12-33
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter12 Configuring Inspection for Voice and Video Protocols
Skinny (SCCP) Inspection
Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP
inspection without any special configuration. The ASA also supports DHCP options 150 and 66, which
it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients.
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Note The ASA supports inspection of traffic from Cisco IP Phones running SCCP protocol version 19 and
earlier.
Supporting Cisco IP Phones
Note For specific information about setting up the Phone Proxy on the ASA, which is part of the Cisco Unified
Communications architecture and supports IP phone deployment, see Chapter17, “C onfiguring the
Cisco Phone Proxy.”
In topologies where Cisco CallManager is located on the higher security interface with respect to the
Cisco IP Phones, if NAT is required for the Cisco CallManager IP address, the mapping must be static
as a Cisco IP Phone requires the Cisco CallManager IP address to be specified explicitly in its
configuration. An static identity entry allows the Cisco CallManager on the higher security interface to
accept registrations from the Cisco IP Phones.
Cisco IP Phones require access to a TFTP server to download the configuration information they need
to connect to the Cisco CallManager server.
When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use
an ACL to connect to the protected TFTP server on UDP port 69. While you do need a static entry for
the TFTP server, this does not have to be an identity static entry. When using NAT, an identity static entry
maps to the same IP address. When using PAT, it maps to the same IP address and port.
When the Cisco IP Phones are on a higher security interface compared to the TFTP server and
Cisco CallManager, no ACL or static entry is required to allow the Cisco IP Phones to initiate the
connection.
Restrictions and Limitations
The following are limitations that apply to the current version of PAT and NAT support for SCCP:
PAT does not work with configurations containing the alias command.
Outside NAT or PAT is not supported.
If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address
or port, registrations for external Cisco IP Phones fail because the ASA currently does not support NAT
or PAT for the file content transferred over TFTP. Although the ASA supports NAT of TFTP messages
and opens a pinhole for the TFTP file, the ASA cannot translate the Cisco CallManager IP address and
port embedded in the Cisco IP Phone configuration files that are transferred by TFTP during phone
registration.
Note The ASA supports stateful failover of SCCP calls except for calls that are in the middle of call setup.