ASA Phone Proxy: Phone service and Directory buttons do not work

Hi,

I am trying to configure the ASA 8.0(4) phone proxy feature with CallManager 6.1(x) as per the documentation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1144829

I set the TFTP server IP address on the remote IP phone to the ASA proxy address, and the remote IP phone can successfully register to CallManager.

But from the remote IP phone, the phone directory and phone service buttons are not working: "Host not found". I think this is because the IP phone still gets the internal IP address of CallManager for the phone service?

Or did I miss something?

Thanks,

JJ

Jon Nelson Thu, 02/26/2009 - 06:58

You aren't missing anything. There is no support for this in the current version of the ASA proxy. This is what happens when a voice product leaves the UC BU and ends up as a product in the Security BU.

I don't know what is on the roadmap, but I hope this gets back in the product as it is a function that is sorely missed.

rfallara Thu, 02/26/2009 - 07:27

I am having the same issue and I just started to look into the proxy-server option in the ASA phone proxy config. Couldn't I just set up an HTTP proxy (preferably on the ASA) and use that to tunnel the phone service request through? I would still have the issue of the phone service traffic being unencrypted, but I think it would function.

calmichael Fri, 03/06/2009 - 15:07

I have been able to get the directory, service, and information to work; this isn't exactly documented too well yet, but it should get better.

I am using 8.0(4)23 as I had to get away from the walkie-talkie audio issue of the standard 8.0(4) code. I am also not using LSCs yet, only MICs.

xxx.xxx.xxx.xxx is the internal IP of the CUCM Publisher running TFTP

yyy.yyy.yyy.yyy is my ASA external IP meant for TFTP / 8080

zzz.zzz.zzz.zzz is my ASA external MTP

The configuration that seems to work is:

object-group service tftp udp
 port-object eq tftp
object-group network cucm
 network-object host yyy.yyy.yyy.yyy
access-list outside_access_in extended permit udp any object-group cucm object-group tftp
static (inside-60,outside-96) tcp yyy.yyy.yyy.yyy 8080 xxx.xxx.xxx.xxx www netmask 255.255.255.255
static (inside-60,outside-96) yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx netmask 255.255.255.255
phone-proxy
 proxy-server address xxx.xxx.xxx.xxx interface inside

Try this out and verify that this helped.

redrobish Sun, 03/08/2009 - 18:57

Thanks calmichael

That's good news to me, getting the directory and service to work! We're the same, only MIC is being used. Can you please give me a copy of your config? I just want to compare it to mine. [email protected]

By the way, I've PATed the outside traffic going inbound through the ASA for each specific phone IP address. Is there a way to stick/trust the outside phone using the MAC address instead of the IP address? I don't want to perform PAT on all the outside traffic going inbound through the ASA.

My config, for example:

PhoneProxyASA(config)# nat (outside) 55 172.18.254.73 255.255.255.255 outside
PhoneProxyASA(config)# global (inside) 55 interface

where 172.18.254.73 is the IP address of the phone on the outside.

Thanks

redrobish Wed, 05/20/2009 - 18:36

Heard that the new ASA firmware (8.2.1, released this May) has fixed this issue. Has anyone tried it out yet?

Thanks

redrobish Mon, 06/08/2009 - 16:56

Hi calmichael,

I'm trying out your configuration but I'm getting an error when entering both static commands, a conflict since there's already a static. Any workaround? Thanks

"ERROR: mapped-address conflict with existing static
inside:xxx.xxx.xxx.xxx to outside:yyy.yyy.yyy.yyy netmask 255.255.255.255"

TIA

redrobish Mon, 06/08/2009 - 17:29

Got it, with a little trick: I removed the 1st static mapping, entered the 2nd static map, then re-entered the 1st static map. (A bug or something?) Although I got the same error as before, it did go into the config and it works. The directory works fine and the extension mobility entry displays; however, when extension mobility is selected, it still doesn't show the login/logoff and I get an "http error [404]!". Any suggestions?

TIA

KonradStepniewski Wed, 05/20/2009 - 23:37

Basically it's quite simple to fix when you use DNS names for CM.

You just have to make the DNS name resolvable both internally and externally.

Then go to Enterprise Parameters Configuration > Phone URL Parameters and change: URL Directories, URL Services

You will need a static map on the ASA from the external IP to the internal one, and this setup works fine.

redrobish Wed, 05/20/2009 - 23:50

How about if I'm not using DNS names for my CM? Any resolution?

Thanks for the reply though.

TIA

KonradStepniewski Thu, 05/21/2009 - 00:11

You can use DNS names only for those 2 parameters, and keep in mind it's only a workaround, not a real fix.

Rate if this helps.

Joshua Warcop Fri, 02/05/2010 - 17:59

With the configuration update outlined below, the ASA will insert a value for "Proxy Server" on a 7900 series phone. You can check this on the phone by pressing Settings | Device Configuration | HTTP Configuration | Proxy server. The ASA will insert the global address for the CUCM server and dynamically update the access-list for a registered phone.

You can correct this issue through ASDM or through CLI.

Open ASDM

Expand Firewall | Advanced | Encrypted Traffic Inspection | Phone Proxy

Click "Configure a http-proxy which would be written into the phone's config file so that phone URLs are directed for services on the phone."

Insert the IP address of your CUCM server, port 8080, interface "Inside" (normally).

CLI:

phone-proxy asdm_phone-proxy
 proxy-server address X.X.X.X interface inside      (where X.X.X.X = your CUCM server)

redrobish Tue, 02/09/2010 - 18:48

Thanks for the reply jwarcop.

Actually I already have what you are suggesting but it's still not working. I've attached my config so it may be understandable.

Note: on this same ASA, I've got site-to-site VPN going on.

TIA

Joshua Warcop Tue, 02/09/2010 - 19:45

Remove this static and clear the r.r.r.r global xlate.

static (inside,outside) tcp r.r.r.r 8080 s.s.s.s www netmask 255.255.255.255

This is built dynamically for you.
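
Added example (not part of the thread, and not Cisco tooling): a small Python check for the overlap described in the post above, where a hand-written static PAT on the proxy port duplicates the mapping the phone proxy builds from its `proxy-server` line. The sample config and its addresses are constructed, and the default port of 8080 is an assumption taken from the port used in this thread.

```python
import re

# Constructed sample config; addresses are documentation placeholders.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 192.0.2.10 8080 10.1.1.1 www netmask 255.255.255.255
static (inside,outside) 192.0.2.20 10.1.1.5 netmask 255.255.255.255
phone-proxy asdm_phone-proxy
 tftp-server address 10.1.1.1 interface inside
 proxy-server address 10.1.1.1 interface inside
"""

# static (real_if,mapped_if) tcp mapped_ip mapped_port real_ip real_port ...
STATIC_PAT = re.compile(
    r"^static \([^)]+\) tcp (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+)"
)
# A port token before "interface" is tolerated; 8080 (the port used in the
# thread) is assumed when none is given.
PROXY_SERVER = re.compile(
    r"^proxy-server address (?P<ip>\S+)(?: (?P<port>\d+))? interface \S+"
)


def find_overlapping_statics(config_text):
    """Return (mapped_ip, line) for each static PAT that duplicates the
    phone-proxy HTTP proxy mapping for the same internal server and port."""
    lines = [line.strip() for line in config_text.splitlines()]
    proxies = set()
    for line in lines:
        m = PROXY_SERVER.match(line)
        if m:
            proxies.add((m["ip"], m["port"] or "8080"))
    findings = []
    for line in lines:
        m = STATIC_PAT.match(line)
        if m and (m["real_ip"], m["mapped_port"]) in proxies:
            findings.append((m["mapped_ip"], line))
    return findings


if __name__ == "__main__":
    for mapped_ip, line in find_overlapping_statics(SAMPLE_CONFIG):
        print(f"remove: no {line}")
        print(f"then clear the xlate for global address {mapped_ip}")
```
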

redrobish Sun, 02/14/2010 - 17:09

Hi jwarcop,

Done as you recommended and I definitely see the proxy server URL (r.r.r.r:8080) at Settings | Device Configuration | HTTP Configuration, where r.r.r.r is the outside address, but I'm still getting "HTTP Error(404)" from the Services button.

If I adjust the URL parameters/services in the enterprise parameters to use DNS, will it affect all my phones not set up for phone proxy? I.e. will I need to restart the services, etc.?

By the way, after I removed my static the directories also went away (they were working when the static was in place, while only the EM was not).

And I don't want to adjust the URL parameters/services.

Any more ideas?

Thanks

rfallara Sun, 02/14/2010 - 17:45

Are you pointing directly at a CUCM for the proxy server address? It should work if all the services are on that CUCM, but if you are trying to hit web services on other internal boxes the call manager won't proxy those requests; you need to point to a real web proxy server. I ended up setting up a Squid proxy box and pointing all external phones to that, and it was able to get their requests to the right box on the inside.

redrobish Sun, 02/14/2010 - 18:00

Yep, I'm pointing to a CUCM address and I can see the URLs on the external phone are all correct (same as the internal phones)

i.e. Directories URL: http://s.s.s.s/CCMCIP/xmldirectory.asp where s.s.s.s = internal CUCM address

Just wondering, the ASA should be able to proxy this, right? Or should I add anything on the ASA?

Thanks

Jon Nelson Sun, 02/14/2010 - 18:52

Here is a sample of my working configuration for the Phone Proxy portion:

phone-proxy CUCM-PHONE-PROXY
 media-termination mediaterm1
 tftp-server address 10.1.1.1 interface inside
 tftp-server address 10.2.1.1 interface outside
 tls-proxy CUCM-TLS
 cipc security-mode authenticated
 ctl-file CUCM-CTL
 proxy-server address 10.1.1.1 interface inside

I'm running 8.2.2 on the ASA in my lab and CUCM 7.1.3su1b.

I've changed the IPs, but it does work. The one drawback to this configuration is that all the information sent is sent in clear text, so if someone is sniffing traffic they could get logins, passwords, IPs, etc. This might be remedied in CUCM8 with secure services.

HTH

-Jon

redrobish Sun, 02/14/2010 - 19:43

Hi Jon,

I've added the "tftp-server address x.x.x.x interface outside" on mine but it's still not working.

y.y.y.y = subscriber

z.z.z.z = publisher

x.x.x.x = external IP static to z.z.z.z (pubs)

Here's mine:

phone-proxy CUCM-PHONE-PROXY
 media-termination mediaterm1
 tftp-server address z.z.z.z interface inside
 tftp-server address x.x.x.x interface outside --just added
 tls-proxy CUCM-TLS
 cipc security-mode authenticated
 ctl-file CUCM-CTL
 proxy-server address z.z.z.z interface inside

Just noticed on the status of the phone the error "TFTP not authorized: y.y.y.y", but the phone proxy is working (can make calls, etc.). I only declared one CUCM address on the ASA, to utilize the 2 free licenses. Would this be an issue related to the EM?

By the way, mine is 8.2.1; I'll upgrade to 8.2.2 and then see if that improves things.

Thanks