The Media Gateway Control Protocol (MGCP) is the IETF standard for multimedia conferencing over IP. It offers a mechanism for controlling media gateways by providing conversion between the audio signals carried on telephone circuits and data packets carried over IP networks.
MGCP messages are ASCII-based and are transmitted over UDP. This protocol is defined in RFC 3661. There are eight types of MGCP commands:
Each command requires a mandatory reply. The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent. In some cases the gateway may also send a DeleteConnection command to tear down a connection to the call agent. The RestartInProgress command is used in the registration process of the MGCP gateway. The AuditEndpoint and the AuditConnection commands are sent by the call agent to the gateway.
The Cisco ASA performs the following tasks for MGCP inspection:
A call agent is a device that provides call-processing functions, feature logic, and gateway control in an IP telephony system. An MGCP gateway handles the translation between audio signals and the IP packet network. In the MGCP configurations that Cisco IOS supports, the gateway can be a Cisco router, access server, or cable modem, and the call agent can be a server from Cisco (Cisco PGW or Cisco BTS Softswitches) or from a third-party vendor.
Figure 8-11 demonstrates how the Cisco ASA inspects messages exchanged between two media gateways residing in two different networks.
Figure 8-11. MGCP Inspection
To enable MGCP inspection, use the inspect mgcp command. Create an MGCP map using the mgcp-map command to enable enhanced MGCP inspection. Example 8-13 demonstrates how to create an MGCP map for enhanced MGCP inspection.
Example 8-13. Enhanced MGCP Inspection
mgcp-map mymgcpmap
 call-agent 10.10.10.133 876
 command-queue 500
 gateway 192.168.11.23 876
policy-map asa_global_fw_policy
 class inspection_default
  inspect mgcp mymgcpmap
In Example 8-13, an MGCP map named mymgcpmap is configured. The call-agent command specifies a group of call agents that can manage one or more gateways. A call agent with IP address 10.10.10.133 and the group ID 876 is configured.
The group ID option can be any number between 0 and 2,147,483,647. Call agents with the same group ID belong to the same group. A call agent may belong to more than one group.
The command-queue command limits the number of MGCP commands that the Cisco ASA queues while waiting for a response; in this example the limit is 500. The range of allowed values for the command-queue limit option is 1 to 2,147,483,647.
A gateway with IP address 192.168.11.23 in group 876 is also configured. The gateway command specifies which group of call agents manages a particular gateway.
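The following Python check is an added example, not code from the book or from Cisco. It lints an ASA configuration against the rules described above: the group ID and command-queue ranges, every gateway sharing a group ID with at least one call agent, and every inspect mgcp statement naming a defined map. The function names, the second map (badmap), and the reliance on indented sub-commands are assumptions made for illustration.

```python
import re
MAX_ID = 2_147_483_647  # upper bound the text gives for group ID and command-queue

# Constructed sample: Example 8-13 plus a deliberately inconsistent second map.
SAMPLE_CONFIG = """\
mgcp-map mymgcpmap
 call-agent 10.10.10.133 876
 command-queue 500
 gateway 192.168.11.23 876
mgcp-map badmap
 command-queue 0
 gateway 192.168.11.24 900
policy-map asa_global_fw_policy
 class inspection_default
  inspect mgcp mymgcpmap
  inspect mgcp missingmap
"""

def parse_mgcp_maps(config):
    # Returns ({map: {"agents": {group: [ip]}, "gateways": [(ip, group)], "queue": n}}, [inspected maps])
    maps, referenced, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line closes the open mgcp-map
            current = None
        if m := re.fullmatch(r"mgcp-map (\S+)", line):
            current = maps.setdefault(m[1], {"agents": {}, "gateways": [], "queue": None})
        elif m := re.fullmatch(r"inspect mgcp (\S+)", line):
            referenced.append(m[1])
        elif current and (m := re.fullmatch(r"call-agent (\S+) (\d+)", line)):
            current["agents"].setdefault(int(m[2]), []).append(m[1])
        elif current and (m := re.fullmatch(r"gateway (\S+) (\d+)", line)):
            current["gateways"].append((m[1], int(m[2])))
        elif current and (m := re.fullmatch(r"command-queue (\d+)", line)):
            current["queue"] = int(m[1])
    return maps, referenced

def lint(config):
    maps, referenced = parse_mgcp_maps(config)
    findings = []
    for name, m in maps.items():
        groups = list(m["agents"]) + [g for _, g in m["gateways"]]
        findings += [f"{name}: group ID {g} above {MAX_ID}" for g in groups if g > MAX_ID]
        if m["queue"] is not None and not 1 <= m["queue"] <= MAX_ID:
            findings.append(f"{name}: command-queue {m['queue']} outside 1-{MAX_ID}")
        findings += [f"{name}: gateway {ip} group {g} has no call agent"
                     for ip, g in m["gateways"] if g not in m["agents"]]
    findings += [f"inspect mgcp references undefined map {r}" for r in referenced if r not in maps]
    return findings
```

Calling lint(SAMPLE_CONFIG) reports three findings for the constructed errors, while the configuration from Example 8-13 on its own produces none.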