ASA and Skinny inspect

martinbuffleo
Level 1

Not sure if this is a voice question or a firewall question.

I am trying to configure my ASA 7.2(4) to inspect SCCP traffic from a CUCM v7.

I have been advised that the ASA device needs to support the version of Skinny I am running.

Two Questions:

What version of Skinny does ASA 7.2(4) support?

How can I find out what version my phones are using?

3 Replies

Jennifer Halim
Cisco Employee

Here is the version of skinny that ASA version 7.2 supports:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1667072

Sorry, not sure about the phone itself.

Thanks for the reply.

So the ASA running 7.2(4) will support

"There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2. The security appliance supports all versions through Version 3.3.2. "

But when I looked at v8 of the firmware, the ASA supports up to SCCP v19.

That's a huge jump.

Going to have to downgrade my phones because I think they are running a firmware that uses SCCP v18.

Then I bet that phone version won't be supported on CUCM v7.

I have found this in this forum:

https://supportforums.cisco.com/thread/2036498

So I tried to search the official release documentation from Cisco: which versions are supported by SCCP inspection? I have found this:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i2.html#wp1762128

It says ASA 8.4 supports SCCP protocol versions 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2, but I have found that the new CUCM uses SCCP version 17 (CMIIW).

This is related to my problem: I found in my ASA log entries about teardrop TCP to port 2000 from several IPs but not from other IPs. After I searched, those IPs are VGs, not IP phones.

This is the log:

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411196 for outside:xxx145.201/38733 (xxx145.201/38733) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411196 for outside:xxx145.201/38733 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.201/38733 to xxx.xxx.1/2000 flags ACK  on interface outside

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302013: Built inbound TCP connection 7411198 for outside:xxx145.204/28317 (xxx145.204/28317) to inside:xxx.xxx.1/2000 (xxx.xxx.1/2000)

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-302014: Teardown TCP connection 7411198 for outside:xxx145.204/28317 to inside:xxx.xxx.1/2000 duration 0:00:00 bytes 196 FIN Timeout

2012-11-13 20:12:08          Local4.Info          xxx.xxx.93          %ASA-6-106015: Deny TCP (no connection) from xxx145.204/28317 to xxx.xxx.1/2000 flags ACK  on interface outside

I suspect this is because of Skinny inspection issues, because I have a permit ACL for TCP port 2000 for that IP. This is just for the VG; for IP phones there are no logs like this.
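
Added example, not part of any post in this thread: a Python sketch that correlates the three ASA syslog messages quoted above (302013 built, 302014 teardown, 106015 deny with no connection) and reports, per source IP, connections to TCP/2000 that were torn down almost immediately and then had further packets dropped. The function name, thresholds and sample lines are assumptions; the sample uses constructed documentation addresses.

```python
import re
from collections import defaultdict

# Message formats follow the three ASA syslog IDs quoted in the post above.
BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for "
                   r"[^:\s]+:([^/\s]+)/(\d+) \([^)]*\) to [^:\s]+:([^/\s]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\d+):(\d+):(\d+) bytes (\d+) (.+)$")
DENY = re.compile(r"%ASA-6-106015: Deny TCP \(no connection\) from "
                  r"([^/\s]+)/(\d+) to ([^/\s]+)/(\d+) flags")

def short_lived_flows(lines, port="2000", max_seconds=1):
    """Per source IP: connections to `port` torn down within `max_seconds`,
    and later packets for the same flow dropped by 106015 (no connection)."""
    open_conns, closed = {}, set()
    report = defaultdict(lambda: {"short": 0, "denied_after": 0, "reasons": set()})
    for line in lines:
        line = line.strip()
        if m := BUILT.search(line):
            cid, *flow = m.groups()          # flow = src, sport, dst, dport
            if flow[3] == port:
                open_conns[cid] = tuple(flow)
        elif m := TEARDOWN.search(line):
            cid, h, mnt, sec, _nbytes, reason = m.groups()
            flow = open_conns.pop(cid, None)
            if flow and int(h) * 3600 + int(mnt) * 60 + int(sec) <= max_seconds:
                closed.add(flow)
                report[flow[0]]["short"] += 1
                report[flow[0]]["reasons"].add(reason)
        elif (m := DENY.search(line)) and m.groups() in closed:
            report[m.group(1)]["denied_after"] += 1
    return dict(report)

# Constructed sample: .201 stands in for the voice gateway, .50 for an IP
# phone whose session stays up and closes normally.
SAMPLE = """\
2012-11-13 20:12:08 Local4.Info 192.0.2.93 %ASA-6-302013: Built inbound TCP connection 101 for outside:198.51.100.201/38733 (198.51.100.201/38733) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:12:08 Local4.Info 192.0.2.93 %ASA-6-302014: Teardown TCP connection 101 for outside:198.51.100.201/38733 to inside:192.0.2.1/2000 duration 0:00:00 bytes 196 FIN Timeout
2012-11-13 20:12:08 Local4.Info 192.0.2.93 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.201/38733 to 192.0.2.1/2000 flags ACK  on interface outside
2012-11-13 20:12:09 Local4.Info 192.0.2.93 %ASA-6-302013: Built inbound TCP connection 102 for outside:198.51.100.50/51000 (198.51.100.50/51000) to inside:192.0.2.1/2000 (192.0.2.1/2000)
2012-11-13 20:24:39 Local4.Info 192.0.2.93 %ASA-6-302014: Teardown TCP connection 102 for outside:198.51.100.50/51000 to inside:192.0.2.1/2000 duration 0:12:30 bytes 48211 TCP FINs
""".splitlines()

if __name__ == "__main__":
    for src, stats in short_lived_flows(SAMPLE).items():
        print(src, stats)
```

Sources that appear in the result are the ones whose SCCP sessions the firewall closed right after setup, which gives a list of endpoints to compare against firmware and SCCP versions.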
