Enabling And Configuring Ctiqbe Inspection - Cisco 7604 Configuration Manual

Chapter 22 Applying Application Layer Protocol Inspection
•
•
The following summarizes special considerations when using CTIQBE application inspection in specific
scenarios:
•
•
•

Enabling and Configuring CTIQBE Inspection

To enable CTIQBE inspection or change the default port used for receiving CTIQBE traffic, perform the
following steps:
Step 1 Create a class map or modify an existing class map to identify CTIQBE traffic. Use the class-map
command to do so, as follows.
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the
CLI enters class map configuration mode.
Use the match port command to identify CTIQBE traffic, as follows:
Step 2
hostname(config-cmap)# match port tcp eq 2748
Create a policy map or modify an existing policy map that you want to use to apply the CTIQBE
Step 3
inspection engine to FTP traffic. To do so, use the policy-map command, as follows.
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters the policy map configuration
mode and the prompt changes accordingly.
Specify the class map, created in
Step 4
do so, as follows.
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the name of the class map you created in
map class configuration mode and the prompt changes accordingly.
Step 5 Enable CTIQBE application inspection.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Stateful Failover of CTIQBE calls is not supported.
Entering the debug ctiqbe command may delay message transmission, which may have a
performance impact in a real-time environment. When you enable this debugging or logging and
Cisco IP SoftPhone seems unable to complete call setup through the FWSM, increase the timeout
values in the Cisco TSP settings on the system running Cisco IP SoftPhone.
If two Cisco IP SoftPhones are registered with different Cisco CallManagers, which are connected
to different interfaces of the FWSM, calls between these two phones fails.
When Cisco CallManager is located on the higher security interface compared to
Cisco IP SoftPhones, if NAT or outside NAT is required for the Cisco CallManager IP address, the
mapping must be static as Cisco IP SoftPhone requires the Cisco CallManager IP address to be
specified explicitly in its Cisco TSP configuration on the PC.
When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP
port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP
SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not
user-configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP.
Step 1, that identifies the CTIQBE traffic. Use the class command to
CTIQBE Inspection
Step 1. The CLI enters the policy
22-11