

Overview

This appendix explains how the Cisco ASA adaptive security appliance handles multimedia protocols and shows how to configure multimedia protocol handling.

Objectives

This appendix includes these components:
- Multimedia protocol handling capabilities of the Cisco ASA security appliance
- Configure RTSP inspection
- Configure H.323 inspection
- Configure SIP inspection
- Configure SCCP inspection
- Configure CTIQBE inspection
- Configure MGCP inspection
- Verify and troubleshoot multimedia inspection

Multimedia Protocol Handling Overview

This topic presents an overview of multimedia protocol handling.
Why Multimedia Is an Issue
- Multimedia applications behave in unique ways: they use dynamic ports.
- The Cisco ASA security appliance dynamically opens and closes ports for secure multimedia connections.
- The Cisco ASA security appliance supports multimedia with or without NAT.

Multimedia applications can transmit requests on TCP, get responses on User Datagram Protocol (UDP) or TCP, use dynamic ports, use the same port for source and destination, and so on. Every application behaves in a different way. Implementing support for all multimedia applications using a single secure method is very difficult. Two examples of multimedia applications follow:
- RealAudio: Sends the originating request to TCP port 7070. The RealAudio server replies with multiple UDP streams anywhere from UDP port 6970 through 7170 on the client machine.
- Cisco IP phone: Sends the Skinny Client Control Protocol (SCCP) messages to the call manager on TCP port 2000. SCCP uses Real-Time Transport Protocol (RTP) and RTP Control Protocol (RTCP) for media transmissions. The UDP media ports are randomly selected by the Cisco IP phone.

The Cisco ASA security appliance dynamically opens and closes UDP ports for secure multimedia connections. You do not need to open a large range of ports, which creates a security risk, nor do you have to reconfigure any application clients. Also, the Cisco ASA security appliance supports multimedia with or without Network Address Translation (NAT). Many security appliances cannot support multimedia with NAT, limit multimedia usage to only registered users, or require exposure of inside IP addresses to the Internet. Lack of support for multimedia with NAT often forces multimedia vendors to join in proprietary alliances with security appliance vendors to accomplish compatibility for their applications.
Application Inspection and Control for Voice and Video

Protocol Support: SIP, SCCP, MGCP, H.323 v1 through v4, RTP/RTCP, GTP, CTIQBE, RTSP.
Threat Prevention: Dynamically open and close ports for gateways, endpoints and applications; NAT and PAT support for SIP, SCCP and H.323. Protocol conformance and compliance; inspection for malformed packets, RTP media, signaling, and messages in signaling. Rate limiting against DoS attacks.
Network Policy: Filter on whitelist, blacklist, caller, called party domains and services (IM). Ensure that only registered phones are allowed to place calls.
Voice and Video Confidentiality: Inspection of encrypted signaling while maintaining the confidentiality of encrypted phone calls.

Many multifunctional security devices are strong in one area and weak in the others, which can require you to give up certain security features. With the Cisco ASA security appliance, this is not necessary. The security appliance is built from the best of Cisco security technologies, all of which are built on a foundation of network intelligence. As a result, the Cisco ASA security appliance is network aware, and thus will not impair network traffic and applications in VoIP or virtualized networks.

The Cisco ASA security appliance provides inspections for the following multimedia applications:
- Real Time Streaming Protocol (RTSP)
- H.323
- Session Initiation Protocol (SIP)
- SCCP (Skinny)
- Media Gateway Control Protocol (MGCP)
- Computer Telephony Interface Quick Buffer Encoding (CTIQBE)

You can configure advanced protocol inspection for the following multimedia applications.
The inspection engines for these applications enable you to control additional parameters when you apply the inspection to the traffic:
- RTSP
- H.323
- SIP
- SCCP (Skinny)
- MGCP

RTSP Inspection

This topic describes RTSP inspection and explains how to configure it.

Real Time Streaming Protocol
- RTSP uses one TCP and two UDP channels.
- Transport options: RTP or RDT for data; RTCP or UDP resend for feedback.
- RTSP TCP-only mode does not require special handling by the Cisco ASA security appliance.
- Supported applications: Cisco IP/TV; Apple QuickTime 4; RealNetworks RealAudio, RealPlayer and RealServer.

RTSP is a real-time audio and video delivery control protocol used by many popular multimedia applications. It uses one TCP channel and multiple UDP channels. The TCP channel is the control channel and is used to negotiate the UDP delivery channels depending on the transport mode, RTP, or Session Description Protocol (SDP) that is configured on the client. RTSP applications use the well-known port 554, usually TCP, rarely UDP. Cisco ASA security appliances support TCP only.

The first UDP channel is the data connection; it can use one of the following transport modes:
- RTP
- RealNetworks Data Transport (RDT) protocol

The second UDP channel is the feedback channel; it can use one of the following modes:
- RTCP
- UDP resend connection

RTSP supports a TCP-only mode. This mode contains only one TCP connection, which is used as the control and data channels. Because this mode contains only one constant standard TCP connection, no special handling is required by the security appliance.

The following are RTSP applications that Cisco ASA security appliances support:
- Cisco IP/TV
- Apple QuickTime 4
- RealNetworks
  - RealAudio
  - RealPlayer
  - RealServer

Note: RealNetworks RDT multicast is not supported.
RTSP Inspection
- By default, the Cisco ASA security appliance inspects RTSP connections.
- RTSP dynamically opens UDP connections as required.
- If inspection is disabled, UDP transport modes are disallowed; TCP transport modes are allowed (TCP connection rules apply).

By default, the Cisco ASA security appliance inspects port 554 for RTSP connections. If you have devices in the network using ports other than port 554 for RTSP, you need to identify these other traffic flows with their different RTSP port numbers. RTSP inspection causes the security appliance to create dynamic openings for UDP channels for RTSP traffic. If RTSP inspection is not enabled, neither outbound nor inbound RTSP will work properly on that port.

Configuring Advanced RTSP Inspection

Configuration > Objects > Inspect Maps

You can configure Layer 7 policy maps for RTSP from the RTSP panel in Cisco Adaptive Security Device Manager (ASDM). To access this panel, click Configuration in the Cisco ASDM toolbar, expand the Objects menu, expand the Inspect Maps menu, and click RTSP. After configuring the Layer 7 RTSP map, create a service policy rule to apply it to a Layer 3/4 policy map, and activate it.

Standard RTP Mode
- In standard RTP mode, RTSP uses a control connection (TCP), RTP data (simplex UDP), and RTCP reports (duplex UDP).
- For outbound connections, the Cisco ASA security appliance opens inbound ports for RTP data and RTCP reports.
- For inbound connections, if an ACL exists, the security appliance handles standard RTP mode as follows: if outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, the security appliance opens outbound ports for RTP data and RTCP reports.

In standard RTP mode, the following three channels are used by RTSP:
- TCP control channel: Standard TCP connection that is initiated from the client to the server.
- RTP data channel: Simplex (unidirectional) UDP session for media delivery that is using the RTP packet format from the server to the client. The client port is always an even-numbered port.
- RTCP reports: Duplex (bidirectional) UDP session that is used to provide synchronization information to the client and packet loss information to the server. The RTCP port is always the next consecutive port from the RTP data port.

For standard RTP mode RTSP traffic, the Cisco ASA security appliance behaves in the following manner:
- Outbound connections: After the client and the server negotiate the transport mode and the ports to use for the sessions, the security appliance creates temporary inbound dynamic openings for the RTP data channel and RTCP report channel from the server.
- Inbound connections:
  - If an access control list (ACL) exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is implicitly allowed, no special handling is required because the server initiates the data and report channels from the inside.
  - If an ACL exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is not implicitly allowed, the security appliance creates temporary dynamic openings for the data and report channels from the server.

Note: The Cisco ASA security appliance also can inspect Cisco voice and video communications encrypted with Secure RTP (SRTP) and Transport Layer Security (TLS). This maintains integrity and confidentiality of a call while enforcing a security policy through advanced SIP and SCCP firewall services.

RealNetworks RDT Mode
- In RealNetworks RDT mode, RTSP uses a control connection (TCP), UDP data (simplex UDP), and UDP resend (simplex UDP).
- For outbound connections, the Cisco ASA security appliance handles RDT mode as follows: if outbound traffic is allowed, it opens an inbound port for UDP data; if outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
- For inbound connections, if an ACL exists, the security appliance handles RDT mode as follows: if outbound traffic is allowed, it opens an inbound port for UDP resend; if outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.
In RealNetworks RDT mode, the following three channels are used by RTSP:
- TCP control channel: Standard TCP connection that is initiated from the client to the server.
- UDP data channel: Simplex (unidirectional) UDP session for media delivery that is using the standard UDP packet format from the server to the client.
- UDP resend: Simplex (unidirectional) UDP session used by the client to request that the server resend lost data packets.

For RealNetworks RDT mode RTSP traffic, the Cisco ASA security appliance behaves in the following manner:
- Outbound connections:
  - If outbound UDP traffic is implicitly allowed, and after the client and the server negotiate the transport mode and the ports to use for the session, the security appliance creates temporary inbound openings for the UDP data channel from the server.
  - If outbound UDP traffic is not implicitly allowed, and after the client and the server negotiate the transport mode and the ports to use for the session, the security appliance creates a temporary inbound opening for the UDP data channel from the server and a temporary outbound opening for the UDP resend channel from the client.
- Inbound connections:
  - If an ACL exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is implicitly allowed, the security appliance creates a temporary inbound opening for the UDP resend from the client.
  - If an ACL exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is not implicitly allowed, the security appliance creates temporary openings for the UDP data and UDP resend channels from the server and the client, respectively.
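The pinhole rules for both transport modes, as an added model written for this guide rather than Cisco's code (it reproduces the decision table of the two topics above, not the appliance's implementation). It parses the Transport header of a SETUP reply and returns the openings the appliance would create for an outbound or inbound RTSP connection; the SETUP replies, the RDT Transport header layout and the port numbers are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed RTSP SETUP replies (not real captures). The Transport header
# carries the negotiated transport mode and UDP ports that the appliance
# reads to decide which temporary openings (pinholes) to create.
SETUP_REPLY_RTP = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=5000-5001\r\n"
    "\r\n"
)
# RDT transport syntax is vendor specific; this layout is an assumption.
SETUP_REPLY_RDT = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Transport: x-real-rdt/udp;client_port=6970;server_port=5000\r\n"
    "\r\n"
)

@dataclass(frozen=True)
class Pinhole:
    direction: str   # "inbound" = outside to inside, "outbound" = inside to outside
    channel: str     # rtp, rtcp, rdt-data or rdt-resend
    dst_port: int    # UDP port the channel is sent to

def parse_transport(reply):
    """Return (mode, client_port, server_port) from the Transport header.
    mode is "rtp" for RTP/AVP and "rdt" for RealNetworks RDT."""
    m = re.search(r"^Transport:[ \t]*([^\r\n]+)", reply, re.M)
    if not m:
        raise ValueError("no Transport header in SETUP reply")
    fields = [f.strip() for f in m.group(1).split(";")]
    spec = fields[0].lower()
    if spec.startswith("rtp/avp"):
        mode = "rtp"
    elif "rdt" in spec:
        mode = "rdt"
    else:
        raise ValueError("unsupported transport: " + spec)
    ports = {}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key in ("client_port", "server_port"):
            ports[key] = int(value.split("-")[0])   # first port of a "lo-hi" pair
    if "client_port" not in ports or "server_port" not in ports:
        raise ValueError("Transport header lacks client_port/server_port")
    if mode == "rtp" and ports["client_port"] % 2:
        raise ValueError("RTP client port must be even (RTCP is the next port)")
    return mode, ports["client_port"], ports["server_port"]

def pinholes(mode, client_port, server_port, client_inside, outbound_udp_allowed):
    """Openings the appendix describes for each mode and direction.
    client_inside=True is an outbound RTSP connection; False is an inbound
    connection to an RTSP server behind the appliance that an ACL permits.
    outbound_udp_allowed says whether inside-to-outside UDP is implicitly allowed."""
    to_client = "inbound" if client_inside else "outbound"   # server -> client
    to_server = "outbound" if client_inside else "inbound"   # client -> server
    holes = set()
    if mode == "rtp":
        # RTCP is duplex, so one opening toward the client serves both directions.
        if client_inside or not outbound_udp_allowed:
            holes.add(Pinhole(to_client, "rtp", client_port))
            holes.add(Pinhole(to_client, "rtcp", client_port + 1))
    else:
        if client_inside:
            holes.add(Pinhole(to_client, "rdt-data", client_port))
            if not outbound_udp_allowed:
                holes.add(Pinhole(to_server, "rdt-resend", server_port))
        else:
            holes.add(Pinhole(to_server, "rdt-resend", server_port))
            if not outbound_udp_allowed:
                holes.add(Pinhole(to_client, "rdt-data", client_port))
    return holes

def inspect_setup(reply, client_inside, outbound_udp_allowed=True):
    """Parse a SETUP reply and return the pinholes the appliance would open."""
    mode, cport, sport = parse_transport(reply)
    return pinholes(mode, cport, sport, client_inside, outbound_udp_allowed)

if __name__ == "__main__":
    for hole in sorted(inspect_setup(SETUP_REPLY_RTP, client_inside=True),
                       key=lambda h: h.dst_port):
        print(hole)
```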
H.323 Inspection

This topic describes H.323 inspection and explains how to configure it.

H.323 Overview
- Uses a signaling channel (H.225.0/Q.931)
- Negotiates endpoint capabilities (H.245)
- Opens dynamic media sessions (RTP/RTCP)

H.323 is more complicated than other traditional protocols because it uses two TCP connections and four to six UDP sessions for a single "call." (Only one of the TCP connections goes to a well-known port; all of the other ports are negotiated and are temporary.) Furthermore, the content of the streams is far more difficult for security appliances to understand because H.323 encodes packets using Abstract Syntax Notation One (ASN.1).

The call-signaling function uses H.225 call signaling to establish a connection between two H.323 endpoints. In systems that do not have a gatekeeper, the call-signaling channel is opened between the two endpoints that are involved in the call. In systems that contain a gatekeeper, the call-signaling channel is opened between the endpoints and the gatekeeper or between the endpoints themselves as chosen by the gatekeeper. The Cisco ASA security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.

H.323 Inspection
- Defines ports for H.323 connections (default = 1720)
- Dynamically allocates the negotiated H.245, RTP, and RTCP connections
- Performs NAT on the necessary embedded IP version 4 addresses in the H.225 and H.245 messages
- If disabled, H.323 applications are disallowed

H.323 inspection provides support for H.323-compliant applications such as Cisco Unified Communications Manager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the ITU for multimedia conferences over LANs. The Cisco ASA security appliance supports H.323 version 1 through H.323 version 4 messages.
With H.323 inspection enabled, the security appliance supports multiple calls on the same call-signaling channel, a feature introduced with H.323 version 3. This feature reduces call-setup time and reduces the use of ports on the security appliance.

The two major functions of H.323 inspection are as follows:
- Perform NAT on the necessary embedded IP version 4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in packed encoding rules (PER) format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
- Dynamically allocate the negotiated H.245, RTP, and RTCP connections. The Cisco ASA security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.

The H.245 control function uses the H.245 control channel to carry end-to-end control messages governing operations of the H.323 entity, including capabilities exchange, opening and closing logical channels that carry the audio-video and data information, mode preferences, and so on. The endpoint establishes one H.245 control channel for each call. The endpoints can establish multiple multimedia logical channels using RTP and RTCP. Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP media streams. The H.323 inspection application inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. RTP uses the negotiated port number, and RTCP uses the next-higher port number.

The H.323 control channel handles H.225, H.245, and H.323.
H.323 inspection uses the following ports:
- 1718: Gatekeeper discovery UDP port
- 1719: Registration, Admission, and Status (RAS) UDP port
- 1720: TCP control port

By default, the Cisco ASA security appliance inspects port 1720 connections for H.323 traffic. If there are network devices using ports other than the default ports, you need to use a class map to identify these other traffic flows with their different port numbers.

The following are some of the known issues and limitations of H.323 application inspection:
- Static Port Address Translation (PAT) may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.
- H.323 application inspection is not supported with NAT between same-security-level interfaces.
- When a Microsoft Windows NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that also is registered with the H.323 gatekeeper, the connection is established, but no voice is heard in either direction. This problem is unrelated to the security appliance.
- If you configure a network static address where the network static address is the same as a third-party netmask and address, any outbound H.323 connection fails.
Advanced H.323 Inspection
- Blocks rogue callers by filtering on called and calling phone numbers
- Restricts call duration
- Tracks protocol state
- Blocks H.323 services such as chat and whiteboard while allowing normal audio and video traffic
- Prevents RAS and H.225 packets from arriving out of state
- Drops video or audio
- Controls H.245 tunneling
- Allows calls to be set up from outside endpoints to inside gateways serviced by an HSI

In Layer 7 class maps and policy maps for H.323, you can configure the Cisco ASA security appliance to perform the following actions:
- Block rogue callers by filtering on called and calling phone numbers: You can use regular expressions to define phone numbers. You can then use the regular expressions in policy maps to prevent calls to and from the phone numbers you defined.
- Restrict call duration: You can specify a call duration for H.323 calls, or you can specify that H.323 calls never time out.
- Track protocol state: You can configure the security appliance to check state transitions on H.323.
- Block specific H.323 services while allowing all other H.323 traffic: You can restrict the H.323 services that can be used on your network. For example, you can block chat and whiteboard services by dropping certain control messages but still allow normal audio and video traffic to traverse the security appliance.
- Prevent RAS and H.225 packets from arriving out of state: You can enable strong state checking on RAS and H.225 call setup.
- Drop video or audio traffic: You can allow or disallow video or audio traffic through the security appliance.
- Block H.245 tunneling: You can configure the security appliance to drop the connection and generate a log when it detects H.245 tunneling.
- Allow calls to be set up from outside endpoints to inside gateways serviced by an HSI: The Cisco H.323 Signaling Interface (HSI) interoperates with the Cisco PSTN Gateway 2200 Softswitch to enable calls between the public switched telephone network (PSTN) and the H.323 network. HSI provides translation of signaling protocols for establishing, controlling, and releasing calls.

By using the Firewall > Objects menus, you can configure both Layer 7 class maps and Layer 7 policy maps for H.323. In either a Layer 7 class map or a Layer 7 policy map, you can configure match conditions for called parties, calling parties, or media types.

The following example uses the media type criterion to block chat and whiteboard services by dropping the T.120 control messages but allows normal audio and video traffic to pass through the Cisco ASA security appliance:

    asa1(config)# policy-map type inspect h323 MY_H323_MAP
    asa1(config-pmap)# match media-type data
    asa1(config-pmap-c)# drop
    asa1(config-pmap-c)# exit
    asa1(config-pmap)# exit
    asa1(config)# policy-map global_policy
    asa1(config-pmap)# class inspection_default
    asa1(config-pmap-c)# inspect h323 ras MY_H323_MAP
    asa1(config-pmap-c)# inspect h323 h225 MY_H323_MAP

SIP Inspection

This topic describes SIP inspection and explains how to configure it.

SIP Inspection
- Enables SIP
- Default port = 5060
- Enables the Cisco ASA security appliance to support any SIP VoIP gateways and VoIP proxies
- Signaling mechanism (SIP); multimedia (RTP, RTCP)

SIP is an application layer control protocol used to set up and tear down multimedia sessions. These multimedia sessions include Internet telephony and similar applications. SIP uses RTP for media transport and RTCP for providing a quality of service (QoS) feedback loop.
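This topic goes on to list the checks that advanced SIP inspection can apply to the signaling. The following added example, written for this guide and not Cisco's code (it models the described behaviour, not the appliance's implementation), applies four of those checks to constructed SIP messages: Max-Forwards validation, third-party REGISTER detection by comparing the From and To URIs, masking of the Server, User-Agent, Alert-Info and Call-Info headers, and an INVITE rate limit. The class and function names, the sample messages and addresses, and the "x" mask pattern are all assumptions of the example.

```python
import re
from collections import deque

# Thresholds taken from this topic's own examples.
URI_MAX_LEN = 500        # drop REGISTER URIs longer than 500 characters
INVITE_PER_SECOND = 50   # rate-limit INVITE messages to 50 per second
# Header fields the appliance can mask (version disclosure and URI fetching).
MASKED_HEADERS = ("server", "user-agent", "alert-info", "call-info")

def parse_sip(raw):
    """Split a SIP request into (method, headers, body). Header names are
    lower-cased; repeated headers are kept in order."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]            # "REGISTER sip:... SIP/2.0"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers, body

def uri_of(value):
    """Return the URI in a From/To/Contact value such as 'Bob <sip:bob@x>;tag=1'."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()

def mask_headers(raw):
    """Replace the values of MASKED_HEADERS with x characters of equal length
    (the mask pattern itself is an assumption; the guide only says 'mask')."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in MASKED_HEADERS:
            line = name + ": " + "x" * len(value.strip())
        out.append(line)
    return "\r\n".join(out) + sep + body

class SipInspector:
    def __init__(self, admins=()):
        self.admins = set(admins)    # URIs allowed to register other users
        self.invites = deque()       # arrival times of INVITEs in the last second

    def inspect(self, raw, now):
        """Return ("drop", reason) or ("forward", message with masked headers).
        now is the packet arrival time in seconds."""
        method, h, _ = parse_sip(raw)
        max_forwards = h.get("max-forwards", ["70"])[0]
        if not max_forwards.isdigit() or int(max_forwards) == 0:
            return "drop", "invalid Max-Forwards"
        if method == "REGISTER":
            sender, target = uri_of(h["from"][0]), uri_of(h["to"][0])
            if sender != target and sender not in self.admins:
                return "drop", "third-party registration by non-administrator"
            for name in ("from", "to", "contact"):
                if any(len(uri_of(v)) > URI_MAX_LEN for v in h.get(name, [])):
                    return "drop", "%s URI longer than %d" % (name, URI_MAX_LEN)
        if method == "INVITE":
            self.invites.append(now)
            while self.invites and now - self.invites[0] >= 1.0:
                self.invites.popleft()
            if len(self.invites) > INVITE_PER_SECOND:
                return "drop", "INVITE rate above %d per second" % INVITE_PER_SECOND
        return "forward", mask_headers(raw)

# Constructed sample messages (not captures).
REGISTER_OTHER_USER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@10.1.1.20>\r\n"
    "User-Agent: ConstructedPhone/1.0\r\n"
    "Content-Length: 0\r\n\r\n"
)
INVITE_OK = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=2\r\n"
    "To: <sip:bob@example.com>\r\n"
    "User-Agent: ConstructedPhone/1.0\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    asa = SipInspector()
    print(asa.inspect(REGISTER_OTHER_USER, now=0.0))
    print(asa.inspect(INVITE_OK, now=0.0)[0])
```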
Using SIP, your Cisco ASA security appliance can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the security appliance, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected; although the signaling is sent over a well-known destination port (UDP or TCP 5060), the media streams are dynamically allocated. SIP is a text-based protocol and contains IP addresses throughout the text. With SIP inspection enabled, the security appliance inspects the packets, and both NAT and PAT are supported.

By default, the Cisco ASA security appliance inspects port 5060 connections for SIP traffic. If there are network devices using ports other than the default ports, you need to use a class map to identify these other traffic flows with their different port numbers. The show conn state sip command can be used to display all active SIP connections.

Note: The Cisco ASA security appliance also supports SIP proxies.

Advanced SIP Inspection
- Rate-limit SIP messages
- Block non-RFC-compliant SIP packets
- Prevent blacklisted users from using IM over SIP
- Prevent access to illegal or dangerous URIs
- Prevent exploitation of SIP endpoints or servers
- Disable IM over SIP
- Block unrecognized SIP messages
- Block SIP packets arriving out of state
- Prevent non-RTP traffic from traversing the media pinholes
- Block rogue callers
- Limit SIP traffic to specific domains
- Restrict the content length and type of SIP messages

Advanced SIP inspection enables you to configure the Cisco ASA security appliance to prevent attacks and restrict or deny certain applications. The figure outlines the following capabilities of this feature:
- Rate-limit SIP messages: For example, you can rate-limit invite messages to 100 messages per second. If the number of invite messages exceeds 100 messages per second on an interface, the connection will be dropped.
  This feature can be used to protect internal servers and endpoints from being flooded by invite messages, thereby causing a denial of service (DoS) attack.
- Block non-RFC-compliant SIP packets: The SIP RFC compliance check is only for the syntax rules in RFC 3261. Therefore, if a packet conforms to RFC 2543 but not to RFC 3261, the validation check will fail.
- Prevent blacklisted users from using instant messaging (IM) over SIP.
- Prevent access to illegal or dangerous Uniform Resource Identifiers (URIs): The Alert-Info and Call-Info fields in a SIP message can contain URIs, and the use of these header fields can pose a security risk. If a called party fetches the URIs provided by a malicious caller, the called party may be at risk for displaying inappropriate, dangerous or illegal content. The Alert-Info and Call-Info fields are optional, and their use is discouraged by the RFC. You can use the Mask action to mask the information in them.
- Prevent exploitation of SIP endpoints or servers: The Server and User-Agent header fields contain the version of the server. Revealing the software version can make the server vulnerable to any security attacks that exploit security holes in that software version. These fields are optional, and their use is discouraged by the RFC. You can mask the Server and User-Agent fields.
- Disable IM over SIP: You can disable IM over SIP.
- Block unrecognized SIP messages: You can block non-SIP traffic on the well-known SIP port 5060.
- Block SIP packets arriving out of state: Every SIP packet has to go through a state machine. You can configure the Cisco ASA security appliance to drop any SIP packet that arrives out of state based on RFC 3261.
- Prevent non-RTP traffic from traversing the media pinholes: You can configure the security appliance to drop any RTP packet traversing the media pinholes that does not conform to the RTP protocol. You also can configure the security appliance to require that the payload is audio or video based on the signaling exchange.
- Block rogue callers: For example, you can configure the security appliance to block and log all SIP invite packets from specific SIP endpoints.
- Limit SIP traffic to specific domains: For example, you could limit invite packets with example.com in their To header field to 500 packets per second. The Called Party match criterion is used to identify the called party as specified by the value in the To header field.
- Restrict the content length and type of SIP messages: For example, you can ensure that only SIP packets of Content Type "application/sdp" with a content length less than 500 are allowed through the security appliance.

With advanced SIP inspection, you also can configure the security appliance to do the following:
- Drop SIP packets with invalid max-forwards fields: The max-forwards field in the SIP packet indicates the maximum number of hops the packet can take before it reaches its destination. The field value must not be zero when the security appliance receives the packet. You can configure the security appliance to close the connection and log an error if the max-forwards field is zero.
- Provide privacy to end customers: You can configure the security appliance to enable IP address privacy. This means that even if two endpoints or servers are on the inside network, their real addresses are hidden from each other.
- Block SIP traffic from rogue proxy servers: You can configure the security appliance to drop and log all SIP packets that are sent through two SIP servers.
- Allow only administrators to perform third-party registrations: With SIP, it is possible for a user to register another user with the registrar server.
  You can determine if this has happened by checking the From field header value and the To field header value in the REGISTER message. If the values are different, a user has attempted third-party registration.
- Prevent buffer overflow attacks: For example, you can configure the security appliance to drop all SIP register packets that contain a SIP URI or a non-SIP URI of a length greater than 500 in the From header, To header, or Contact header.

By using the Firewall > Objects menus in Cisco ASDM, you can configure both Layer 7 class maps and Layer 7 policy maps for SIP. In either a Layer 7 class map or a Layer 7 policy map, you can configure match conditions for the following criteria:
- Called party
- Calling party
- Content length
- Content type
- IM subscriber
- Message path
- Request method
- Third-party registration
- URI length

The following example uses the request method criterion to limit INVITE messages to 50 messages per second. If the number of INVITE messages exceeds 50 messages per second on an interface, the connection will be dropped.
This feature can be used to protect internal servers and endpoints from being flooded by INVITE messages that could cause a DoS attack.

    asa1(config)# policy-map type inspect sip MY_SIP_MAP
    asa1(config-pmap)# match request-method invite
    asa1(config-pmap-c)# rate-limit 50
    asa1(config-pmap-c)# exit
    asa1(config-pmap)# exit
    asa1(config)# policy-map global_policy
    asa1(config-pmap)# class inspection_default
    asa1(config-pmap-c)# inspect sip MY_SIP_MAP

SCCP Inspection

This topic describes SCCP inspection and explains how to configure it.

SCCP Inspection
- Supports SCCP used by Cisco IP phones
- Enables SCCP signaling and media packets to traverse the Cisco ASA security appliance (default port 2000)
- Dynamically opens negotiated ports for media sessions
- Can coexist in an H.323 environment

In Cisco PIX Firewall Software Version 6.0 and higher, the security appliance application handling supports SCCP, used by Cisco IP phones for VoIP call signaling. SCCP defines the set of messages that is needed for a Cisco IP phone to communicate with the Cisco Unified Communications Manager for call setup. Cisco IP phones use a randomly selected TCP port to send and receive SCCP messages. Cisco Unified Communications Manager listens for SCCP messages at TCP port 2000. SCCP uses RTP and RTCP for media transmissions. The media ports are randomly selected by the Cisco IP phones.

SCCP inspection enables the Cisco ASA security appliance to dynamically open negotiated ports for media sessions. An application layer ensures that all SCCP signaling and media packets can traverse the security appliance and interoperate with H.323 terminals. SCCP support allows a Cisco IP phone and Cisco Unified Communications Manager to be placed on separate sides of the security appliance. SCCP inspection is enabled by default to listen for SCCP messages on port 2000.
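The next topic lists the actions that advanced Skinny inspection can take on the SCCP signaling described here. As an added example written for this guide, not Cisco's code (a model of the described behaviour, not the appliance's implementation), the following Python parses a constructed SCCP message stream and applies three of those actions: a message-id maximum of 0x200, dropping the message ID range 0x03 to 0x04 that the topic's own configuration example uses, and registration enforcement. The register/register-ack/off-hook message IDs, the phone address and the message bodies are assumptions of the example.

```python
import struct

# SCCP (Skinny) frames a TCP stream as: data length (4 bytes), header version
# (4 bytes), message ID (4 bytes), then the message body; all little-endian.
# The data length counts the message ID plus the body.
SCCP_HEADER = struct.Struct("<III")
# Message IDs used below. 0x01/0x81 are the Skinny register/register-ack
# pair (assumed from the SCCP message set); 0x03 keypad and 0x04 speed dial
# are the IDs this appendix's own configuration example blocks.
REGISTER, REGISTER_ACK = 0x0001, 0x0081
KEYPAD_BUTTON, SPEED_DIAL = 0x0003, 0x0004

def build_sccp(msg_id, body=b""):
    """Encode one SCCP message (used here only to construct sample traffic)."""
    return SCCP_HEADER.pack(4 + len(body), 0, msg_id) + body

def parse_sccp(data):
    """Split a byte string holding whole SCCP messages into (msg_id, body)."""
    msgs, off = [], 0
    while off < len(data):
        if off + SCCP_HEADER.size > len(data):
            raise ValueError("truncated SCCP header at offset %d" % off)
        length, _version, msg_id = SCCP_HEADER.unpack_from(data, off)
        end = off + 8 + length
        if length < 4 or end > len(data):
            raise ValueError("bad SCCP data length %d at offset %d" % (length, off))
        msgs.append((msg_id, data[off + SCCP_HEADER.size:end]))
        off = end
    return msgs

class SkinnyInspector:
    """Model of three advanced Skinny inspection actions: message-id max,
    a dropped message-id range, and registration enforcement."""
    def __init__(self, message_id_max=0x200, drop_range=(KEYPAD_BUTTON, SPEED_DIAL),
                 enforce_registration=True):
        self.message_id_max = message_id_max
        self.drop_range = drop_range
        self.enforce_registration = enforce_registration
        self.registered = set()    # phones whose registration was acknowledged

    def verdict(self, phone, from_phone, msg_id):
        """phone identifies the endpoint; from_phone is True for phone-to-CUCM."""
        if msg_id > self.message_id_max:
            return "drop: unrecognized message ID"
        lo, hi = self.drop_range
        if lo <= msg_id <= hi:
            return "drop: message ID blocked by policy"
        if from_phone:
            if (self.enforce_registration and msg_id != REGISTER
                    and phone not in self.registered):
                return "drop: phone not registered"
        elif msg_id == REGISTER_ACK:
            self.registered.add(phone)
        return "forward"

    def inspect_stream(self, phone, from_phone, data):
        """Return [(msg_id, verdict), ...] for every message in data."""
        return [(msg_id, self.verdict(phone, from_phone, msg_id))
                for msg_id, _body in parse_sccp(data)]

# Constructed traffic: a phone registers, CUCM acknowledges, then the phone
# presses a keypad button, goes off-hook (message ID 0x06 assumed) and
# finally sends an ID above the configured maximum.
PHONE = "10.1.1.50"
PHONE_REGISTER = build_sccp(REGISTER, b"SEP0011223344\x00")
CUCM_ACK = build_sccp(REGISTER_ACK, b"\x3c\x00\x00\x00")
PHONE_CALL = (build_sccp(KEYPAD_BUTTON, b"\x05\x00\x00\x00")
              + build_sccp(0x0006) + build_sccp(0x0300))

if __name__ == "__main__":
    asa = SkinnyInspector()
    for step in (asa.inspect_stream(PHONE, True, PHONE_REGISTER),
                 asa.inspect_stream(PHONE, False, CUCM_ACK),
                 asa.inspect_stream(PHONE, True, PHONE_CALL)):
        print(step)
```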
If there are network devices using ports other than the default ports, you need to identify these other traffic flows with their different port numbers, as specified in the first topic of this lesson.

Advanced Skinny Inspection
- Enforces registration to prevent rogue phone calls
- Specifies the maximum length of the SCCP prefix in Skinny messages
- Restricts services on endpoints
- Prohibits unrecognized Skinny messages
- Improves connection usage efficiency
- Prevents potential misuse of idle media connections

Advanced Skinny inspection enables the Cisco ASA security appliance to do the following:
- Enforce registration to prevent rogue phone calls.
- Prevent buffer overflow attacks by setting the maximum length of the SCCP prefix in Skinny messages.
- Restrict services on endpoints. The security appliance can prohibit certain features and functionalities on endpoints by dropping messages that are related to those features and functionalities.
- Prohibit unrecognized Skinny messages. Using the Message ID criterion to set a maximum Skinny message value can block undefined or unrecognized Skinny messages. For example, if Skinny version x defines messages up to 0x200, you can enter the command message-id max 0x200 to allow these messages. Message IDs greater than 0x200 will be dropped.
- Improve connection usage efficiency. By default, idle TCP Skinny signaling connections time out after one hour. You can configure these connections to time out sooner for more efficient connection usage.
- Prevent potential misuse of idle media connections. By default, media connections from Skinny audio and video calls time out in five minutes.
To use these connections more efficiently and prevent potential misuse, you can configure them to time out sooner.

Configuring Advanced Skinny Inspection

By using the Firewall > Objects menus in Cisco ASDM, you can configure Layer 7 policy maps for SCCP (Skinny). In a Layer 7 policy map, you can configure match conditions for the Station Message ID field in Skinny messages.

The following example uses the message ID criterion to prevent keypad messages from being sent from an endpoint. When applied to a Layer 3/4 policy map and activated, this configuration essentially prevents users from dialing from the phone using a keypad and prevents the use of speed dial. The 0x03 parameter specifies the keypad message, and 0x04 specifies the speed dial message.

asa1(config)# policy-map type inspect skinny MY_SKINNY_MAP
asa1(config-pmap)# match message-id range 0x03 0x04
asa1(config-pmap-c)# drop log

CTIQBE Inspection

This topic describes CTIQBE inspection and explains how to configure it.

* Supports the CTIQBE protocol used by Cisco IP SoftPhones for desktop or laptop PC applications, such as collaboration
* Enables signaling and media packets to traverse the Cisco ASA security appliance (default port 2748)
* Dynamically opens negotiated ports for media sessions
* Support disabled by default

The Telephony Application Programming Interface (TAPI) and Cisco Unified Communications Manager Java TAPI (JTAPI) are used by many Cisco VoIP applications. Cisco PIX Firewall Software Version 6.3 introduced support for a specific protocol, CTIQBE, which is used by the Cisco TAPI service provider to communicate with Cisco Unified Communications Manager. Support for this protocol is disabled by default.
By default, the Cisco ASA security appliance inspects port 2748 connections for CTIQBE traffic. If there are network devices using ports other than the default ports, you need to identify these other traffic flows with their different port numbers.

* Supports NAT, PAT, and bidirectional NAT; this enables Cisco IP SoftPhone and other Cisco TAPI and JTAPI applications to work successfully with Cisco Unified Communications Manager for call setup across the security appliance
* TAPI and JTAPI are used by many Cisco VoIP applications

CTIQBE protocol inspection supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI and JTAPI applications to work successfully with Cisco Unified Communications Manager for call setup across the security appliance. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by the Cisco TAPI service provider (TSP) to communicate with Cisco Unified Communications Manager.

MGCP Inspection

This topic describes MGCP inspection and explains how to configure it.

* MGCP inspection inspects messages passing between call agents and media gateways.
  - Port 2427 (port on which the gateway receives commands)
  - Port 2727 (port on which the call agent receives commands)
* MGCP inspection dynamically opens negotiated ports for media.
* With multiple call agents configured, connections are opened for all of the call agents configured for a particular MGCP gateway group.

Cisco PIX Firewall Software Version 6.3 introduced support for application inspection of MGCP. MGCP is used for controlling media gateways from external call control elements called media gateway controllers or call agents.
A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and the data packets carried over the Internet or over other packet networks. The following are examples of media gateways:

* Trunking gateway: Provides an interface between the telephone network and a VoIP network. Such gateways typically manage a large number of digital circuits.
* Residential gateway: Provides a traditional analog (RJ-11) interface to a VoIP network. Examples of residential gateways include cable modems and cable set-top boxes, DSL devices, and broadband wireless devices.
* Business gateway: Provides a traditional digital PBX interface or an integrated soft PBX interface to a VoIP network.

MGCP messages are transmitted over UDP. To use MGCP, you typically need to configure at least two ports: one on which the gateway receives commands and one on which the call agent receives commands. Normally a call agent will send commands to port 2427, and a gateway will send commands to port 2727. Audio packets are transmitted over an IP network using RTP. MGCP inspection enables the Cisco ASA security appliance to securely open negotiated UDP ports for legitimate media connections through the security appliance.

Advanced MGCP Inspection

* Specifies the maximum number of commands to queue
* Configures groups of gateways and call agents

MGCP messages are transmitted over UDP. When an MGCP gateway sends a command to the call agent, it might not receive a response from the same call agent that the command was sent to. Multiple call agents can be configured. If multiple call agents are configured, connections are opened for all the call agents configured for a particular MGCP gateway (group ID). You can use a Layer 7 MGCP policy map to configure the gateway, call agents, and the size of the command queue.
The Command Queue parameter allows you to configure the maximum number of commands to queue. Valid values are 1 to 2147483647.

Configuring Advanced MGCP Inspection

By using the Firewall > Objects menus in Cisco ASDM, you can configure Layer 7 policy maps for MGCP. In a Layer 7 policy map, you can specify a group of call agents that can manage one or more gateways. Call agents with the same group ID belong to the same group. A call agent can belong to more than one group. By associating a call agent group ID with a gateway, you can specify which group of call agents can manage the gateway. A gateway can only belong to one group.

In the following example, a media gateway and its call agents are specified by configuring a Layer 7 MGCP policy map. Call agents 10.0.1.5 and 10.0.1.7 are assigned to group 101. Gateway 192.168.1.115 is also assigned to group 101; therefore, call agents 10.0.1.5 and 10.0.1.7 can manage gateway 192.168.1.115.

asa1(config)# policy-map type inspect mgcp MY_MGCP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# call-agent 10.0.1.5 101
asa1(config-pmap-p)# call-agent 10.0.1.7 101
asa1(config-pmap-p)# gateway 192.168.1.115 101

Verifying Multimedia Support

This topic explains how to verify your multimedia inspection configuration.

Verifying and Monitoring H.323 Inspection

* Display information for H.225 sessions
  - show h225
* Troubleshoot H.323 inspection engine issues
  - show h225
  - debug h323 h225 event
  - debug h323 h245 event
  - show local-host
* Display information for H.245 sessions
  - show h245

The show h225 command displays information for H.225 sessions established across the Cisco ASA security appliance. Along with the debug h323 h225 event, debug h323 h245 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.
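The call-agent and gateway group rules above, modelled in Python as an added example (not Cisco code): it loads the MY_MGCP_MAP entries from the text, plus a constructed group 102 and gateway 192.168.1.116, to show that a call agent may belong to several groups while a gateway belongs to exactly one, and which agents inspection would open connections for.

```python
from collections import defaultdict
from typing import Dict, List, Set


class MgcpGroupPolicy:
    """Mirror of the call-agent / gateway group rules in an MGCP inspect map."""

    def __init__(self) -> None:
        self.agent_groups: Dict[str, Set[int]] = defaultdict(set)  # agent -> group IDs
        self.gateway_group: Dict[str, int] = {}                    # gateway -> group ID

    def call_agent(self, ip: str, group_id: int) -> None:
        """call-agent <ip> <group>: a call agent may belong to several groups."""
        self.agent_groups[ip].add(group_id)

    def gateway(self, ip: str, group_id: int) -> None:
        """gateway <ip> <group>: a gateway belongs to exactly one group."""
        current = self.gateway_group.get(ip)
        if current is not None and current != group_id:
            raise ValueError(f"gateway {ip} is already in group {current}")
        self.gateway_group[ip] = group_id

    def can_manage(self, agent_ip: str, gateway_ip: str) -> bool:
        """True when the call agent and the gateway share a group ID."""
        gid = self.gateway_group.get(gateway_ip)
        return gid is not None and gid in self.agent_groups.get(agent_ip, set())

    def agents_for_gateway(self, gateway_ip: str) -> List[str]:
        """Call agents for which inspection opens connections to this gateway."""
        gid = self.gateway_group.get(gateway_ip)
        return sorted(a for a, gids in self.agent_groups.items() if gid in gids)


def build_example_policy() -> MgcpGroupPolicy:
    """The text's MY_MGCP_MAP entries plus a constructed second group."""
    policy = MgcpGroupPolicy()
    policy.call_agent("10.0.1.5", 101)       # from the text
    policy.call_agent("10.0.1.7", 101)       # from the text
    policy.gateway("192.168.1.115", 101)     # from the text
    policy.call_agent("10.0.1.7", 102)       # constructed: agent in two groups
    policy.gateway("192.168.1.116", 102)     # constructed gateway
    return policy


def second_group_rejected(policy: MgcpGroupPolicy, gateway_ip: str, group_id: int) -> bool:
    """True if moving the gateway into another group is refused, as the rule requires."""
    try:
        policy.gateway(gateway_ip, group_id)
    except ValueError:
        return True
    return False
```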
Before entering the show h225, show h245, or show h323-ras commands, it is recommended that you configure the pager command. If there are many session records and the pager command is not configured, it can take a while for the show command output to reach its end.

If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values you set. If they are not, there is a problem that needs to be investigated.

The following is sample output from the show h225 command:

hostname# show h225
Total H.323 Calls: 1
1 Concurrent Call(s) for
    Local: 10.130.56.3/1040 Foreign: 172.30.254.203/1720
    1. CRV 9861
    Local: 10.130.56.3/1040 Foreign: 172.30.254.203/1720
0 Concurrent Call(s) for
    Local: 10.130.56.4/1050 Foreign: 172.30.254.205/1720

This output indicates that there is currently one active H.323 call going through the Cisco ASA security appliance between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is one concurrent call between them, with a call reference value (CRV) of 9861 for that call.

For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are no concurrent calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended, but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set "maintainConnection" to TRUE, so the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.

Verifying and Monitoring H.323 Inspection (Cont.)
* Troubleshoot H.323 inspection engine issues
  - debug h323 h245 event
  - debug h323 h225 event
  - show local-host
  - show h245
* Display information for H.323 RAS sessions
  - show h323-ras
* Troubleshoot H.323 RAS inspection engine issues
  - debug h323 ras event
  - show local-host

The show h245 command displays information for H.245 sessions established across the Cisco ASA security appliance by endpoints using slowstart. Slowstart is when the two endpoints of a call open another TCP control channel for H.245. (Faststart is where the H.245 messages are exchanged as part of the H.225 messages on the H.225 control channel.) Along with the debug h323 h245 event, debug h323 h225 event, and show local-host commands, the show h245 command is used for troubleshooting H.323 inspection engine issues.

The following is sample output from the show h245 command:

hostname# show h245
Total: 1
        LOCAL              TPKT  FOREIGN              TPKT
1       10.130.56.3/1041   0     172.30.254.203/1248  0
        MEDIA: LCN 258 Foreign 172.30.254.203 RTP 49608 RTCP 49609
                       Local   10.130.56.3    RTP 49608 RTCP 49609
        MEDIA: LCN 259 Foreign 172.30.254.203 RTP 49606 RTCP 49607
                       Local   10.130.56.3    RTP 49606 RTCP 49607

There is currently one H.245 control session active across the Cisco ASA security appliance. The local endpoint is 10.130.56.3, and the next packet from this endpoint is expected to have a transport protocol data unit packet (TPKT) header because the TPKT value is 0. The TPKT header is a 4-byte header preceding each H.225 and H.245 message. It gives the length of the message, including the 4-byte header. The foreign host endpoint is 172.30.254.203, and the next packet from this endpoint is expected to have a TPKT header because the TPKT value is 0. The media negotiated between these endpoints have a logical channel number (LCN) of 258, with a foreign RTP IP address/port pair of 172.30.254.203/49608 and an RTCP IP address/port pair of 172.30.254.203/49609, and with a local RTP IP address/port pair of 10.130.56.3/49608 and an RTCP port of 49609.
The second media channel has an LCN of 259, with a foreign RTP IP address/port pair of 172.30.254.203/49606 and an RTCP IP address/port pair of 172.30.254.203/49607, and a local RTP IP address/port pair of 10.130.56.3/49606 and an RTCP port of 49607.

The show h323-ras command displays information for H.323 RAS sessions established across the Cisco ASA security appliance between a gatekeeper and its H.323 endpoint. Along with the debug h323 ras event and show local-host commands, this command is used for troubleshooting H.323 RAS inspection engine issues.

The following is sample output from the show h323-ras command:

hostname# show h323-ras
Total: 1
        GK              Caller
        172.30.254.214  10.130.56.14

This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14.

Verifying and Monitoring SIP Inspection

* Troubleshoot SIP inspection engine issues
  - show sip
  - debug sip
  - show local-host
* Display the SIP timeout value
  - show timeout sip

The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp 5060 command. The show sip command displays information for SIP sessions established across the Cisco ASA security appliance. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues. The show timeout sip command displays the timeout value of the designated protocol.

Note    It is recommended that you configure the pager command before entering the show sip command.
If there are a lot of SIP session records, and the pager command is not configured, it takes a while for the show sip command output to reach its end.

The following is sample output from the show sip command:

hostname# show sip
Total: 2
call-id c3943000-960ca-2e43-228f@10.130.56.44
    state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
    state Active, idle 0:00:06

This sample shows two active SIP sessions on the Cisco ASA security appliance (as shown in the Total field). Each call-id represents a call.

The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call Init, which means the session is still in call setup. Call setup is not complete until a final response to the call has been received. For instance, the caller has already sent the INVITE, may have received a 100 Response, but has not yet seen the 200 OK, so the call setup is not complete yet. Any non-1xx response message is considered a final response. This session has been idle for 1 second.

The second session is in the state Active, in which call setup is complete and the endpoints are exchanging media. This session has been idle for 6 seconds.

Verifying and Monitoring SCCP Inspection

* Troubleshoot SCCP (Skinny) inspection engine issues
  - show skinny
  - debug skinny

The show skinny and debug skinny commands assist in troubleshooting SCCP (Skinny) inspection engine issues. The following is sample output from the show skinny command under the following conditions. There are two active Skinny sessions set up across the Cisco ASA security appliance. The first one is established between an internal Cisco IP phone at local address 10.0.0.11 and an external Cisco Unified Communications Manager at 172.18.1.33. TCP port 2000 is the Cisco Unified Communications Manager port.
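An added example (not from the Cisco guide) that parses show sip output in the format shown above and flags sessions still in Call Init beyond an idle threshold, which is how a pile-up of unanswered INVITEs shows up on the appliance; the sample text is constructed from the two sessions on the page plus a third, older Call Init session.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two sessions from the show sip listing above plus a
# third, older Call Init session (constructed call-id) that should be flagged.
SHOW_SIP_OUTPUT = """\
hostname# show sip
Total: 3
call-id c3943000-960ca-2e43-228f@10.130.56.44
    state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
    state Active, idle 0:00:06
call-id 00000000-constructed-0001@10.130.56.46
    state Call init, idle 0:02:15
"""

TOTAL_RE = re.compile(r"^Total:\s+(\d+)", re.MULTILINE)
CALL_ID_RE = re.compile(r"^call-id\s+(\S+)")
STATE_RE = re.compile(r"^\s*state\s+(.+?),\s*idle\s+(\d+):(\d\d):(\d\d)")


@dataclass
class SipSession:
    call_id: str
    state: str            # normalised to lower case: "call init" or "active"
    idle_seconds: int

    @property
    def host(self) -> str:
        """The endpoint address after the '@' in the call-id."""
        return self.call_id.rsplit("@", 1)[-1]


def parse_show_sip(text: str) -> List[SipSession]:
    """Pair each call-id line with the state/idle line that follows it."""
    sessions: List[SipSession] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        m = CALL_ID_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and pending is not None:
            hours, minutes, seconds = (int(x) for x in m.group(2, 3, 4))
            idle = hours * 3600 + minutes * 60 + seconds
            sessions.append(SipSession(pending, m.group(1).strip().lower(), idle))
            pending = None
    return sessions


def total_matches(text: str, sessions: List[SipSession]) -> bool:
    """Sanity check: the Total field should equal the number of records parsed."""
    m = TOTAL_RE.search(text)
    return m is not None and int(m.group(1)) == len(sessions)


def state_counts(sessions: List[SipSession]) -> Dict[str, int]:
    """How many sessions are in each state."""
    counts: Dict[str, int] = {}
    for s in sessions:
        counts[s.state] = counts.get(s.state, 0) + 1
    return counts


def stuck_in_call_init(sessions: List[SipSession], max_idle: int = 60) -> List[SipSession]:
    """Sessions that never saw a final (non-1xx) response and have idled past max_idle."""
    return [s for s in sessions if s.state == "call init" and s.idle_seconds > max_idle]
```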
The second one is established between another internal Cisco IP phone at local address 10.0.0.22 and the same Cisco Unified Communications Manager.

hostname# show skinny
        LOCAL               FOREIGN             STATE
1       10.0.0.11/52238     172.18.1.33/2000    1
  MEDIA 10.0.0.11/22948     172.18.1.22/20798
2       10.0.0.22/52232     172.18.1.33/2000    1
  MEDIA 10.0.0.22/20798     172.18.1.11/22948

The output indicates that a call has been established between two internal Cisco IP phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798, respectively.

The following is sample output from the show xlate debug command for these Skinny connections:

hostname# show xlate debug
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00

Verifying and Monitoring CTIQBE Inspection

* Display debug messages for CTIQBE application inspection
  - debug ctiqbe
* Display information regarding CTIQBE sessions
  - show ctiqbe
* Display the status of CTIQBE connections
  - show conn state ctiqbe
  - show conn state ctiqbe detail

You can use the debug ctiqbe command and several show commands to assist you in troubleshooting CTIQBE issues. The debug ctiqbe command shows debug messages for CTIQBE application inspection.

The show ctiqbe command displays information regarding the CTIQBE sessions established across the Cisco ASA security appliance. It shows information about the media connections allocated by the CTIQBE inspection engine. The following is sample output from the show ctiqbe command under the following conditions.
There is only one active CTIQBE session set up across the security appliance. It is established between an internal computer telephony interface (CTI) device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco Unified Communications Manager at 172.29.1.77, where TCP port 2748 is the Cisco Unified Communications Manager port. The heartbeat interval for the session is 120 seconds.

hostname# show ctiqbe
Total: 1
        LOCAL            FOREIGN           STATE  HEARTBEAT
1       10.0.0.99/1117   172.29.1.77/2748  1      120
  RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 - 1029)
  MEDIA: Device ID 27 Call ID 0
         Foreign 172.29.1.99 (1028 - 1029)
         Local   172.29.1.88 (26822 - 26823)

The CTI device has already registered with the Cisco Unified Communications Manager. The device internal address and RTP listening port are translated using PAT to 172.29.1.99 UDP port 1028. Its RTCP listening port is translated by PAT to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external Cisco Unified Communications Manager and the CTI device address and ports are translated by PAT to that external interface. This line does not appear if the Cisco Unified Communications Manager is located on an internal interface, or if the internal CTI device address and ports are translated to the same external interface that is used by the Cisco Unified Communications Manager.

The output indicates that a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone is located on the same interface as the Cisco Unified Communications Manager, because the security appliance does not maintain a CTIQBE session record associated with the second phone and Cisco Unified Communications Manager.
The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.

The following is sample output from the show xlate debug command for these connections:

hostname# show xlate debug
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.0.0.99/1117 to outside:172.29.1.99/1025 flags ri idle 0:00:22 timeout 0:00:30
UDP PAT from inside:10.0.0.99/16908 to outside:172.29.1.99/1028 flags ri idle 0:00:00 timeout 0:04:10
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 timeout 0:04:10

The show conn state ctiqbe command displays the status of CTIQBE connections. In the output, a "C" flag denotes the media connections allocated by the CTIQBE inspection engine. The following is sample output from the show conn state ctiqbe command:

hostname# show conn state ctiqbe
1 in use, 10 most used
hostname# show conn state ctiqbe detail
1 in use, 10 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, k - Skinny media, M - SMTP data,
       m - SIP media, O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN, R - UDP RPC,
       r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up

Verifying and Monitoring MGCP Inspection
* Display detailed information about MGCP application inspection
  - debug mgcp
* List the number of MGCP commands in the command queue
  - show mgcp commands
  - show mgcp commands detail
* List the number of existing MGCP sessions
  - show mgcp sessions
  - show mgcp sessions detail

You can use the debug mgcp command and several show commands to assist you in troubleshooting MGCP issues. The debug mgcp command displays detailed information about MGCP application inspection.

The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail keyword includes additional information about each command (or session) in the output.

The following is sample output from the show mgcp commands command:

hostname# show mgcp commands
1 in use, 1 most used, 200 maximum allowed
CRCX, gateway IP: host-pc-2, transaction ID: 2052, idle 0:00:07

The following is sample output from the show mgcp commands detail command:

hostname# show mgcp commands detail
1 in use, 1 most used, 200 maximum allowed
CRCX, idle: 0:00:10
    Gateway IP      host-pc-2
    Transaction ID  2052
    Endpoint name   aaln/1
    Call ID         9876543210abcdef
    Connection ID
    Media IP        192.168.5.7
    Media port      6058

The following is sample output from the show mgcp sessions command:

hostname# show mgcp sessions
1 in use, 1 most used
Gateway IP host-pc-2, connection ID 6789af54c9, active 0:00:11

The following is sample output from the show mgcp sessions detail command:

hostname# show mgcp sessions detail
1 in use, 1 most used
Session active 0:00:14
    Gateway IP      host-pc-2
    Call ID         9876543210abcdef
    Connection ID   6789af54c9
    Endpoint name   aaln/1
    Media lcl port  6165
    Media rmt IP    192.168.5.7
    Media rmt port  6058

Summary

This topic summarizes the key points that were discussed in this appendix.
* The Cisco ASA security appliance dynamically opens and closes UDP ports for secure multimedia connections.
* The security appliance supports multimedia with or without NAT.
* The security appliance handles such multimedia protocols as RTSP, RTP, SCCP, SIP, MGCP, and H.323.

Appendix 2

Using Cisco ASA Multicast

Overview

This appendix explains the multicast capabilities of the Cisco ASA adaptive security appliance. It begins with a look at the differences between Internet Group Management Protocol (IGMP) and Protocol Independent Multicast (PIM) sparse mode. Then it explains how to configure IGMP, PIM, and multicast static routes. Finally, it explains various commands to verify and to aid troubleshooting the multicast configuration of the security appliance.

Objectives

This appendix includes these components:

* Differences between IGMP and PIM-SM
* Configure the security appliance for IGMP using Cisco ASDM
* Configure the security appliance for PIM using Cisco ASDM
* Appropriate commands to verify and troubleshoot the multicast configuration of the appliance

Multicast

This topic describes the differences between IGMP and PIM.

What Is Multicast?

* Multicast is a protocol for sending IP datagram packets from one source to interested receivers.
* It is different from other one-to-many protocols like broadcast because receivers must have multicast enabled to receive the stream.
* An IP datagram is transmitted to a set of hosts identified by a single IP destination address or multicast address.
* A reserved block of IP addresses is used for multicast: 224.0.0.0/4 or 224.0.0.0 to 239.255.255.255.

IP multicasting is a bandwidth-conserving technology that reduces traffic by delivering a single stream of information from a single source to multiple recipients simultaneously. Some applications that take advantage of multicasting include Cisco TelePresence,
videoconferencing, corporate communications, distance learning, distribution of software, stock quotes, and news feeds.

Unlike broadcast, which floods the network for all hosts to receive, hosts that wish to receive multicasts must enable it by joining a multicast host group, and routers that forward IP multicast datagrams must know which hosts belong to which group.

IP multicasting is actually the transmission of an IP datagram to a "host group," a set of hosts identified by a single IP destination address. In order for this to work, hosts that wish to receive multicasts must "tune in" to the multicast by joining a multicast host group, and routers that forward multicast datagrams must know which hosts belong to which group. Routers discover this information by sending IGMP query messages through their attached local networks. Host members of a multicast group respond to the query by sending IGMP reports noting the multicast group to which they belong. If a host is removed from a multicast group, it sends a "leave" message to the multicast router.

The transmission of the IP datagram packets is actually sent to a single IP address that is assigned to a multicast group. This IP address is used by all members of the group to receive the multicast transmission. These destination IP addresses fall within a reserved block of addresses that are only for multicast. This block of reserved addresses is 224.0.0.0/4 or 224.0.0.0 to 239.255.255.255.

IGMP vs. PIM
* IGMP is used within the local network to register IP multicast-enabled hosts into groups so that adjacent routers can better facilitate multicast.
* PIM is used for passing multicast within routing domains and relies on the IP routing table or multicast routing table to determine the path to take to a multicast-enabled host.
* PIM enables the IP multicast traffic to cross a WAN, while IGMP delivers IP multicast traffic to hosts within a LAN.

Routers discover which clients want to join a multicast group by sending IGMP query messages through their attached local networks. Host members of a multicast group respond to the query by sending IGMP reports noting the multicast group to which they belong. If a host is removed from a multicast group, it sends a "leave" message to the multicast router.

In PIM sparse mode, each data stream goes to a relatively small number of segments in the campus or WAN. Instead of flooding the network to determine the status of multicast members, PIM sparse mode defines a rendezvous point. The rendezvous point keeps track of multicast groups that were established by IGMP. When a user wants to send data, the user first sends to the rendezvous point. When a user wants to receive data, the user registers with the rendezvous point through IGMP. After the data stream begins to flow from sender to rendezvous point to receiver, the routers in the path will optimize the path automatically to remove any unnecessary hops. PIM sparse mode assumes that no hosts want the multicast traffic unless they specifically ask for it. Sparse mode begins with an empty distribution tree and adds branches only as the result of explicit requests to join the distribution. PIM sparse mode is optimized for environments in which there are many multipoint data streams.
PIM sparse mode is most useful in the following situations:

* When there are few receivers in a group
* When the type of traffic is intermittent

PIM and IGMP differ in what they offer for multicast sender and receiver. PIM is the protocol used to send multicast over a WAN using multicast routing or unicast routing information. Once the multicast traffic reaches a rendezvous point (RP), IGMP-enabled routers send the traffic to the clients that have registered to receive it.

Cisco ASA Multicast Features

* It can perform IGMP functions, but it is basically a proxy for IGMP receivers to neighboring IGMP-enabled routers.
* It can perform PIM-SM and bidirectional PIM, in which the PIM-receiving interface becomes the rendezvous point.

In Cisco PIX Firewall Software Version 6.2 and later and Cisco ASA and PIX Security Appliance Software Version 7.0 and later, stub multicast routing (SMR) is supported through static multicast routes, which enables the Cisco ASA security appliance to pass multicast traffic. This feature is necessary when hosts that need to receive multicast transmissions are separated from the multicast router by a security appliance. With SMR, the security appliance acts as an IGMP proxy agent. It forwards IGMP messages from hosts to the upstream multicast router, which takes responsibility for forwarding multicast datagrams from one multicast group to all of the other networks that have members in the group.
The Cisco ASA security appliance can be configured for PIM sparse mode (PIM-SM) or bidirectional PIM. When it is configured for PIM sparse mode, the security appliance will use the underlying unicast routing information, or it will use multicast static routes if defined, to forward the IP datagram packet on through the multicast path. This process is unidirectional with no consideration given to returning client connections. In bidirectional PIM, the security appliance participates in building bidirectional paths between both sender and receiver. This enables a design that can be used for many-to-many applications within individual PIM domains. Multicast groups in bidirectional mode can scale to an arbitrary number of sources without incurring overhead due to the number of sources.

The Cisco ASA security appliance supports both stub multicast routing and PIM multicast routing. However, you cannot configure both concurrently on a single security appliance.

Enabling Multicast

Before multicast can be configured on the Cisco ASA security appliance, it must be enabled. To enable multicast routing on the security appliance, complete the following steps:

Step 1  Click Configuration in the Cisco Adaptive Security Device Manager (ASDM) toolbar.
Step 2  Choose Device Setup from the navigation pane.
Step 3  Choose Routing from the menu pane.
Step 4  Choose Multicast from the Routing submenu. The Enable Multicast pane is displayed.
Step 5  Check the Enable Multicast routing check box.
Step 6  Click Apply. The multicast-routing command is sent to the security appliance, enabling multicast routing.

IGMP

This topic describes the steps necessary to configure IGMP on the Cisco ASA security appliance.

IGMP Access Group

IP hosts use IGMP to report their group memberships to local multicast routers.
Access groups control the multicast groups that are allowed on an interface of the Cisco ASA security appliance.

To configure IGMP on the security appliance, complete these steps:

Step 1  Choose Access Group from the IGMP section of the Multicast menu pane. The Access Group pane is displayed.
Step 2  Click the Add button to add an access group. The Add Access Group window appears.
Step 3  Choose the interface name from the drop-down list to allow this access group. In this example, the "outside" interface is chosen because access is being allowed to the 225.1.1.2 multicast group.
Step 4  Choose the action from the drop-down list. This action defines whether the access group is permitted or denied. In this example, the access group is permitted.
Step 5  Enter the multicast IP address in the Multicast Group field. In this example, the multicast group of 225.1.1.2 is entered.
Step 6  Choose the network mask for the multicast group in the Netmask drop-down list. In this example, a network mask for a single host, 255.255.255.255, is chosen.
Step 7  Click OK.

IGMP Protocol Configuration

The Protocol pane displays the IGMP configuration parameters for each interface on the Cisco ASA security appliance.

Step 8  Choose Protocol from the IGMP section of the menu pane. The Protocol pane is displayed.
Step 9  Choose the interface to configure and click the Edit button. The Configure IGMP Parameters window appears.
Step 10  Check the Enable IGMP check box to enable IGMP on the interface. When you enable multicast routing on the security appliance, IGMP is enabled on the interfaces by default; in this example, the check box is left unchanged.
Step 11  (Optional) Choose the version of IGMP to be enabled on the interface from the Version drop-down list. Choosing 1 enables IGMP version 1. Choosing 2 enables IGMP version 2 (IGMPv2).
By default, the security appliance uses IGMPv2.
Step 12  (Optional) Enter the interval in the Query Interval field at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.
Step 13  (Optional) Enter the period of time in the Query Timeout field that the security appliance waits before taking over querying after the previous querier has stopped. Valid values range from 60 to 300 seconds. The default value is 255 seconds.
Step 14  (Optional) Enter the maximum response time in the Response Time field that is advertised in IGMP queries. If the Cisco ASA security appliance does not receive any host reports within the designated response time, the IGMP group is pruned (removed). Decreasing this value lets the security appliance prune groups faster. Valid values range from 1 to 12 seconds. The default value is 10 seconds. Changing this value is valid only for IGMPv2.
Step 15  (Optional) Enter the maximum number of hosts that can join a multicast group from the interface in the Group Limit field. Valid values range from 1 to 500. The default value is 500.
Step 16  Choose the name of an interface to forward IGMP host reports from the Forward Interface drop-down list. Choose "none" to disable host report forwarding. By default, host reports are not forwarded. In this example, the Cisco ASA security appliance is enabled as an IGMP proxy and forwards reports out the outside interface.

IGMP Static Group

[Figure: IGMP Static Group]

Multicast hosts are sometimes prevented from answering multicast queries because of network configurations. One way to allow query reports from a host behind the Cisco ASA security appliance is to enable static groups as part of the multicast configuration. When static groups are configured, the security appliance proxies the multicast reports from the host to the IGMP router.

Step 17  Choose the Static Group option from the Multicast section of the menu pane. The Static Group pane is displayed.
Step 18  Click the Add button to add a static group to the security appliance.
Step 19  Choose the interface name from the drop-down list. In this example, the outside interface is chosen.
Step 20  Enter the IP address of the multicast group in the Multicast Group Address field.
Step 21  Click OK.

IGMP Join Group

[Figure: IGMP Join Group]

Another way to handle a multicast client that cannot answer queries is to configure a join group on the Cisco ASA security appliance. It allows the security appliance to act for a client that may not be able to respond through IGMP but still requires reception. With a join group, the interface on the security appliance becomes a member of the group to facilitate IGMP queries.

Step 22  Choose Join Group from the IGMP section of the menu pane. The Join Group pane is displayed.
Step 23  Choose the interface name from the drop-down list for the interface that will be added to the multicast group membership. In this example, the "inside" interface is chosen.
Step 24  Enter the IP address of the multicast group in the Multicast Group Address field. In this example, the IP address 225.1.1.20 is entered.
Step 25  Click OK.
Step 26  Click Apply.

In most configurations, a multicast group on the security appliance would be configured for a static group or a join group, but not both. However, for the purpose of explanation, a join group is added to the configuration.

IGMP Commands

[Figure: IGMP Commands]

In the figure, the Cisco ASA security appliance is configured for IGMP multicast. IGMP is explicitly enabled on interface GigabitEthernet0/0 and GigabitEthernet0/1. Interface GigabitEthernet0/0 has a static multicast group assigned to it, and the multicast group 225.1.1.2 is permitted.
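The CLI equivalent of the IGMP procedure above (Steps 1 through 26 plus the multicast-routing command from Enabling Multicast), written as an added example rather than reproduced from the course figure. It assumes that GigabitEthernet0/0 is the "outside" interface and GigabitEthernet0/1 the "inside" interface, that the access list is named igmp_outside, and that the static group on the outside interface is 225.1.1.2 (the group the figure text says is permitted on that interface); the IGMP timer and limit values are the defaults stated in the steps.

```cisco
! Added example (not the course's own figure): ASA CLI for the IGMP
! configuration built in Steps 1-26. Assumed names: outside = Gi0/0,
! inside = Gi0/1, ACL igmp_outside, static group 225.1.1.2.
!
! Enabling Multicast, Step 6: the single global command; IGMP and PIM
! are then on for every interface until disabled per interface
multicast-routing
!
! Steps 1-7: standard ACL listing the groups the outside interface may
! receive; only 225.1.1.2 is permitted, everything else is dropped
access-list igmp_outside standard permit host 225.1.1.2
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 igmp
 igmp access-group igmp_outside
 ! Steps 17-21: static group, the appliance reports membership for a
 ! host that cannot answer queries itself (group address assumed)
 igmp static-group 225.1.1.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 igmp
 ! Steps 11-15: per-interface IGMP parameters, shown at their defaults
 igmp version 2
 igmp query-interval 125
 igmp query-timeout 255
 igmp query-max-response-time 10
 igmp limit 500
 ! Step 16: act as IGMP proxy, relaying inside host reports out of outside
 igmp forward interface outside
 ! Steps 22-26: join group, the inside interface itself becomes a member
 igmp join-group 225.1.1.20
```

The access group is the control point a reviewer should look at first: without it the interface accepts reports for any group, so the ACL is what keeps the permitted multicast set explicit. After applying, show igmp interface and show igmp group detail (covered under Verify and Troubleshoot below) confirm which interfaces have IGMP on and which groups are joined.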
GigabitEthernet0/1 is actively participating in IGMP because it has a join group assigned to it.

PIM

This topic describes the steps necessary to configure PIM on the Cisco ASA security appliance.

PIM Protocol

[Figure: PIM Protocol]

Routers use PIM to maintain forwarding tables for forwarding multicast datagrams.

To configure PIM on the security appliance, complete the following steps:

Step 1  Choose Protocol from the PIM section of the Multicast option in the menu pane. The Configure PIM Parameters pane is displayed.
Step 2  Choose the specific interface within the pane and click the Edit button. The Edit PIM Protocol window appears.
Step 3  Uncheck the Enable PIM check box to disable PIM on the chosen interface. When you enable multicast routing on the security appliance, PIM is enabled on all interfaces by default. You can disable PIM on a per-interface basis. In this example, PIM is disabled on the partner_dmz interface. What is not shown in this example is that the administrator has disabled PIM on all DMZ interfaces and on the Management interface.
Step 4  (Optional) Choose the DR Priority for this interface; this sets the designated router priority. The router with the highest DR priority on the subnet becomes the designated router. Valid values range from 0 to 4294967294. The default DR priority is 1. Setting this value to 0 makes the security appliance interface ineligible to become the designated router.
Step 5  (Optional) Enter the frequency for PIM hello messages in the Hello Interval field. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.
Step 6  (Optional) Enter the frequency for PIM join and prune advertisements in the Join Prune Interval field. Valid values range from 10 to 600 seconds. The default value is 60 seconds.
Step 7  Click OK.
When you configure PIM, you must choose one or more routers to operate as the rendezvous point (RP). First-hop routers use the RP to send register packets on behalf of the source multicast hosts. You can configure a single RP to serve more than one group, and you can configure more than one RP. However, you cannot have more than one entry with the same RP.

Step 8  Choose Rendezvous Point from the PIM section of the Multicast option of the menu pane. The Rendezvous Point pane is displayed.
Step 9  (Optional) Check the Generate IOS compatible register messages check box if your RP is a Cisco IOS router. By default, rather than use the Cisco IOS software method, the Cisco ASA security appliance software accepts register messages with the checksum on the PIM header and only the next 4 bytes. By checking this check box, the security appliance accepts register messages with the checksum on the entire PIM message for all PIM message types. In this example, the check box is checked because there is a Cisco IOS router upstream.
Step 10  Click the Add button. The Add Rendezvous Point window appears.
Step 11  Enter the IP address of the RP in the Rendezvous Point IP Address field. This is the unicast address of the RP. In this example, the IP address of the outside interface, 192.168.1.2, is entered.
Step 12  (Optional) Check the Use bi-directional forwarding check box if you want the specified multicast groups to operate in bidirectional mode. Uncheck this check box if you want the specified multicast groups to operate in sparse mode. In this example, the RP is configured for sparse mode.
Note  The Cisco ASA security appliance always advertises the bidirectional capability in the PIM hello messages regardless of the actual bidirectional configuration.

Step 13  Choose the Use this RP for All Multicast Groups option to use the specified RP for all multicast groups on the interface. In the example, this option is chosen.
Step 14  Choose the Use this RP for the Multicast Groups as specified below option to designate the multicast groups to use with the specified RP. This option allows you to specify which multicast groups the RP is used for.
Step 15  Click OK.

When the Cisco ASA security appliance is acting as an RP, you can restrict specific sources from registering with the multicast group. This prevents unauthorized sources from registering with the RP.

Step 16  Choose Request Filters from the PIM section of the Multicast option of the menu pane. The Request Filters pane is displayed.
Step 17  Click the Add button to add a request filter. The Request Filter Entry window is displayed.
Step 18  Choose the action from the drop-down list to create a rule that allows or denies the specified source of the specified multicast traffic to register with the security appliance. The available options are permit and deny. In this example, deny is chosen.
Step 19  Enter the source IP address for the source of the register message. In this example, the IP address 172.16.1.100 is entered because this is the IP address of the rogue multicast server.
Step 20  Enter or choose the network mask from the Source Netmask drop-down list for the source of the register message. In this example, the mask 255.255.255.255 is chosen.
Step 21  Enter the multicast destination address in the Destination IP Address field.
In this example, the destination IP address 225.1.1.20 is entered.
Step 22  Enter or choose the network mask in the Destination Netmask field for the multicast destination.
Step 23  Click OK.
Step 24  Click Apply.

PIM Commands

[Figure: PIM Commands]

The figure shows the commands sent to the Cisco ASA security appliance based on the PIM configuration. PIM is disabled on interface GigabitEthernet0/2.30 because these interfaces are for DMZ connections and will not have multicast enabled. An access list denies PIM connections from 172.16.1.100 to 225.1.1.20. The access list also has an access control entry (ACE) "permit pim any any" to allow authorized PIM traffic. Lastly, a PIM RP is defined for the IP address of the outside interface, 192.168.1.2.

Static Multicast Routing

This topic describes the steps necessary to configure static multicast routing.

Multicast Routing

[Figure: Multicast Routing]
- Allows independence from unicast routes.
- The Cisco ASA security appliance supports static multicast routes.
- Defining a multicast route allows specific paths for multicast traffic.

The Cisco ASA security appliance has the ability to perform multicast routing for multicast clients that would not otherwise be able to receive multicast queries or send multicast reports. The security appliance supports only static multicast routes. If no multicast routing information is available, routers use the unicast routing information to forward IP datagrams along the path. With static multicast routes, the routers can choose the multicast paths independent of the unicast routing information. The security appliance participates in multicast routing passively because its static multicast routes are local to the security appliance and are not advertised or redistributed.
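The PIM procedure (Steps 1 through 24 above) expressed as ASA CLI, written here as an added example and not copied from the course's PIM Commands figure. It assumes the DMZ subinterface is GigabitEthernet0/2.30 with VLAN 30 and nameif partner_dmz, that the outside interface is GigabitEthernet0/0 with address 192.168.1.2/24, and that the register filter access list is named pim_register_filter; the security levels are assumed as well.

```cisco
! Added example (not the course's own figure): ASA CLI for the PIM
! configuration built in Steps 1-24. Assumed names and values:
! partner_dmz = Gi0/2.30 (VLAN 30), outside = Gi0/0 with 192.168.1.2/24,
! ACL pim_register_filter.
multicast-routing
!
! Step 9: checksum register messages over the whole PIM message, the
! form a Cisco IOS router upstream produces
pim old-register-checksum
!
! Step 3: PIM is on everywhere once multicast routing is enabled, so it
! is switched off explicitly on the DMZ interface that carries no multicast
interface GigabitEthernet0/2.30
 vlan 30
 nameif partner_dmz
 security-level 50
 no pim
!
! Steps 4-6: DR priority and PIM timers on the outside interface (defaults)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
 pim dr-priority 1
 pim hello-interval 30
 pim join-prune-interval 60
!
! Steps 16-24: register filter applied while this appliance is the RP.
! The deny ACE stops the rogue source 172.16.1.100 from registering
! 225.1.1.20; the trailing permit keeps every legitimate source working.
access-list pim_register_filter extended deny pim host 172.16.1.100 host 225.1.1.20
access-list pim_register_filter extended permit pim any any
pim accept-register list pim_register_filter
!
! Steps 8-15: the outside interface address is the RP for all groups in
! sparse mode; appending the bidir keyword would select bidirectional PIM
pim rp-address 192.168.1.2
```

Order matters in the filter: the specific deny must precede the blanket permit, otherwise the rogue source registers before its deny entry is ever evaluated. Because the appliance advertises bidirectional capability in its hellos regardless of configuration (see the Note above), confirm the mode actually in use with show pim group-map rather than from neighbor hellos.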
To configure the Cisco ASA security appliance with static multicast routes, complete the following steps:

Step 1  Choose MRoute from the Multicast options of the menu pane. The MRoute pane is displayed.
Step 2  Click the Add button. The Add Multicast Route window appears.
Step 3  Enter the IP address of the multicast source in the Source Address field. In this example, the network address 10.0.1.0 is entered.
Step 4  Enter or choose the network mask in the Source Mask field for the IP address of the multicast source. In this example, the network mask 255.255.255.0 is entered.
Step 5  Choose the incoming interface from the Source Interface drop-down list for the multicast route.
Step 6  (Optional) Choose the outgoing interface from the Destination Interface drop-down list for the multicast route. If you specify the destination interface, the route is forwarded through the chosen interface. If you do not choose a destination interface, Reverse Path Forwarding (RPF) is used to forward the route.
Step 7  (Optional) Enter the administrative distance for the static multicast route. If the static multicast route has the same administrative distance as the unicast route, the static multicast route takes precedence.
Step 8  Click OK.
Step 9  Click Apply.

Multicast Static Route Command

[Figure: Multicast Static Route Command]

The figure shows the command sent to the Cisco ASA security appliance to configure a static multicast route from the 10.0.1.0 network going out the outside interface.

Verify and Troubleshoot

This topic describes the steps necessary to verify and troubleshoot the multicast configuration on the Cisco ASA security appliance.
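The static multicast route from Steps 1 through 9 above as ASA CLI, given as an added example rather than the course's own figure. The course names only the 10.0.1.0/24 source network and the outside destination interface; the incoming interface ("inside") and the administrative distance of 0 are assumptions for this example.

```cisco
! Added example (not the course's own figure): the static multicast route
! built in Steps 1-9. Assumed: the 10.0.1.0/24 source network sits behind
! the inside interface; administrative distance 0.
multicast-routing
!
! mroute <source> <mask> <incoming interface> [dense <outgoing interface>] [distance]
!
! Step 6 with a destination interface: traffic from 10.0.1.0/24 arriving on
! inside is forwarded out of outside regardless of the unicast routing table
mroute 10.0.1.0 255.255.255.0 inside dense outside 0
!
! Step 6 without a destination interface: the same source route, but the
! outgoing interface is chosen by Reverse Path Forwarding (RPF) instead
! (alternative form, not used together with the entry above)
! mroute 10.0.1.0 255.255.255.0 inside
```

Keep the distance equal to or lower than the unicast route's so the static multicast path is the one used (Step 7). Because these routes are local and never advertised, a mismatch between the mroute and the neighbors' view of the topology shows up only in show mroute and show mrib route on the appliance itself.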
Verify IGMP Configuration

[Figure: Verify IGMP Configuration]
show igmp group [detail | summary]
- Displays IGMP group details
show igmp interface
- Displays interface-specific information about IGMP
show igmp traffic
- Displays traffic-specific information about IGMP

The following commands can be used to verify the current IGMP configuration:
- show igmp group detail: Displays a detailed list of the multicast groups with receivers that are directly connected to the security appliance and that were learned through IGMP
- show igmp group summary: Displays a summary of the multicast groups with receivers that are directly connected to the security appliance and that were learned through IGMP
- show igmp interface: Displays IGMP information for all interfaces
- show igmp traffic: Displays IGMP traffic statistics

Troubleshoot IGMP Configuration

[Figure: Troubleshoot IGMP Configuration]
debug igmp group group_id
- Displays debug information about an IGMP group
debug igmp interface interface
- Displays debug information about an IGMP interface

The following commands can be used to troubleshoot the current IGMP configuration:
- debug igmp group: Displays debug information about an IGMP group
- debug igmp interface: Displays debug information about an IGMP-configured interface

Verify PIM Configuration

[Figure: Verify PIM Configuration]
show pim group-map
- Displays PIM group-to-protocol mapping information
show pim interface
- Displays interface-specific information for PIM
show pim topology
- Displays PIM topology table information
show pim traffic
- Displays PIM traffic counters

The following commands can be used to verify the current PIM configuration:
- show pim group-map: Displays group-to-protocol mapping information for PIM
- show pim interface: Displays interface-specific information for PIM
- show pim topology: Displays the PIM topology table of the Cisco ASA security appliance
- show pim traffic: Displays PIM traffic counters
Troubleshoot PIM Configuration

[Figure: Troubleshoot PIM Configuration]
debug pim rp
- Displays debug information about PIM RP
debug pim interface
- Displays debug information about PIM interfaces
debug pim group
- Displays debug information about PIM groups

The following commands can be used to troubleshoot the current PIM configuration:
- debug pim rp: Displays debug information about a PIM RP
- debug pim interface: Displays debug information about a PIM-configured interface
- debug pim group: Displays debug information for the specified PIM group

Verify and Troubleshoot Multicast Routing Configuration

[Figure: Verify and Troubleshoot Multicast Routing Configuration]
show mrib [client | route | route summary]
- Displays the Multicast Routing Information Base (MRIB)
show mroute
- Displays multicast routes
debug mfib
- Enables debugging for the Multicast Forwarding Information Base (MFIB)
debug mrib
- Enables debugging for the MRIB

The following commands can be used to verify or troubleshoot the current multicast routing configuration:
- show mrib client: Displays information about the Multicast Routing Information Base (MRIB) client connections
- show mrib route: Displays entries in the MRIB table
- show mrib route summary: Displays a summary of the MRIB table entries
- show mroute: Displays multicast routes
- debug mfib: Enables or disables debugging for the Multicast Forwarding Information Base (MFIB)
- debug mrib: Enables or disables debugging for the MRIB

Each of the debug commands listed in this section can be removed by using its no form.

Summary

This topic summarizes the key points that were discussed in this appendix.

Summary
- The Cisco ASA adaptive security appliance has IGMP and PIM multicast functionalities.
- IGMP multicast allows clients that want to receive a multicast stream to send a report to a local router, while PIM is used to route multicast from a source to its receivers.
- When the security appliance is configured for IGMP, it acts like a proxy for multicast receiving clients located behind it.
- When the security appliance is configured for PIM, it participates passively in building paths to multicast clients and can have an interface configured as an RP for clients that are prevented from reporting to the RP.
- The show igmp and show pim commands allow for verification of the security appliance configuration, while the debug igmp and debug pim commands allow for troubleshooting of the configuration.
