Sample Configuration for Cisco Adaptive Security Appliance 5520 to interoperate with Avaya SIP IP Telephones using Network Address Translation – Issue 1.0
Abstract
These Application Notes describe the steps for configuring the Cisco Adaptive Security Appliance (ASA) 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones using Network Address Translation (NAT). The SIP Application Inspection functionality enabled on the ASA 5520 manages the dynamic opening and closing of the UDP ports needed by media traffic.
1. Introduction
These Application Notes describe a sample configuration of the Cisco ASA 5520 to support Avaya 4600 and 9600 Series SIP IP Telephones registering with Avaya SIP Enablement Server (SES). The ASA 5520 serves as a consolidated platform for VPN gateway and firewall. These Application Notes focus on the SIP support of the firewall functionality.
2. Overview
The Cisco ASA 5520 is a firewall device capable of supporting a comprehensive set of security features such as firewalling, SSL/IPsec VPN termination, and intrusion prevention. The ASA 5520 shown in Figure 1 is configured as a firewall to interoperate with Avaya SIP Enablement Server (SES) and Avaya SIP IP Telephones. The SIP Application Inspection feature of the ASA 5520 dynamically opens and closes the UDP ports needed for media traffic. In addition, Network Address Translation is deployed to hide the actual internal IP addresses from the untrusted network. Both Static and Dynamic NAT methods are employed in the sample network. Avaya SES and the download server are statically NATed, while media traffic to and from Avaya IP Telephones is dynamically NATed to a pool of IP addresses belonging to the Untrusted IP network.
3. Configuration
Figure 1 illustrates the configuration used in these Application Notes. All Avaya IP Telephones are registered with Avaya Communication Manager connected to the 172.28.10.0/24 IP network. All Avaya IP Telephones are assigned to the same IP network region within Avaya Communication Manager. All Avaya IP Telephones obtain their IP addresses from the DHCP server. All Avaya 9600 Series IP Telephones located in the Untrusted IP network are configured for a non-Avaya environment and to use UDP as their transport protocol for signaling.
4. Equipment and Software Validated
The following equipment and software/firmware were used for the sample configuration:

DEVICE DESCRIPTION                             VERSION TESTED
Avaya S8500 Server with G650 Media Gateway     R015x.00.0.825.4
Avaya SIP Enablement Server                    SES-5.0.0.0-825.31
Avaya 4621SW IP Telephone (SIP)                2.2.2
Avaya 4610SW IP Telephone (SIP)                2.2.2
Avaya 9630 IP Telephone (SIP)                  2.2
Avaya 9640G IP Telephone (SIP)                 2.2
Cisco Adaptive Security Appliance (ASA) 5520   7.2(4)
5. Configure Cisco ASA 5520
This section describes the configuration of the Cisco ASA 5520 as shown in Figure 1 using the Command Line Interface (CLI). It is assumed that the basic configuration needed to connect to the Cisco ASA 5520 has been completed. Annotation is shown between the blue “#” signs. Appendix A shows screen captures from Cisco Adaptive Security Device Manager (ASDM) for reference and illustration.

1. Log into the Cisco ASA 5520 and enter enable mode using appropriate credentials.
2. Enter configuration mode by typing “configure terminal”.
3. Below is the configuration for the ASA 5520.
#
# -------------------------------------------------------- #
# -------------- CONFIGURE INTERFACES -------------------- #
# -------------------------------------------------------- #
#
interface GigabitEthernet0/0
 nameif Untrust
 security-level 0
 ip address 172.29.99.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif 172.29.5.X
 security-level 90
 ip address 172.29.5.41 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.254.115 255.255.255.0
 management-only
!
#
# -------------------------------------------------------- #
# ----------- CONFIGURE USER FRIENDLY NAME --------------- #
# ------------- TO FACILITATE REFERENCING ---------------- #
# -------------------------------------------------------- #
# ----- 172.29.99.0 is the Untrust side IP network ------- #
# ----- 172.29.99.10 is the NAT address for Avaya SES ---- #
# -- 172.29.99.12 is the NAT address for download server - #
# -------------------------------------------------------- #
#
names
name 172.28.10.12 download-Srvr
name 172.28.10.10 Avaya-SES
name 172.29.99.0 Voice-network
name 172.29.99.12 Outside-Dn-Srvr
name 172.29.99.10 Outside-Avaya-SES
dns-guard
!
#
# -------------------------------------------------------- #
# ------------- CONFIGURE ACCESS LIST -------------------- #
# -------------------------------------------------------- #
# ---------- The following 3 rules are used -------------- #
# --- 1st rule allows download of firmware and ----------- #
# --------- configuration from download server ----------- #
# --- 2nd rule allows Avaya IP Telephone ----------------- #
# ------- to register with Avaya Communication Manager --- #
# --- 3rd rule allows SIP signaling to/from CLANs -------- #
# -------------------------------------------------------- #
# ---- RTP port for Avaya IP Telephone traffic will ------ #
# --- be dynamically opened and closed by the ASA 5520 --- #
# ----------- therefore no access list is needed --------- #
# -------------------------------------------------------- #
#
access-list Untrust_access_in extended permit tcp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq 411 log
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq tftp
access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Avaya-SES eq sip log
access-list Untrust_access_in extended deny ip any any log
access-list Untrust_access_in extended permit icmp any any log inactive
#
# -------------------------------------------------------- #
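As an added example that is not part of the Application Notes, the following Python script reviews the Untrust_access_in rules above the way a firewall change reviewer would: it flags a permit whose destination resolves to an inside address instead of its NAT name, a catch-all deny that does not log, and any rule placed below the catch-all deny (the ASA evaluates an ACL top-down, so such a rule can never match). The names table is copied from the configuration and the inside network 172.28.10.0/24 is taken from Section 3.

```python
import ipaddress
import re
# Address book copied from the 'names' block of the Section 5 configuration.
NAMES = {
    "download-Srvr": "172.28.10.12",
    "Avaya-SES": "172.28.10.10",
    "Voice-network": "172.29.99.0",
    "Outside-Dn-Srvr": "172.29.99.12",
    "Outside-Avaya-SES": "172.29.99.10",
}
# Inside network hidden by NAT (Section 3): a permit towards it exposes the real server address.
INSIDE_NET = ipaddress.ip_network("172.28.10.0/24")
RULE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?P<log> log)?(?P<inactive> inactive)?$"
)

def review(lines):
    """Findings for an Untrust-facing ACL: permits exposing inside addresses,
    a catch-all deny that does not log, and rules shadowed by that deny."""
    findings, after_deny = [], False
    for n, line in enumerate(lines, 1):
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: unparsed rule {line!r}")
        r = m.groupdict()
        active = r["inactive"] is None
        if after_deny:  # ASA evaluates top-down, first match wins
            state = "is unreachable" if active else "would be unreachable if activated"
            findings.append(f"line {n}: rule {state}, it follows 'deny ip any any'")
        if r["action"] == "permit" and r["dst"].startswith("host "):
            ip = NAMES.get(r["dst"][5:], r["dst"][5:])
            if ipaddress.ip_address(ip) in INSIDE_NET:
                findings.append(f"line {n}: permit to inside address {ip}, expected a NAT address")
        if r["action"] == "deny" and r["proto"] == "ip" and r["src"] == r["dst"] == "any":
            if r["log"] is None:
                findings.append(f"line {n}: catch-all deny does not log")
            after_deny = after_deny or active
    return findings
# The five Untrust_access_in rules exactly as they appear in Section 5.
PAGE_ACL = [
    "access-list Untrust_access_in extended permit tcp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq 411 log",
    "access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Dn-Srvr eq tftp",
    "access-list Untrust_access_in extended permit udp Voice-network 255.255.255.0 host Outside-Avaya-SES eq sip log",
    "access-list Untrust_access_in extended deny ip any any log",
    "access-list Untrust_access_in extended permit icmp any any log inactive",
]
```

Run against the page's own rules, the only finding is that the inactive ICMP permit sits below the catch-all deny and would never match if it were activated.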
6. Configuring DHCP Server
This section shows the configuration on the DHCP server.
1. In addition to configuring the address pool, three Scope Options are configured for use by Avaya IP Telephones. The Scope Options information is as follows.
7. Configuring Avaya 9600 Series IP Telephone
This section describes the basic configuration for Avaya 9600 Series IP Telephones in this solution. For additional information on how to configure Avaya 9600 Series IP Telephones, please consult reference [4].
1. Access the Avaya 9600 Series IP Telephone menu option by entering the password using the dialpad on the phone.
2. Select the SIP option and configure the following fields.
a. Avaya Environment: No
b. Transport Type: UDP
3. The following is the 46xxsettings.txt file used in the sample network. Notice that SIPPROXYSRVR, SIPREGISTRAR, MWISRVR, and FILESERVER all point to their respective NATed IP addresses.
SET SIPDOMAIN "interop.com"
SET SIPPROXYSRVR "172.29.99.10"
SET SIPREGISTRAR "172.29.99.10"
SET MWISRVR "172.29.99.10"
SET FILESERVER "172.29.99.12"
SET DSTOFFSET "1"
SET DSTSTART "1SunApr2L"
SET DSTSTOP "LSunOct2L"
SET GMTOFFSET "-5:00"
SET DATESEPARATOR "-"
SET DATETIMEFORMAT "1"
SET CALLFWDSTAT "0"
SET COVERAGEADDR ""
SET DIALPLAN "11xxx"
SET SIPPORT "5060"
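As an added check that is not part of the Application Notes, this Python snippet parses the SET statements of a 46xxsettings.txt and verifies that SIPPROXYSRVR, SIPREGISTRAR, MWISRVR and FILESERVER each carry an address in the Untrust-side NAT network (172.29.99.0/24, Section 5) rather than an inside 172.28.10.0/24 address (Section 3). A malformed line, such as a SET statement whose closing quote is missing, is reported instead of silently swallowing the statement that follows it.

```python
import ipaddress
import re
# Untrust-side NAT network (Voice-network, Section 5) and the inside network it
# hides (Section 3); Untrust phones must only ever see the NAT addresses.
NAT_NET = ipaddress.ip_network("172.29.99.0/24")
INSIDE_NET = ipaddress.ip_network("172.28.10.0/24")
SERVER_KEYS = ("SIPPROXYSRVR", "SIPREGISTRAR", "MWISRVR", "FILESERVER")
# One 'SET KEY "VALUE"' statement per line; the value cannot contain quotes.
SET_RE = re.compile(r'^SET (?P<key>[A-Z0-9_]+) "(?P<value>[^"]*)"$')

def parse_settings(text):
    """Return ({key: value}, [errors]); a malformed line, such as an unclosed
    quote that swallows the next statement, is reported instead of skipped."""
    values, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            values[m["key"]] = m["value"]
        else:
            errors.append(f"line {n}: malformed SET statement: {line!r}")
    return values, errors

def check_servers(values):
    """Each server parameter must be an IP address inside NAT_NET."""
    findings = []
    for key in SERVER_KEYS:
        raw = values.get(key)
        if raw is None:
            findings.append(f"{key} is not set")
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{key}={raw!r} is not an IP address")
            continue
        if ip in INSIDE_NET:
            findings.append(f"{key}={raw} is an inside address; Untrust phones need the NAT address")
        elif ip not in NAT_NET:
            findings.append(f"{key}={raw} is outside the NAT network {NAT_NET}")
    return findings
# Server lines of the Section 7 46xxsettings.txt (closing quotes intact).
PAGE_SETTINGS = """\
SET SIPPROXYSRVR "172.29.99.10"
SET SIPREGISTRAR "172.29.99.10"
SET MWISRVR "172.29.99.10"
SET FILESERVER "172.29.99.12"
"""
```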
9. Conclusion
These Application Notes described the administrative steps required to configure the Cisco ASA 5520 to support an Avaya VoIP solution consisting of Avaya SIP Enablement Server and Avaya 4600 and 9600 Series SIP IP Telephones in a NAT environment. The ASA 5520 correctly performed network address translation for Avaya SES and media traffic IP addresses in the sample network.
10. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com
[1] Administrator Guide for Avaya Communication Manager, Doc # 03-300509, Issue 4.0, Release 5.0, January 2008
[2] Avaya Communication Manager Advanced Administration Quick Reference, Doc # 03-300364, Issue 4, Release 5.0, January 2008
[3] Administration for Network Connectivity for Avaya Communication Manager, Doc # 555-233-504, Issue 13, January 2008
[4] Avaya One-X Deskphone Edition for 9600 Series SIP IP Telephones Installation and Maintenance, Doc # 16-603159, Issue 1, September 2008
Product documentation for Cisco Systems products may be found at http://www.cisco.com
[5] Cisco Security Appliance Command Line Configuration Guide, Software Version
11. Appendix A – ASDM screen captures
This section contains screen captures from Cisco Adaptive Security Device Manager (ASDM). These screen captures serve as illustrations of the accompanying configuration shown in Section 5.
1. ASA 5520 interface configuration.
2. IP Names and Network Object Groups used in the configuration.