Verifying And Monitoring Sccp Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Chapter 25
Configuring Application Layer Protocol Inspection
Note: The security appliance supports stateful failover of SCCP calls except for calls that are in the middle of call setup.

Verifying and Monitoring SCCP Inspection

The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine issues. The
following is sample output from the show skinny command under the following conditions. There are
two active Skinny sessions set up across the security appliance. The first one is established between an
internal Cisco IP Phone at local address 10.0.0.11 and an external Cisco CallManager at 172.18.1.33.
The CallManager listens on TCP port 2000. The second one is established between another internal Cisco IP
Phone at local address 10.0.0.22 and the same Cisco CallManager.

hostname# show skinny
              LOCAL               FOREIGN             STATE
---------------------------------------------------------------
1             10.0.0.11/52238     172.18.1.33/2000    1
  MEDIA       10.0.0.11/22948     172.18.1.22/20798
2             10.0.0.22/52232     172.18.1.33/2000    1
  MEDIA       10.0.0.22/20798     172.18.1.11/22948

The output indicates that a call has been established between two internal Cisco IP Phones. The RTP
listening ports of the first and second phones are UDP 22948 and 20798 respectively.

The following is sample output from the show xlate debug command for these Skinny connections:

hostname# show xlate debug
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00

Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control

To specify actions when a message violates a parameter, create an SCCP inspection policy map. You can
then apply the inspection policy map when you enable SCCP inspection according to the "Configuring
Application Inspection" section on page 25-5.

To create an SCCP inspection policy map, perform the following steps:

Step 1
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
"Creating a Regular Expression" section on page 21-6. See the types of text you can match in the match
commands described in Step 3.

Step 2
(Optional) Create one or more regular expression class maps to group regular expressions according to
the "Creating a Regular Expression Class Map" section on page 21-8.

Step 3
To create an SCCP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect skinny policy_map_name
hostname(config-pmap)#

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01), Skinny (SCCP) Inspection, page 25-69
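
The following Python example is added here and is not part of the Cisco guide. It parses the show skinny and show xlate debug sample output from the verification section above and checks the conclusion the guide draws from it: each session's MEDIA foreign address, mapped back through the xlate entries, is the other phone's RTP listening port. The function names and the column spacing of the embedded sample are assumptions made for this example.

```python
import re

# Sample output copied from this page; the column spacing is reconstructed.
SHOW_SKINNY = """\
              LOCAL               FOREIGN             STATE
---------------------------------------------------------------
1             10.0.0.11/52238     172.18.1.33/2000    1
  MEDIA       10.0.0.11/22948     172.18.1.22/20798
2             10.0.0.22/52232     172.18.1.33/2000    1
  MEDIA       10.0.0.22/20798     172.18.1.11/22948
"""
SHOW_XLATE = """\
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)/(\d+)"
SESSION = re.compile(rf"^\s*(\d+)\s+{ADDR}\s+{ADDR}\s+(\d+)\s*$")
MEDIA = re.compile(rf"^\s*MEDIA\s+{ADDR}\s+{ADDR}\s*$")
XLATE = re.compile(r"NAT from inside:(\S+) to outside:(\S+) flags")

def parse_skinny(text):
    """Return {session number: {"signal": (local, foreign), "media": (local, foreign) or None}}."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := SESSION.match(line):
            current = int(m[1])
            sessions[current] = {"signal": ((m[2], int(m[3])), (m[4], int(m[5]))), "media": None}
        elif (m := MEDIA.match(line)) and current is not None:
            sessions[current]["media"] = ((m[1], int(m[2])), (m[3], int(m[4])))
    return sessions

def parse_xlate(text):
    """Map each outside (translated) address back to its inside address."""
    return {outside: inside for inside, outside in XLATE.findall(text)}

def paired_calls(sessions, outside_to_inside):
    """Pair sessions whose media peer, once un-NATed, is another session's RTP listener."""
    listeners = {s["media"][0]: sid for sid, s in sessions.items() if s["media"]}
    pairs = set()
    for sid, s in sessions.items():
        if not s["media"]:
            continue  # no MEDIA line listed for this session
        peer_ip, peer_port = s["media"][1]
        other = listeners.get((outside_to_inside.get(peer_ip, peer_ip), peer_port))
        if other is not None and other != sid:
            pairs.add(tuple(sorted((sid, other))))
    return sorted(pairs)

if __name__ == "__main__":
    print(paired_calls(parse_skinny(SHOW_SKINNY), parse_xlate(SHOW_XLATE)))
```

Without the xlate mapping the two MEDIA lines do not pair up, because each phone sees its peer only by the translated outside address.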

This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
