Some Cisco Voice over IP (VoIP) applications use the Telephony Application Programming Interface (TAPI) and Java TAPI (JTAPI). TAPI-compatible applications can run on a wide variety of PC and telephony hardware and can support a variety of network services. The Cisco TAPI Service Provider (TSP) uses the Computer Telephony Interface Quick Buffer Encoding (CTIQBE) to communicate with Cisco CallManager on TCP port 2748. Figure 8-1 illustrates how CTIQBE works.
Figure 8-1. Explanation of CTIQBE
In Figure 8-1, a PC with Cisco IP SoftPhone communicates with a Cisco CallManager. CTIQBE inspection is not enabled by default. Use the inspect ctiqbe command to enable the Cisco ASA to inspect the TCP port 2748 CTIQBE packets, as shown in Example 8-5.
Example 8-5. Enabling CTIQBE Inspection
Chicago# configure terminal Chicago(config)# policy-map asa_global_fw_policy Chicago(config-pmap)# class inspection_default Chicago(config-pmap-c)# inspect ctiqbe
In Example 8-5, CTIQBE inspection is enabled under the Cisco ASA global policy. Consequently, all traffic traversing the security appliance is inspected for CTIQBE, which successfully translates and transfers CTIQBE traffic to and from Cisco CallManager and IP SoftPhone.
CTIQBE application inspection is not supported if the alias command is present in the configuration.
CTIQBE calls will fail if two Cisco IP SoftPhones are registered with different Cisco CallManagers connected to different interfaces of the Cisco ASA.
If the Cisco CallManager IP address is to be translated and you are also using PAT, TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed. The CTIQBE listening port (TCP 2748) is fixed and is not configurable on Cisco CallManager, Cisco IP SoftPhone, or Cisco TSP.
Stateful failover of CTIQBE calls is not supported.
You can use the show conn state ctiqbe detail command to display the status of CTIQBE connections. The C flag represents the media connections allocated by the CTIQBE inspection engine. Example 8-6 includes the output of the show conn state ctiqbe detail command.
Example 8-6. Output of the show conn state ctiqbe detail Command
Chicago# show conn state ctiqbe detail 5 in use, 11 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete, J - GTP, j - GTP data, k - Skinny media, M - SMTP data, m - SIP media, O - outbound data, P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN, R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
Part I: Product Overview
Introduction to Network Security
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
Authentication, Authorization, and Accounting (AAA)
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM