02-25-2009 08:38 PM - edited 03-15-2019 04:28 PM
Hi,
I am trying to configure the ASA 8.0(4) phone proxy feature with CallManager 6.1(x) as per the documentation http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1144829
I assigned the TFTP server IP address on the remote IP phone with the ASA proxy address, and the remote IP phone can successfully register to CallManager.
But from the remote IP phone, the phone directory and phone service buttons are not working: "Host not found". I think this is because the IP phone still gets the phone service internal IP address of CallManager?
Or did I miss something?
Thanks,
JJ
02-26-2009 06:58 AM
You aren't missing anything. There is no support for this in the current version of the ASA proxy. This is what happens when a voice product leaves the UC BU and ends up as a product in the Security BU.
I don't know what is on the roadmap, but I hope this gets back in the product as it is a function that is sorely missed.
02-26-2009 07:27 AM
I am having the same issue and I just started to look into the proxy-server option in the ASA phone proxy config. Couldn't I just set up an HTTP proxy (preferably on the ASA) and use that to tunnel the phone service request through? I still would have the issue of the phone service traffic being unencrypted, but I think it would function.
03-06-2009 03:07 PM
I have been able to get the directory, service, and information to work; this isn't exactly documented too well yet - but it should get better.
I am using 8.0(4)23 as I had to get away from the walkie-talkie audio issue of the standard 8.0(4) code. I also am not using LSCs yet - only MICs.
xxx.xxx.xxx.xxx is the internal IP of the CUCM Publisher running tftp
yyy.yyy.yyy.yyy is my ASA external IP meant for tftp / 8080
zzz.zzz.zzz.zzz is my ASA external MTP
The configuration that seems to work is:
object-group service tftp udp
 port-object eq tftp
object-group network cucm
 network-object host yyy.yyy.yyy.yyy
access-list outside_access_in extended permit udp any object-group cucm object-group tftp
static (inside-60,outside-96) tcp yyy.yyy.yyy.yyy 8080 xxx.xxx.xxx.xxx www netmask 255.255.255.255
static (inside-60,outside-96) yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx netmask 255.255.255.255
phone-proxy
 proxy-server address xxx.xxx.xxx.xxx interface inside
Try this out and verify that this helped.
03-08-2009 06:57 PM
Thanks calmichael
That's good news to me, getting the directory & service to work! We're the same, only MIC is being used. Can you please give me a copy of your config? I just want to compare it to mine. --redrobish@walla.com
BTW, I've PATed the outside traffic going inbound through the ASA for each specific phone IP address. Is there a way to stick/trust the outside phone using the MAC address instead of the IP address, since I don't want to perform PAT on all the outside traffic going inbound through the ASA?
My config example:
PhoneProxyASA(config)# nat (outside) 55 172.18.254.73 255.255.255.255 outside
PhoneProxyASA(config)# global (inside) 55 interface
where 172.18.254.73 is the IP address of the phone on the outside.
thanks
05-20-2009 06:36 PM
Heard that the new ASA firmware (8.2.1, released this May) has fixed this issue. Has anyone tried it out yet?
thnx
06-08-2009 04:56 PM
Hi calmichael,
I'm trying out your configuration but I'm getting an error when entering both of the static configs: a conflict, since there's already a static. Any workaround? Thanks
"ERROR: mapped-address conflict with existing static
inside:xxx.xxx.xxx.xxx to outside:yyy.yyy.yyy.yyy netmask 255.255.255.255"
tia
06-08-2009 05:29 PM
Got it, a little trick: I removed the 1st static mapping, entered the 2nd static map, then re-entered the 1st static map. (A bug or something?) Although I got the same error as before, it did go into the config and it works. The directory works fine and extension mobility displays; however, when extension mobility was selected, it still doesn't show the login/logoff and I got an "http error [404]!". Any suggestions?
tia
05-20-2009 11:37 PM
Basically it's quite simple to fix when you use DNS names for CM.
You just have to make the DNS name resolvable both internally and externally.
Then go to Enterprise Parameters Configuration > Phone URL Parameters and change: URL Directories, URL Services
You will need a static map on the ASA from the external IP to the internal one, and this setup works fine.
05-20-2009 11:50 PM
How about if I'm not using DNS names for my CM? Any resolution?
Thanks for the reply though.
tia
05-21-2009 12:11 AM
You can use DNS names only for those 2 parameters; keep in mind it's only a workaround, not a real fix.
Rate if this helps.
02-05-2010 05:59 PM
With the configuration update outlined below, the ASA will insert a value for "Proxy Server" on a 7900 series phone. You can check this on the phone by pressing Settings | Device Configuration | HTTP Configuration | Proxy server. The ASA will insert the global address for the CUCM server and dynamically update the access-list for a registered phone.
You can correct this issue through ASDM or through CLI.
Open ASDM
Expand Firewall | Advanced | Encrypted Traffic Inspection | Phone Proxy
Click "Configure a http-proxy which would be written into the phone's config file so that phone URLs are directed for services on the phone".
Insert the IP address of your CUCM server, port 8080, interface "Inside" (normally).
CLI:
phone-proxy asdm_phone-proxy
proxy-server address X.X.X.X interface inside (where X.X.X.X = your CUCM server)
02-09-2010 06:48 PM
02-09-2010 07:45 PM
Remove this static and clear the r.r.r.r global xlate.
static (inside,outside) tcp r.r.r.r 8080 s.s.s.s www netmask 255.255.255.255
This is built dynamically for you.
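An offline check for the two static-NAT points raised in this thread (the "mapped-address conflict" between a port static and a one-to-one static, and the manual 8080 static that the reply above says is built dynamically), added here as an example that is not from any poster or from Cisco. The addresses are constructed documentation addresses standing in for the masked ones, and the function and finding names are hypothetical.

```python
import re

# Constructed sample in the thread's ASA 8.0-era syntax; addresses are
# RFC 5737 documentation ranges standing in for the masked ones in the posts.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 198.51.100.10 8080 192.0.2.20 www netmask 255.255.255.255
static (inside,outside) 198.51.100.10 192.0.2.20 netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.11 www 192.0.2.30 www netmask 255.255.255.255
phone-proxy asdm_phone-proxy
 proxy-server address 192.0.2.20 interface inside
"""

STATIC_RE = re.compile(r"static \([^,]+,[^)]+\) (.+)")
PROXY_RE = re.compile(r"^\s*proxy-server address (\S+) interface \S+", re.M)

def parse_statics(config_text):
    """Return one dict per static line: kind is 'port' (tcp/udp PAT) or 'host'."""
    statics = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        tok = m.group(1).split()
        if tok[0] in ("tcp", "udp") and len(tok) >= 5:
            statics.append({"kind": "port", "mapped_ip": tok[1], "mapped_port": tok[2],
                            "real_ip": tok[3], "line": line})
        elif tok[0] not in ("tcp", "udp") and len(tok) >= 2:
            statics.append({"kind": "host", "mapped_ip": tok[0],
                            "real_ip": tok[1], "line": line})
    return statics

def audit(config_text):
    """Return (finding, config line) pairs for the two issues raised in the thread."""
    statics = parse_statics(config_text)
    proxy_ips = set(PROXY_RE.findall(config_text))
    host_mapped = {s["mapped_ip"] for s in statics if s["kind"] == "host"}
    findings = []
    for s in (s for s in statics if s["kind"] == "port"):
        # Manual 8080 static to the proxy-server address: a reply in the thread
        # says the ASA builds this translation dynamically.
        if s["mapped_port"] == "8080" and s["real_ip"] in proxy_ips:
            findings.append(("manual-8080-static", s["line"]))
        # Port static sharing a mapped address with a one-to-one static: the
        # combination behind the "mapped-address conflict" error in the thread.
        if s["mapped_ip"] in host_mapped:
            findings.append(("mapped-address-overlap", s["line"]))
    return findings

if __name__ == "__main__":
    for finding, line in audit(SAMPLE_CONFIG):
        print(f"{finding}: {line}")
```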
02-14-2010 05:09 PM
Hi jwarcop,
Done as you recommended and I definitely see the proxy server URL (r.r.r.r:8080) at Settings | Device Configuration | HTTP Configuration, where r.r.r.r is the outside address, but I'm still getting "HTTP Error(404)" from the Services button.
If I adjust the URL parameters/services in the enterprise parameters to use DNS, will it affect all my phones not set up for phone proxy, i.e. will I need to restart the services, etc.?
BTW, after I removed my static the directories also went away (they were working when the static was in place; only the EM was not).
And I don't want to adjust the URL parameters/services.
Any more ideas?
Thanks