SCCP (Skinny Client Control Protocol) is the protocol used by Cisco callmanager software for VOIP telephony. The VOIP connection is made up out of two separate connections: the control connection handling signaling and RTP data streams for the audio/video transmissions. In order to open the necessary dynamic ports for the RTP connection you need to use the Skinny firewall plugin. The plugin monitors the signaling connection between the VOIP phone and the Cisco callmanager on TCP port 2000. When a new call is initiated the plugin will interpret the packet containing the connection information and open the ports. Similarly these ports are closed when the plugin detects the corresponding call release packet in the skinny control connection.
Step 1. Create Service Objects for Signalling and Streaming Purpose
For information concerning service objects, see How to Create Service Objects. The skinny plugin has two optional parameters which can be entered in the Plugin field:
natname – is a reference to a Network Address Translation Map in the Connections tab in the firewall rule set (syntax: skinny natname=<natname>) and handles the signalling (protocol: TCP, port: 2000).
srvname – is a reference to a Dyn. Service label that data fills a service object with the data stream of skinny calls (syntax: skinny [srvname=<srvname>]) (protocol: UDP). The service object can be referenced by a firewall rule in order to forward the media streams between the call participants. The default value of srvname is RTP:Skinny.
Step 2. Create Translation Map (optional)
If network address translation is done between caller and callee an address translation map has to be defined, translating the real IP address of the participants to virtual addresses that are routeable for all nodes in the VOIP network. For more information, see How to Create NAT Tables (Translation Maps).
The name of the map must match the option of the natname parameter of the skinny firewall plugin configured above. The Original Address/Net is the physical IP subnet of a node whereas the Translated Address/Net is the virtual address.
In a call setup message the real address of the phone is translated to the virtual address. As soon as the other participant of the call receives the modified call setup message it starts sending its voice stream to the virtual address of the peer. The firewall next to the receiver of the media stream re-translates the virtual IP address back to the real address of the participant.
The firewall rule required for proper address translation handling has to contain a reference to the service object with the RTP Dyn. Service label specified in the skinny plugin (see above). The mapping rule action controls how the address mapping is performed. To use the same address map which is used by the skinny plugin, select the same map in the Redirection and Source Translation section. If no address translation is required then the Pass firewall action is to be used.
Skinny signal protocol firewall rule with Skinny firewall plugin:
RTP firewall rule with network address translation from the voipnat address translation map: