ASA and Skinny inspect

Aug 12th, 2010

Not sure if this is a voice question or a firewall question.


I am trying to configure my ASA 7.2(4) to inspect SCCP traffic from a CUCM v7.


I have been advised that the ASA device needs to support the version of Skinny I am running.


Two Questions:


What version of Skinny does ASA 7.2(4) support?


How can I find out what version my phones are using?

martinbuffleo Thu, 08/12/2010 - 02:15

Thanks for the reply.


So the ASA running 7.2(4) will support

"There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2. The security appliance supports all versions through Version 3.3.2. "


But when I have looked at v8 of the firmware the ASA supports up to SCCP v19.


That's a huge jump.


Going to have to downgrade my phones because I think they are running a firmware that uses SCCP v18.


Then I bet that phone version won't be supported on CUCM v7.

fara.rhea Thu, 11/22/2012 - 23:21

I have found in this forum,


https://supportforums.cisco.com/thread/2036498


So I tried to search the official release documentation from Cisco: which version is supported by inspect sccp? I have found this:


http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i2.html#wp1762128


It says ASA 8.4 supports SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2, but I have found that the new CUCM uses SCCP version 17 (CMIIW).



This is related to my problem: I found in my ASA log entries about teardrop TCP to port 2000 from several IPs but not from other IPs. After I searched, those IPs are VGs, not IP phones.


This is the log:


2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411196 for outside:xxx145.201/38733 (xxx145.201/38733) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411196 for outside:xxx145.201/38733 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.201/38733 to xxx.xxx.1/2000 flags ACK  on interface outside

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411198 for outside:xxx145.204/28317 (xxx145.204/28317) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411198 for outside:xxx145.204/28317 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.204/28317 to xxx.xxx.1/2000 flags ACK  on interface outside


I suspect this is because of Skinny inspection issues, because I have a permit ACL for TCP port 2000 for that IP. This is just for the VG; for IP phones there are no logs like this.
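The Built / Teardown / Deny sequence in the log above can be pulled out of a larger syslog capture and grouped by source, which shows which endpoints (for example the VGs versus the phones) produce it. This is an added example, not part of the original posts; the sample lines are constructed with documentation addresses, and the regexes assume the message layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the post (documentation addresses).
SAMPLE = """\
2012-11-13 20:12:08 Local4.Info 192.0.2.93 %ASA-6-302013: Built inbound TCP connection 7411196 for outside:198.51.100.201/38733 (198.51.100.201/38733) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:12:08 Local4.Info 192.0.2.93 %ASA-6-302014: Teardown TCP connection 7411196 for outside:198.51.100.201/38733 to inside:192.0.2.1/2000 duration 0:00:00 bytes 196 FIN Timeout
2012-11-13 20:12:08 Local4.Info 192.0.2.93 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.201/38733 to 192.0.2.1/2000 flags ACK  on interface outside
2012-11-13 20:12:09 Local4.Info 192.0.2.93 %ASA-6-302013: Built inbound TCP connection 7411300 for outside:198.51.100.50/51000 (198.51.100.50/51000) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:14:09 Local4.Info 192.0.2.93 %ASA-6-302014: Teardown TCP connection 7411300 for outside:198.51.100.50/51000 to inside:192.0.2.1/2000 duration 0:02:00 bytes 5120 TCP FINs
"""

BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for "
                   r"\w+:([\d.]+)/(\d+) \S+ to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) .*"
                      r"duration (\d+:\d+:\d+) bytes (\d+) (.+)$")
DENY = re.compile(r"%ASA-6-106015: Deny TCP \(no connection\) from "
                  r"([\d.]+)/(\d+) to ([\d.]+)/(\d+)")


def find_short_lived(lines):
    """Group by source IP the connections that were torn down with duration
    0:00:00 and then hit a 106015 deny (packet with no matching connection
    entry) for the same source ip/port -> destination ip/port."""
    open_conns, closed, hits = {}, {}, defaultdict(list)
    for line in lines:
        if m := BUILT.search(line):
            # connection id -> (src ip, src port, dst ip, dst port)
            open_conns[m.group(1)] = m.groups()[1:]
        elif m := TEARDOWN.search(line):
            cid, duration, nbytes, reason = m.groups()
            flow = open_conns.pop(cid, None)
            if flow and duration == "0:00:00":
                closed[flow] = (int(nbytes), reason.strip())
        elif m := DENY.search(line):
            flow = m.groups()
            if flow in closed:
                nbytes, reason = closed.pop(flow)
                hits[flow[0]].append((f"{flow[2]}:{flow[3]}", nbytes, reason))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_short_lived(SAMPLE.splitlines()).items():
        print(src, len(events), events)
```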
