Table Of Contents
Cisco Unified Communications Trusted Firewall Control
Prerequisites for Cisco Unified Communications Trusted Firewall Control
Restrictions for Cisco Unified Communications Trusted Firewall Control
Information About Cisco Unified Communications Trusted Firewall Control
How to Configure Cisco Unified Communications Trusted Firewall Control
Configuration Examples for Cisco Unified Communications Trusted Firewall Control
Feature Information for Cisco Unified Communications Trusted Firewall Control
stun usage firewall-traversal flowdata
Cisco Unified Communications Trusted Firewall Control
First Published: December 15, 2008
Cisco Unified Communications Trusted Firewall Control pushes intelligent services onto the network through a Trusted Relay Point (TRP) firewall. Firewall traversal is accomplished using Session Traversal Utilities for NAT(STUN) on a TRP colocated with a Cisco Unified Communications Manager Express (Cisco Unified CME) or a Cisco Unified Border Element.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Cisco Unified Communications Trusted Firewall Control" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Cisco Unified Communications Trusted Firewall Control
•Restrictions for Cisco Unified Communications Trusted Firewall Control
•Information About Cisco Unified Communications Trusted Firewall Control
•How to Configure Cisco Unified Communications Trusted Firewall Control
•Configuration Examples for Cisco Unified Communications Trusted Firewall Control
•Feature Information for Cisco Unified Communications Trusted Firewall Control
Prerequisites for Cisco Unified Communications Trusted Firewall Control
•Be sure that you have the correct platform to support this feature. Cisco Unified Communications Trusted Firewall Control is supported on the Cisco 1861, 2801, 2811, 2821, 2851, 3825, and 3845 platforms.
•Cisco IOS Release 12.4(22)T.
•TRP colocated with Cisco IOS firewall
– TRP + Cisco IOS firewall on the same box as Cisco Unified CME and Cisco Unified Border Element
– c28xx, c1861, and c38xx and platforms
– adventerprisek9 and advipservicesk9 packages
Restrictions for Cisco Unified Communications Trusted Firewall Control
Cisco IOS Release 12.4(22)T implements firewall traversal for media using STUN on TRP and is only supported on:
•Cisco Unified CME colocated with TRP
•Cisco Unified Border Element colocated with TRP (limited call flows)
TRP is only supported for the following control agents:
•Cisco Unified CME and Cisco Unified Border Element which are STUN-aware
•Cisco Unified CME for SIP trunks
Supported:
– SCCP/SIP line to SIP trunk audio calls
–Cisco IOS firewall on the SIP trunk side
– SIP over UDP/TCP
– RTP and SRTP
Not Supported:
–Cisco IOS firewall on line side
– Video, RSVP, IPv6
•Cisco Unified Border Element for SIP to SIP call flows
Supported:
– SIP to SIP flow-through audio calls
– SIP over UDP/TCP
– REFER-based supplementary services
– SIP to SIP DTMF inter-working
– In-box transcoding
Not Supported:
– High density transcoding (transcoder optimization)
– Re-INVITE based supplementary services
– Video, RSVP, IPv6
Other restrictions:
•Unauthenticated Keepalives
–When a pinhole is opened, the Cisco IOS firewall expects only UDP packets.
–TRP sends periodic STUN binding indications containing only the STUN header.
–Keepalives do not contain any token and are not authenticated by the Cisco IOS firewall.
•No explicit close pinhole message
–There is no explicit close pinhole message from TRP.
–The pinhole times out at the Cisco IOS firewall when no UDP packets are received.
•No prering support
–No guarantee that STUN open pinhole packet reaches the Cisco IOS firewall before the first RTP packet.
–Possible initial RTP packet drops at the Cisco IOS firewall.
•Cisco IOS firewall control session timeout
–ACLs must be configured on the Cisco IOS firewall to allow SIP signaling.
–The Cisco IOS firewall control sessions timeout if no SIP messages are exchanged.
–Timed out SIP over UDP sessions are re-established with the next SIP message (for example, BYE).
–Timed out SIP over TCP sessions are not re-established, causing subsequent SIP messages (for example, BYE) to be dropped.
Information About Cisco Unified Communications Trusted Firewall Control
Firewall traversal for end-to end VoIP calls poses several problem:
•VoIP protocols use many ports for a single communication session. It is not possible to configure static rules for a large range of ports.
•Limiting the RTP port range is not supported by most endpoints.
•An application layer gateway (ALG) can be costly in terms of system resources and maintenance.
Cisco Unified Communications Trusted Firewall Control builds intelligence into the firewall so that it can open a pinhole (a port that is opened through a firewall to allow a particular application access to the protected network) dynamically when it receives a STUN request for a media flow. This request is authenticated/authorized by the firewall to ensure that it opens pinholes only for genuine calls.
Cisco Unified Communications Trusted Firewall Control provides:
•Increased firewall performance while opening firewall ports in the media path dynamically when a VoIP call is made between two endpoints.
•Simplification of firewall policy configuration and integration of firewall policy generation with call control.
•No compromising on network security
•Firewall traversal
Flowdata refers to CISCO-STUN-FLOWDATA, a comprehension-optional Cisco proprietary STUN attribute. If a STUN agent does not understand the attribute, the agent must ignore it. This attributes identifies an RTP or RTCP flow to the firewall and contains a Crypto Acceptance Token (CAT), which the firewall uses to authenticate the sender of the STUN message—the TRP. See RFC 5389 for more information.
Figure 1 shows a topology for Cisco Unified Communications Trusted Firewall Control.
Figure 1 Cisco Unified Communications Trusted Firewall Control Topology 1
How to Configure Cisco Unified Communications Trusted Firewall Control
To configure firewall traversal, perform the following steps:
Prerequisites
•The firewall must be configured with an agent ID and shared secret, which must be the same as those configured on the call agent.
!parameter-map type protocol-info stun-ice stun-paramsauthorization agent-id 15 shared-secret ciscopasswd1234 cat-window 10!•Zone security configuration on the interface locks the interface. Only the traffic specified in the policy is allowed. To allow ICMP pings between the two interfaces, configure a new class map as follows:
!class-map type inspect icmp-classmatch protocol icmp!Add the class to the policy map as follows:
!policy-map type inspect stun-policyclass type inspect stun-classinspectclass type inspect icmp-classpass!•Configure a policy to allow SIP traffic through the firewall.
For information on configuring zone-based Cisco IOS firewalls, see: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
SUMMARY STEPS
1. enable
2. configure terminal
3. voice service voip
4. stun
5. stun flowdata agent-id tag
6. stun flowdata shared-secret string
7. stun flowdata keepalive seconds
8. exit
9. voice class stun-usage tag
10. stun usage firewall-traversal flowdata
11. exit
12. dial-peer voice tag voip
13. voice-class stun-usage tag
14. end
DETAILED STEPS
Verifying Firewall Traversal
Use the show policy-map type inspect zone-pair sessions command to display information about policy maps.
Configuration Examples for Cisco Unified Communications Trusted Firewall Control
The following is a sample configuration for Cisco Unified Communications Trusted Firewall Control:
CUBE2-3825#show running configBuilding configuration...Current configuration : 3594 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msec localtime show-timezoneno service password-encryptionservice internal!hostname CUBE2-3825!boot-start-markerboot system flash:c3825-ipvoice-mz.stun_stack_dtboot-end-marker!logging message-counter sysloglogging buffered 9999999no logging console!no aaa new-modelclock timezone IST 5no network-clock-participate slot 1!dot11 syslogip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3ip cef!!no ip domain lookupno ipv6 cef!multilink bundle-name authenticated!!voice-card 0no dspfarm!voice-card 1no dspfarm!!voice dsp waitstate 0!voice service voipaddress-hidingallow-connections h323 to sipallow-connections sip to h323allow-connections sip to sipfax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback ciscostunstun flowdata agent-id 35stun flowdata shared-secret 123xyz123xyzstun flowdata keepalive 5sip!!voice class codec 1!!voice class stun-usage 10stun usage firewall-traversal flowdata!!!voice iec syslog!no memory litearchivelog confighidekeys!!ip ftp username testip ftp password test123!!interface Loopback0no ip address!interface GigabitEthernet0/0ip address 9.13.23.6 255.255.255.0duplex autospeed automedia-type rj45no keepalive!interface GigabitEthernet0/1no ip addressshutdownduplex autospeed automedia-type rj45no keepalive!ip forward-protocol ndip route 0.0.0.0 0.0.0.0 9.13.23.1ip route 1.1.1.0 255.255.255.0 9.13.24.7ip route 9.13.24.0 255.255.255.0 9.13.23.7ip http serverno ip http secure-server!!tftp-server flash:P0S3-08-4-00.sb2tftp-server flash:P0S3-08-4-00.loadstftp-server flash:P003-08-4-00.sbntftp-server flash:P003-08-4-00.bintftp-server flash:OS79XX.TXT!control-plane!call treatment on!!voice-port 1/0/0!voice-port 1/0/1shutdown!ccm-manager fax protocol cisco!mgcp fax t38 ecm!!dial-peer voice 1 voipdestination-pattern 2...session protocol sipv2session target ipv4:9.13.23.5codec g711ulaw!dial-peer voice 11 voipvoice-class stun-usage 10session protocol sipv2session transport udpincoming called-number 2...codec g711ulaw!sip-uaprotocol mode ipv4!!gatekeeperirq global-requestshutdown!alias exec t test stun!line con 0exec-timeout 0 0line aux 0line vty 0 4no logintransport input none!exception data-corruption buffer truncatescheduler allocate 20000 1000ntp server 9.13.0.10endAdditional References
The following sections provide references related to Cisco Unified Communications Trusted Firewall Control.
Related Documents
Related Topic Document TitleIP Application Services Configuration
IP Application Services Command Reference
Cisco Unified CME Command Reference
Cisco Unified Communications Manager Express Command Reference
All other Cisco IOS Command Reference guides
Various titles located at http://www.cisco.com/en/US/customer/products/ps6350/prod_command_reference_list.html
Routers Support Resources
Standards
Standard TitleNo new or modified standards are supported, and support for existing RFCs has not been modified.
—
MIBs
RFCs
Technical Assistance
Feature Information for Cisco Unified Communications Trusted Firewall Control
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation and the master command list.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Cisco Unified Communications Trusted Firewall Control
Feature Name Releases Feature InformationCisco Unified Communications Trusted Firewall Control
12.4(22)T
Cisco Unified Communications Trusted Firewall Control pushes intelligent services into the network through Trust Relay Point (TRP).
The following sections provide information about this feature:
•"Information About Cisco Unified Communications Trusted Firewall Control" section
•"How to Configure Cisco Unified Communications Trusted Firewall Control" section
The following commands were introduced: stun; stun flowdata agent-id; stun flowdata keepalive; stun flowdata shared-secret; stun usage firewall-traversal flowdata; voice class stun-usage; voice-class stun-usage.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
Command Reference
This section documents only commands that are new or modified.
•stun
•stun flowdata agent-id
•stun flowdata keepalive
•stun flowdata shared-secret
•voice class stun-usage
•stun usage firewall-traversal flowdata
•voice-class stun-usage
stun
To enter STUN configuration mode for configuring firewall traversal parameters, use the stun command in voice-service voip configuration mode. To remove STUN parameters, use the no form of this command.
stun stun
Syntax Description
stun
Stun configuration parameters:
•stun flowdata agent-id
•stun flowdata keepalive
•stun flowdata shared-secret
Command Default
No default behavior or values.
Command Modes
Voice-service voip configuration (config-voi-serv)
Command History
Usage Guidelines
Use this command to enter the configuration mode to configure firewall traversal parameters for VoIP communications.
Examples
The following example shows how to enter STUN configuration mode.Router(config)# voice service voipRouter(config-voi-serv)# stunRelated Commands
stun flowdata agent-id
To configure the STUN flowdata agent ID, use the stun flowdata agent-id command in STUN configuration mode. To return to the default value for agent ID, use the no form of this command.
stun flowdata agent-id tag
no stun flowdata agent-id
Syntax Description
Command Default
No firewall traversal is performed.
Command Modes
STUN configuration (conf-serv-stun)
Command History
Usage Guidelines
Use the stun flowdata agent-id command to configure call control agents which authorize the flow of traffic to the firewall. The show run all command displays the default value as -1.
Examples
The following example shows how to set stun flowdata agent ID to 35.
Router(config)# voice service voipRouter(config-voi-serv)# stunRouter(config-serv-stun)# stun flowdata agent-id 35Router(config-serv-stun)# stun flowdata shared-secret 123abc123abcRouter(config-serv-stun)# stun flowdata keepalive 5Related Commands
stun flowdata keepalive
To configure the keepalive interval, use the stun flowdata keepalive command in STUN configuration mode. To return to the default keepalive value, use the no form of this command.
stun flowdata keepalive seconds
no stun flowdata keepalive
Syntax Description
.
Command Default
The default keepalive value is 10 seconds.
Command Modes
STUN configuration (conf-serv-stun)
Command History
Usage Guidelines
Keepalives are application connections TRP generates to keep firewall pinholes open.
Examples
The following example shows how to change the stun flowdata keepalive interval from the default value (10) to 5 seconds.
Router(config)# voice service voipRouter(config-voi-serv)# stunRouter(config-serv-stun)# stun flowdata agent-id 35Router(config-serv-stun)# stun flowdata shared-secret 123abc123abcRouter(config-serv-stun)# stun flowdata keepalive 5Related Commands
stun flowdata shared-secret
To configure a secret shared on a call control agent, use the stun flowdata shared-secret command in STUN configuration mode. To return the shared secret to the default value, use the no form of this command.
stun flowdata shared-secret string
no stun flowdata shared-secret
Syntax Description
Command Default
The default value of this command sets the shared secret to an empty string. No firewall traversal is performed when the shared-secret has the default value.
Command Modes
STUN configuration (conf-serv-stun)
Command History
Usage Guidelines
A shared secret on a call control agent is a string that is used between a call control agent and the firewall for authentication purposes. The shared secret value on the call control agent and the firewall must be the same.
Examples
The following example shows how to set the shared secret to 123abc123abc.
Router(config)# voice service voipRouter(config-voi-serv)# stunRouter(config-serv-stun)# stun flowdata agent-id 35Router(config-serv-stun)# stun flowdata shared-secret 123abc123abcRouter(config-serv-stun)# stun flowdata keepalive 5Related Commands
Command Descriptionstun
Enters STUN configuration mode.
stun flowdata agent-id
Configures the agent ID.
stun flowdata keepalive
Configures the keepalive interval.
voice class stun-usage
To configure voice class and enter voice class configuration mode, called stun-usage, use the voice-class stun-usage command in global configuration mode. To disable the voice class, use the no form of this command
voice class stun-usage tag
no voice class stun-usage tag
Syntax Description
Command Default
The voice class is not defined.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
When the voice-class stun-usage is removed, the same is removed automatically from the dial-peer configurations.
Examples
The following example shows how to set the voice class stun-usage tag to 10000:
Router(config)# voice class stun-usage 10000
Related Commands
Command Descriptionstun usage firewall-traversal flowdata
Enables firewall traversal using STUN.
stun flowdata agent-id
Configures the agent ID.
stun usage firewall-traversal flowdata
To enable firewall traversal using STUN, use the stun usage firewall-traversal flowdata command in voice class stun-usage configuration mode. To disable firewall traversal with STUN, use the no form of this command.
stun usage firewall-traversal flowdata
no stun usage firewall-traversal flowdata
Syntax Description
This command has no parameters.
Command Default
Firewall traversal using STUN is not enabled.
Command Modes
Voice-class configuration (config-class)
Command History
Examples
The following example shows how to enable firewall traversal using STUN:
Router(config)# voice class stun-usage 10Router(config-class)# stun usage firewall-traversal flowdataRelated Commands
voice-class stun-usage
To enable firewall traversal for VoIP communications, use the voice-class stun-usage command in dial-peer voice configuration mode. To disable firewall traversal, use the no form of this command.
voice-class stun-usage tag
no voice-class stun-usage
Syntax Description
Command Default
Firewall traversal is not enabled.
Command Modes
Dial-peer voice configuration (config-dial-peer)
Command History
Usage Guidelines
When the voice-class stun-usage command is removed, the same is removed automatically from dial-peer configurations.
Examples
The following example shows how to set the voice-class stun-usage tag to 10.Router(config)# dial-peer voice 1 voipRouter(config-dial-peer)# voice-class stun-usage 10Related Commands
Command Descriptionvoice class stun-usage
Configures a new voice class called stun-usage with a numerical tag.