Cisco Systems ASA 5585-X User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 11: Configuring Inspection for Voice and Video Protocols
Skinny (SCCP) Inspection
Where the value_length argument is a maximum or minimum value.
f. To configure the timeout value for signaling and media connections, enter the following command:
ciscoasa(config-pmap-p)# timeout
The following example shows how to define an SCCP inspection policy map.
ciscoasa(config)# policy-map type inspect skinny skinny-map
ciscoasa(config-pmap)# parameters 
ciscoasa(config-pmap-p)# enforce-registration
ciscoasa(config-pmap-p)# match message-id range 200 300
ciscoasa(config-pmap-p)# drop log
ciscoasa(config)# class-map inspection_default
ciscoasa(config-cmap)# match default-inspection-traffic
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect skinny skinny-map
ciscoasa(config)# service-policy global_policy global
Verifying and Monitoring SCCP Inspection
The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine issues. The
following is sample output from the show skinny command under these conditions: two active Skinny
sessions are set up across the ASA. The first is established between an internal Cisco IP Phone at
local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33; the CallManager listens on
TCP port 2000. The second is established between another internal Cisco IP Phone at local address
10.0.0.22 and the same Cisco CallManager.
ciscoasa# show skinny
        LOCAL                   FOREIGN                 STATE
---------------------------------------------------------------
1       10.0.0.11/52238         172.18.1.33/2000                1
  MEDIA 10.0.0.11/22948         172.18.1.22/20798
2       10.0.0.22/52232         172.18.1.33/2000                1
  MEDIA 10.0.0.22/20798         172.18.1.11/22948
The output indicates that a call has been established between two internal Cisco IP Phones. The RTP 
listening ports of the first and second phones are UDP 22948 and 20798 respectively.
The following is sample output from the show xlate debug command for these Skinny connections:
ciscoasa# show xlate debug
2 in use, 2 most used
Flags:  D - DNS, d - dump, I - identity, i - inside, n - no random,
        r - portmap, s - static
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00