Chapter 22
Applying Application Layer Protocol Inspection
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00
SCCP (Skinny) Sample Configuration
Figure 22-18 shows a sample configuration for SCCP (Skinny) inspection:
See the following configuration for this example:
hostname(config)# interface Vlan100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 209.165.201.2 255.0.0.0
hostname(config-if)# !
hostname(config-if)# interface Vlan50
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.100.100.2 255.0.0.0
hostname(config-if)# !
hostname(config-if)# interface Vlan90
hostname(config-if)# nameif callmgr
hostname(config-if)# security-level 75
hostname(config-if)# ip address 209.165.201.254 255.0.0.0
TFTP is permitted to the IP address of the CallManager so that phones on the inside and outside can
download configuration files from the CallManager for initial setup. TCP port 2000 is permitted to the
IP address of the CallManager so that Skinny signaling between the phones and the CallManager can
pass through the firewall module.
hostname(config-if)# access-list voice extended permit udp any host 209.165.201.210 eq tftp
hostname(config)# access-list voice extended permit tcp any host 209.165.201.210 eq 2000
Apply the above access lists on the inside and outside interfaces for incoming traffic:
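The following Python is an added example, not part of the original guide: it audits a saved configuration for the voice access list described above, reporting required services that are missing, entries toward the CallManager that are wider than TFTP and TCP 2000, and the interfaces the list is bound to. The sample configuration, its over-broad entry, and its access-group lines are constructed for illustration.

```python
import re

# Services the page says phones need to reach on the CallManager.
REQUIRED = {("udp", 69), ("tcp", 2000)}   # TFTP config download, SCCP signaling
PORT_NAMES = {"tftp": 69}                 # named ports used in this example only

ACE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+any\s+"
                 r"host\s+(\S+)(?:\s+eq\s+(\S+))?")
BIND = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)")

def audit_voice_acl(config, acl="voice", callmgr="209.165.201.210"):
    """Compare one ACL's CallManager entries against the two required services."""
    seen, extra, bound = set(), [], set()
    for line in config.splitlines():
        line = line.split("#", 1)[-1].strip()      # drop a CLI prompt if present
        m = ACE.match(line)
        if m and m.group(1) == acl and m.group(3) == callmgr:
            proto, port = m.group(2), m.group(4)
            port = PORT_NAMES.get(port, int(port) if port and port.isdigit() else None)
            if (proto, port) in REQUIRED:
                seen.add((proto, port))
            else:
                extra.append(line)                 # wider than the page requires
        b = BIND.match(line)
        if b and b.group(1) == acl:
            bound.add(b.group(2))
    return {"missing": REQUIRED - seen, "extra": extra, "interfaces": bound}

# Constructed sample: the page's two entries, plus one constructed over-broad
# entry and constructed access-group bindings.
SAMPLE = """\
hostname(config)# access-list voice extended permit udp any host 209.165.201.210 eq tftp
hostname(config)# access-list voice extended permit tcp any host 209.165.201.210 eq 2000
hostname(config)# access-list voice extended permit ip any host 209.165.201.210
hostname(config)# access-group voice in interface inside
hostname(config)# access-group voice in interface outside
"""

if __name__ == "__main__":
    print(audit_voice_acl(SAMPLE))
```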
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
r - portmap, s - static
Figure 22-18    SCCP (Skinny) Inspection Setup
[Figure: the Firewall Services Module (FWSM), performing Skinny (SCCP) inspection, connects three VLANs: inside (vlan 50, 10.100.100.2) with a Cisco 7960 Skinny phone, callmgr (vlan 90, 209.165.201.254) with the CallManager at 209.165.201.210, and outside (vlan 100, 209.165.201.2) with a Cisco 7960 Skinny phone.]