Firewall Traversal Mechanisms
Any firewall, including Cisco ASA or an application layer gateway (ALG), is expected to provide certain mechanisms so that voice and video traffic can traverse through the firewall/ALG to reach the destination. Firewall traversal is provided in multiple ways, including NAT traversal, IPsec tunnels, IP ACLs, or port-based ACLs.
Almost every firewall (including Cisco ASA) provides NAT services to enable manipulating the IP address or port number, or both, for traffic going out or coming into a network. To ensure that voice traffic is unaltered by NAT, either it should be exempted from NAT or appropriate inspection mechanisms should be applied to enable the firewall to look at the contents of the packets. NAT control can be turned off on Cisco ASA, thereby allowing packets to traverse Cisco ASA unaltered. Also, use of RFC 1918 addresses on internal servers is recommended, where possible, such that globally routable (public) network addresses do not pass through the firewall using a NAT mechanism. NAT/ALG firewalls/devices can inspect signaling in normal mode (that is, TCP/UDP-based signaling), but with encrypted signaling leveraging Transport Layer Security (TLS), a NAT/ALG-aware firewall is unable to look into the content of packets.
Site-to-site or remote-access VPN IPsec tunnels can be used to enable NAT exemption. Moreover, if the VPN gateway is placed behind a firewall, the firewall is unable to inspect or modify the contents of the packet within the tunnel. This is an ideal solution when a corporate firewall is required to filter all traffic except voice/video traffic.
Traffic from the Internet, remote sites, telecommuters, and remote workers can be filtered based on IP ACLs. This allows a modest degree of control on the traffic that traverses through the firewall. In such cases, inspections may still be required to handle voice and video signaling and media traffic.
Synonymous to IP-based ACLs, port-based ACLs can be used for filtering traffic from/to an external network to the data center. Port-based ACLs give an administrator or a security engineer a greater degree of control and allow for the least permissive policy. However, port-based ACLs are also the most tedious to configure because every port for a Cisco Collaboration protocol or service needs to be looked at and allowed or denied as per the organization’s policy.
In case of voice and video signaling and media traffic, quite a few protocols and ports must be permitted to ensure that the Collaboration services operate appropriately. As discussed in Chapter 3, “Telephony Standards and Protocols,” the most commonly used voice and video protocols include SCCP, MGCP, H.323, SIP, RTP, and RTCP.
Moreover, there are other protocols that are used for administration and integration of voice services, such as SSH, TAPI/JTAPI, HTTP, HTTPS, TFTP, DNS, and LDAP.
For a complete list of TCP/UDP ports that are required for firewall traversal for CUCM, refer to “Cisco Unified Communications Manager TCP and UDP Port Usage” at www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_1_1/CUCM_BK_T2CA6EDE_00_tcp-port-usage-guide-91/CUCM_BK_T2CA6EDE_00_tcp-port-usage-guide-91_chapter_01.html.
For video communications, Cisco Video Communications Server (VCS) can be deployed as Cisco TelePresence VCS Control for use within an enterprise and as the Cisco VCS Expressway for communication with external entities. VCS Expressway enables business-to-business (B2B) communications and includes the features of the Cisco VCS Control with highly secure firewall traversal capability. VCS Expressway can be implemented either on the inside (secure zone) or in the demilitarized zone (DMZ). VCS Expressway firewall traversal is shown in Figure 5-2.
Figure 5-2 VCS Expressway Firewall Traversal
It’s important to note that SIP and H.323 protocol inspection on the firewall must be disabled. Instead, the firewall should be configured for traversal leveraging requisite ports. For details on the ports that are required for firewall traversal, refer to the deployment guide Cisco VCS IP Port Usage for Firewall Traversal (PDF file) at www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-1.pdf.