AL; Reviewed: SPOC 1/15/2009

Solution & Interoperability Test Lab Application Notes ©2009 Avaya Inc. All Rights Reserved.

1 of 15 ASA-SIP-Stn

Avaya Solution & Interoperability Test Lab

Sample Configuration for Cisco Adaptive Security Appliance 5520 to interoperate with Avaya SIP IP Telephones using Network Address Translation – Issue 1.0

Abstract

These Application Notes describe the steps for configuring the Cisco Adaptive Security Appliance (ASA) 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones using Network Address Translation (NAT). The SIP Application Inspection functionality enabled on the ASA 5520 manages the dynamic opening and closing of the UDP ports needed by media traffic.

1. Introduction

These Application Notes describe a sample configuration of the Cisco ASA 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones registering with Avaya SIP Enablement Server (SES). The ASA 5520 serves as a consolidated platform for VPN gateway and firewall. These Application Notes focus on the SIP support of the firewall functionality.

2. Overview

The Cisco ASA 5520 is a firewall device capable of supporting a comprehensive set of security features such as firewalling, SSL/IPsec VPN termination, and intrusion prevention. The ASA 5520 shown in Figure 1 is configured as a firewall to interoperate with Avaya SIP Enablement Server (SES) and Avaya SIP IP Telephones. The SIP Application Inspection feature of the ASA 5520 dynamically opens and closes the UDP ports needed for media traffic. In addition, Network Address Translation is deployed to hide the actual internal IP addresses from the untrusted network. Both Static and Dynamic NAT methods are employed in the sample network. Avaya SES and the download server are statically NATed, while media traffic to and from Avaya IP Telephones is dynamically NATed to a pool of IP addresses belonging to the Untrusted IP network.
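The following Python model is an added illustration of what the SIP Application Inspection described above has to do for one INVITE; it is not part of these Application Notes and not Cisco's inspection code. The INVITE and its SDP body are constructed: 172.28.10.50 is a made-up endpoint on the trusted 172.28.10.0/24 network, 172.29.99.41 is the first address of the dynamic NAT pool from Section 5, and the extensions, tags, Call-ID and RTP port 2048 are sample values. The model rewrites the inside address embedded in the signaling and SDP, derives the UDP pinholes the media needs, and checks that no trusted-side address is left visible.

```python
import re

# Constructed SIP INVITE from an inside endpoint (172.28.10.50 is a made-up
# host on the trusted 172.28.10.0/24 network; extensions, tags and the RTP
# port are sample values).
SDP_BODY = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 172.28.10.50\r\n"
    "s=-\r\n"
    "c=IN IP4 172.28.10.50\r\n"
    "t=0 0\r\n"
    "m=audio 2048 RTP/AVP 0 8\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:11002@interop.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 172.28.10.50:5060;branch=z9hG4bKsample\r\n"
    "From: <sip:11001@interop.com>;tag=1a2b\r\n"
    "To: <sip:11002@interop.com>\r\n"
    "Call-ID: sample-call@172.28.10.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:11001@172.28.10.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

# Headers that carry the sender's own address and therefore must be rewritten.
ADDRESS_HEADERS = ("via", "contact", "call-id")


def split_message(msg):
    """Split a SIP message into its header lines and its body."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def media_pinholes(msg):
    """Return the (ip, port, proto) tuples the inspector has to open for the
    media in the SDP: the advertised RTP port and port+1 for RTCP. Without
    inspection these UDP ports would have to be permitted statically."""
    _, body = split_message(msg)
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    if conn is None:
        return []
    holes = []
    for m in re.finditer(r"^m=\w+ (\d+) ", body, re.M):
        port = int(m.group(1))
        holes.append((conn.group(1), port, "udp"))
        holes.append((conn.group(1), port + 1, "udp"))
    return holes


def nat_fixup(msg, inside_ip, outside_ip):
    """Rewrite the inside address embedded in the signaling so the untrusted
    side only sees the translated address, then recompute Content-Length in
    case the SDP body changed length. Ports are kept unchanged, which matches
    a dynamic NAT pool of whole addresses (no PAT) as in Section 5."""
    headers, body = split_message(msg)
    new_headers = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name in ADDRESS_HEADERS:
            h = h.replace(inside_ip, outside_ip)
        new_headers.append(h)
    new_body = "\r\n".join(
        line.replace(inside_ip, outside_ip) if line.startswith(("c=", "o=")) else line
        for line in body.split("\r\n")
    )
    new_headers = [
        f"Content-Length: {len(new_body)}" if h.lower().startswith("content-length:") else h
        for h in new_headers
    ]
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


def leaks_inside_address(msg, inside_prefix):
    """True if any address of the trusted network is still visible in the message."""
    return re.search(r"\b" + re.escape(inside_prefix) + r"\d{1,3}\b", msg) is not None


if __name__ == "__main__":
    outside = nat_fixup(SAMPLE_INVITE, "172.28.10.50", "172.29.99.41")
    print(outside)
    print("pinholes to open:", media_pinholes(outside))
    print("inside address leaked:", leaks_inside_address(outside, "172.28.10."))
```

The model covers only the request direction; the real inspector performs the mirror operation on the answer coming back from the far end, and it closes the pinholes again when the dialog ends or the sip_media timeout expires. The leak check is the test a practitioner would run on a capture taken on the Untrust interface: if a 172.28.10.x address is visible there, the fixup is not being applied to that message.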

3. Configuration

Figure 1 illustrates the configuration used in these Application Notes. All Avaya IP Telephones are registered with Avaya Communication Manager connected to the 172.28.10.0/24 IP network. All Avaya IP Telephones are assigned to the same IP network region within Avaya Communication Manager. All Avaya IP Telephones obtain their IP address from the DHCP server. All Avaya 9600 Series IP Telephones located in the Untrusted IP network are configured for a non-Avaya environment and to use UDP as their transport protocol for signaling.

Figure 1: Sample Network Configuration

4. Equipment and Software Validated

The following equipment and software/firmware were used for the sample configuration:

DEVICE DESCRIPTION                              VERSION TESTED
Avaya S8500 Server with G650 Media Gateway      R015x.00.0.825.4
Avaya SIP Enablement Server                     SES-5.0.0.0-825.31
Avaya 4621SW IP Telephone (SIP)                 2.2.2
Avaya 4610SW IP Telephone (SIP)                 2.2.2
Avaya 9630 IP Telephone (SIP)                   2.2
Avaya 9640G IP Telephone (SIP)                  2.2
Cisco Adaptive Security Appliance (ASA) 5520    7.2(4)

5. Configure Cisco ASA 5520

This section describes the configuration of the Cisco ASA 5520 as shown in Figure 1 using the Command Line Interface (CLI). It is assumed that the basic configuration needed to connect to the Cisco ASA 5520 has been completed. Annotation is shown between the blue "#" signs. Appendix A shows screen captures from Cisco Adaptive Security Device Manager (ASDM) for reference and illustration.

1. Log into the Cisco ASA 5520 and enter enable mode using the appropriate credentials.

2. Enter configuration mode by typing "configure terminal".

3. Below is the configuration for the ASA 5520.

#
# -------------------------------------------------------- #
# -------------- CONFIGURE INTERFACES -------------------- #
# -------------------------------------------------------- #
#
interface GigabitEthernet0/0
 nameif Untrust
 security-level 0
 ip address 172.29.99.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif 172.29.5.X
 security-level 90
 ip address 172.29.5.41 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.254.115 255.255.255.0
 management-only
!
#
# -------------------------------------------------------- #
# ----------- CONFIGURE USER FRIENDLY NAME --------------- #
# ------------- TO FACILITATE REFERENCING ---------------- #
# -------------------------------------------------------- #
# ----- 172.29.99.0 is the Untrust side IP network ------- #
# ----- 172.29.99.10 is the NAT address for Avaya SES ---- #
# -- 172.29.99.12 is the NAT address for download server - #
# -------------------------------------------------------- #
#
names
name 172.28.10.12 download-Srvr
name 172.28.10.10 Avaya-SES
name 172.29.99.0 Voice-network
name 172.29.99.12 Outside-Dn-Srvr
name 172.29.99.10 Outside-Avaya-SES
dns-guard
!
#
# -------------------------------------------------------- #
# ------------- CONFIGURE ACCESS LIST -------------------- #
# -------------------------------------------------------- #
# ---------- The following 3 rules are used -------------- #
# --- 1st rule allows download of firmware and ----------- #
# --------- configuration from download server ----------- #
# --- 2nd rule allows Avaya IP Telephone ----------------- #
# ------- to register with Avaya Communication Manager --- #
# --- 3rd rule allows SIP signaling to/from CLANs -------- #
# -------------------------------------------------------- #
# ---- RTP port for Avaya IP Telephone traffic will ------ #
# --- be dynamically opened and closed by the ASA 5520 --- #
# ----------- therefore no access list is needed --------- #
# -------------------------------------------------------- #
#
access-list Untrust_access_in extended permit tcp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq 411 log
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq tftp
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Avaya-SES eq sip log
access-list Untrust_access_in extended deny ip any any log
access-list Untrust_access_in extended permit icmp any any log inactive
#
# -------------------------------------------------------- #
# -------------------- CONFIGURE NAT --------------------- #
# -------------------------------------------------------- #
# ---- Configure a pool of IP address for dynamic NAT ---- #
# ------------------------- and -------------------------- #
# ----- static NAT for Avaya SES and download server ----- #
# -------------------------------------------------------- #
#
nat-control
global (Untrust) 1 172.29.99.41-172.29.99.45 netmask 255.255.255.0
nat (172.29.5.X) 1 172.28.10.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (172.29.5.X,Untrust) Outside-Avaya-SES Avaya-SES netmask 255.255.255.255
static (172.29.5.X,Untrust) Outside-Dn-Srvr download-Srvr netmask 255.255.255.255
#
# -------------------------------------------------------- #
# ------------------- CONFIGURE ROUTING ------------------ #
# -------------------------------------------------------- #
#
route 172.29.5.X 172.29.0.0 255.255.0.0 172.29.5.1 1
route 172.29.5.X 172.28.0.0 255.255.0.0 172.29.5.1 1
#
# -------------------------------------------------------- #
# ----------------- CONFIGURE DHCP RELAY ----------------- #
# -------------------------------------------------------- #
#
dhcprelay server download-Srvr 172.29.5.X
dhcprelay enable Untrust
!
#
# -------------------------------------------------------- #
# --------- BELOW IS THE DEFAULT CONFIGURATION FOR ------- #
# ------- CLASS-MAP, POLICY-MAP, AND SERVICE-POLICY ------ #
# ------------ SHOWN FOR ILLUSTRATION PURPOSE ------------ #
# --------- VERIFY INSPECT SIP MUST BE INCLUDED ---------- #
# -------------------------------------------------------- #
#
access-group Untrust_access_in in interface Untrust
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b61b906e869db6c1f417f9e139425851
: end
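To check the access list in this section without a device, the following Python evaluator is added here; it is not Cisco's or Avaya's code. It parses the name and access-list lines exactly as printed above and applies the ASA semantics that matter for a review: rules are tried in order, the first active match decides, and a flow matching nothing is denied. The flow addresses used for the checks are constructed (172.29.99.50 as a phone on the Untrust network, 10.0.0.5 as a host outside Voice-network). The evaluator also reports rules that can never match; here the final icmp permit is both marked inactive and placed after deny ip any any, so it would not take effect even if activated.

```python
import ipaddress

# The name and access-list lines from Section 5, copied as printed.
ASA_CONFIG = """
name 172.28.10.12 download-Srvr
name 172.28.10.10 Avaya-SES
name 172.29.99.0 Voice-network
name 172.29.99.12 Outside-Dn-Srvr
name 172.29.99.10 Outside-Avaya-SES
access-list Untrust_access_in extended permit tcp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq 411 log
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq tftp
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Avaya-SES eq sip log
access-list Untrust_access_in extended deny ip any any log
access-list Untrust_access_in extended permit icmp any any log inactive
"""

# ASA service keywords used by this ACL and the ports they stand for.
PORT_NAMES = {"tftp": 69, "sip": 5060}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _address(tokens, i, names):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    net = names.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{net}/{tokens[i + 1]}", strict=False), i + 2


def _ports(tokens, i):
    """Consume an optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'name' and extended 'access-list' lines into an ordered rule list."""
    names, rules = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _address(t, 5, names)
            sport, i = _ports(t, i)
            dst, i = _address(t, i, names)
            dport, i = _ports(t, i)
            rules.append({
                "action": t[3], "proto": t[4], "src": src, "sport": sport,
                "dst": dst, "dport": dport, "inactive": "inactive" in t[i:],
                "text": line,
            })
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport=None, sport=None):
    """First matching active rule wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["inactive"] or r["proto"] not in ("ip", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


def unreachable_rules(rules):
    """Indexes of rules that can never match because an earlier active rule
    (ip any any without port qualifiers) already matches every packet."""
    for i, r in enumerate(rules):
        if (not r["inactive"] and r["proto"] == "ip" and r["src"] == ANY
                and r["dst"] == ANY and r["sport"] is None and r["dport"] is None):
            return list(range(i + 1, len(rules)))
    return []


RULES = parse_acl(ASA_CONFIG)

if __name__ == "__main__":
    # Constructed flows: a phone at 172.29.99.50 on the Untrust network.
    for flow in [("udp", "172.29.99.50", "172.29.99.10", 5060),
                 ("udp", "172.29.99.50", "172.29.99.10", 5061),
                 ("udp", "172.29.99.50", "172.29.99.12", 69),
                 ("icmp", "172.29.99.50", "172.29.99.12", None)]:
        print(flow, "->", evaluate(RULES, *flow))
    print("shadowed rules:", [RULES[i]["text"] for i in unreachable_rules(RULES)])
```

Note that RTP is deliberately absent from the list: the media ports are opened by the SIP inspection engine for the duration of each call, so only the signaling and provisioning flows need explicit entries, and a phone whose media fails while signaling succeeds should be investigated under inspect sip rather than under this access list.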

6. Configuring DHCP Server

This section shows the configuration on the DHCP server.

1. In addition to configuring the address pool, three Scope Options are configured for use by Avaya IP Telephones. The Scope Options information is as follows.

Option   Value
3        172.29.99.1
176      TFTPSRVR=172.29.99.12
242      HTTPSRVR=172.29.99.12

Note that the IP addresses for TFTPSRVR and HTTPSRVR are the translated IP address of the download server, not its real IP address.

7. Configuring Avaya 9600 Series IP Telephone

This section describes the basic configuration for Avaya 9600 Series IP Telephones in this solution. For additional information on how to configure Avaya 9600 Series IP Telephones, please consult reference [4].

1. Access the Avaya 9600 Series IP Telephone menu option by entering the password using the dialpad on the phone.

2. Select the SIP option and configure the following fields.

   a. Avaya Environment: No
   b. Transport Type: UDP

3. The following is the 46xxsettings.txt file used in the sample network. Notice that SIPPROXYSRVR, SIPREGISTRAR, MWISRVR, and FILESERVER all point to their respective NATed IP addresses.

SET SIPDOMAIN "interop.com"
SET SIPPROXYSRVR "172.29.99.10"
SET SIPREGISTRAR "172.29.99.10"
SET MWISRVR "172.29.99.10"
SET FILESERVER "172.29.99.12"
SET DSTOFFSET "1"
SET DSTSTART "1SunApr2L"
SET DSTSTOP "LSunOct2L"
SET GMTOFFSET "-5:00"
SET DATESEPARATOR "-"
SET DATETIMEFORMAT "1"
SET CALLFWDSTAT "0"
SET COVERAGEADDR ""
SET DIALPLAN "11xxx"
SET SIPPORT "5060"

8. Verification

The following steps may be used to verify the configuration:

1. Use the "show sip" command on the Cisco ASA 5520 to view the status of SIP messaging passing through the firewall.

a. show sip command output captured during Avaya 9630 IP Telephone registration.

InteropASA# show sip
Total: 4
call-id [email protected]
    CSeq: REGISTER
    From: sip:[email protected];9d69386d43c2386d5dff_F172.29.99.50
    To: sip:[email protected];1DBFE3556F5A4E196F26FFDAF8BCD926122641955624858
    state Call init, timeout 0:03:00 idle 0:00:05
    Transaction         State                   Timeout   Idle
    Cseq 2 REGISTER     Transaction Proceeding  0:03:00   0:00:05
call-id [email protected]
    CSeq: NOTIFY
    From: sip:[email protected];fssUA_187907935-5155
    To: sip:[email protected];1386d43fc386d74de_F172.29.99.50
    state Call init, timeout 0:03:00 idle 0:00:04
    Transaction         State                   Timeout   Idle
    Cseq 14 NOTIFY      Transaction Proceeding  0:03:00   0:00:04
    Cseq 13 NOTIFY      Transaction Proceeding  0:03:00   0:00:04
call-id [email protected]
    CSeq: SUBSCRIBE
    From: sip:[email protected];-120ca386d43c2-8_F172.29.99.50
    To: sip:[email protected];fssUA_235398556-5155
    state Active, timeout 0:03:00 idle 0:00:04
    Transaction         State                   Timeout   Idle
    Cseq 3 NOTIFY       Transaction Proceeding  0:03:00   0:00:04
    Cseq 2 NOTIFY       Transaction Proceeding  0:03:00   0:00:05
    Cseq 2 SUBSCRIBE    Transaction Proceeding  0:03:00   0:00:06
call-id [email protected]
    CSeq: NOTIFY
    From: sip:[email protected];fssUA_4124133585-5155
    To: sip:[email protected];-deda386d43be-8_F172.29.99.50
    state Call init, timeout 0:03:00 idle 0:00:07
    Transaction         State                   Timeout   Idle
    Cseq 5 NOTIFY       Transaction Proceeding  0:03:00   0:00:08
    Cseq 4 NOTIFY       Transaction Proceeding  0:03:00   0:00:08

b. show sip command output captured during Avaya 4610SW IP Telephone registration.

InteropASA# show sip
Total: 2
call-id [email protected]
    CSeq: SUBSCRIBE
    From: sip:[email protected];1aa7a0be3a1cbf5
    To: sip:[email protected];fssUA_3628314560-5155
    state Active, timeout 0:03:00 idle 0:00:03
    Transaction                 State                   Timeout   Idle
    Cseq 3 NOTIFY               Transaction Proceeding  0:03:00   0:00:03
    Cseq 2 NOTIFY               Transaction Proceeding  0:03:00   0:00:04
    Cseq 718351984 SUBSCRIBE    Transaction Proceeding  0:03:00   0:00:04
call-id [email protected]
    CSeq: REGISTER
    From: sip:[email protected];6320fb0886e8a83
    To: sip:[email protected];1DBFE3556F5A4E196F26FFDAF8BCD926122641865424700
    state Call init, timeout 0:03:00 idle 0:00:04
    Transaction                 State                   Timeout   Idle
    Cseq 1751314095 REGISTER    Transaction Proceeding  0:03:00   0:00:04

c. show sip command output captured during call establishment between Avaya 4610SW and Avaya 9640G IP Telephones.

InteropASA# show sip
Total: 1
call-id [email protected]
    CSeq: INVITE
    From: sip:[email protected];a7c87950fb25b87
    To: sip:[email protected];0c0943e6bedd12b2b4934aa6400
    state Active, timeout 0:30:00 idle 0:00:01
    Transaction               State                   Timeout   Idle
    Cseq 1 INVITE             Transaction Proceeding  0:03:00   0:00:01
    Cseq 509461248 INVITE     Transaction Proceeding  0:03:00   0:00:01
InteropASA#
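As an added aid for reading captures like the ones above, the following Python parser (not part of these Application Notes and not a Cisco tool) turns show sip output into records and flags sessions that have been idle for most of their timeout, which is the condition just before the ASA tears a session down and closes its media pinholes. The input is constructed to follow the layout of the captures in this section: Call-IDs, extensions and tags are made up, 172.29.99.50 and 172.29.99.51 are sample phone addresses on the Untrust network. The timeouts shown (0:03:00 for a REGISTER still in Call init, 0:30:00 for an Active INVITE) are the sip-invite and sip values of the timeout command in Section 5; the near_timeout check and its 80% threshold are an assumption of this example, not an ASA feature.

```python
import re

# Constructed "show sip" output in the layout of the captures in Section 8.
# Call-IDs, tags and extensions are made up; the phone addresses are sample
# values on the Untrust network.
SAMPLE_SHOW_SIP = """\
InteropASA# show sip
Total: 2
call-id sample-reg@172.29.99.50
    CSeq: REGISTER
    From: sip:11001@interop.com;tag=9d69386d
    To: sip:11001@interop.com;tag=1DBFE355
    state Call init, timeout 0:03:00 idle 0:02:50
    Transaction          State                   Timeout   Idle
    Cseq 2 REGISTER      Transaction Proceeding  0:03:00   0:02:50
call-id sample-inv@172.29.99.51
    CSeq: INVITE
    From: sip:11002@interop.com;tag=a7c87950
    To: sip:11001@interop.com;tag=0c0943e6
    state Active, timeout 0:30:00 idle 0:00:01
    Transaction          State                   Timeout   Idle
    Cseq 1 INVITE        Transaction Proceeding  0:03:00   0:00:01
    Cseq 509461248 INVITE Transaction Proceeding 0:03:00   0:00:01
"""

STATE_RE = re.compile(r"state (.+?), timeout (\d+:\d+:\d+) idle (\d+:\d+:\d+)")
TXN_RE = re.compile(
    r"^\s*Cseq (\d+) (\w+)\s+Transaction (\w+)\s+(\d+:\d+:\d+)\s+(\d+:\d+:\d+)", re.M)


def hms_to_seconds(text):
    """Convert the h:mm:ss values printed by the ASA into seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def declared_total(text):
    """The session count the ASA itself reports on the 'Total:' line."""
    m = re.search(r"^Total: (\d+)", text, re.M)
    return int(m.group(1)) if m else None


def parse_show_sip(text):
    """One record per call-id block: method, peers, state, timers and the
    per-transaction rows beneath the Transaction/State/Timeout/Idle header."""
    sessions = []
    for block in re.split(r"(?m)^call-id ", text)[1:]:
        st = STATE_RE.search(block)
        sessions.append({
            "call_id": block.split(None, 1)[0],
            "method": re.search(r"CSeq: (\w+)", block).group(1),
            "from": re.search(r"From: (\S+)", block).group(1),
            "to": re.search(r"To: (\S+)", block).group(1),
            "state": st.group(1),
            "timeout": hms_to_seconds(st.group(2)),
            "idle": hms_to_seconds(st.group(3)),
            "transactions": [(int(c), meth, s, hms_to_seconds(t), hms_to_seconds(i))
                             for c, meth, s, t, i in TXN_RE.findall(block)],
        })
    return sessions


def by_state(sessions):
    """Count sessions per inspection state (e.g. 'Call init' vs 'Active')."""
    counts = {}
    for s in sessions:
        counts[s["state"]] = counts.get(s["state"], 0) + 1
    return counts


def near_timeout(sessions, fraction=0.8):
    """Call-IDs idle for at least `fraction` of their timeout (threshold is an
    assumption of this example). Such a session is about to be removed by the
    ASA, which the phone sees as a registration that silently drops or a call
    whose media pinholes close."""
    return [s["call_id"] for s in sessions if s["idle"] >= fraction * s["timeout"]]


if __name__ == "__main__":
    sessions = parse_show_sip(SAMPLE_SHOW_SIP)
    print("declared:", declared_total(SAMPLE_SHOW_SIP), "parsed:", len(sessions))
    print("by state:", by_state(sessions))
    print("near timeout:", near_timeout(sessions))
```

Comparing the parsed count with the Total line is a cheap consistency check when output is pasted from a terminal with scrollback truncation; a session that reaches the near_timeout list while a call is still up points at media or keepalive traffic that is not refreshing the session, which in this design means the phone or server is not sending through the interface the inspection policy is applied to.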

9. Conclusion

These Application Notes described the administrative steps required to configure the Cisco ASA 5520 to support an Avaya VoIP solution consisting of Avaya SIP Enablement Server and Avaya 4600 and 9600 Series SIP IP Telephones in a NAT environment. The ASA 5520 correctly performed network address translation for Avaya SES and media traffic IP addresses in the sample network.

10. Additional References

Product documentation for Avaya products may be found at http://support.avaya.com

[1] Administrator Guide for Avaya Communication Manager, Doc # 03-300509, Issue 4.0, Release 5.0, January 2008
[2] Avaya Communication Manager Advanced Administration Quick Reference, Doc # 03-300364, Issue 4, Release 5.0, January 2008
[3] Administration for Network Connectivity for Avaya Communication Manager, Doc # 555-233-504, Issue 13, January 2008
[4] Avaya One-X Deskphone Edition for 9600 Series SIP IP Telephones Installation and Maintenance, Doc # 16-603159, Issue 1, September 2008

Product documentation for Cisco Systems products may be found at http://www.cisco.com

[5] Cisco Security Appliance Command Line Configuration Guide, Software Version 7.0(4), Part Number: OL-6721-02

11. Appendix A – ASDM screen captures

This section contains screen captures from Cisco Adaptive Security Device Manager (ASDM). These screen captures serve as illustrations of the configuration shown in Section 5.

1. ASA 5520 interface configuration.

2. IP Names and Network Object Groups used in the configuration.

3. ASA 5520 firewall rules.

4. NAT configuration.

©2009 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]

