
ASA Phone Proxy: Phone service and Directory buttons not working

jjia
Level 2

Hi,

I am trying to configure the ASA 8.0(4) phone proxy feature with CallManager 6.1(x) as per the documentation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1144829

I set the TFTP server IP address on the remote IP phone to the ASA proxy address, and the remote IP phone can successfully register to CallManager.

But on the remote IP phone, the phone directory and phone service buttons are not working: "Host not found". I think this is because the IP phone still gets the internal IP address of CallManager for the phone service?

Or I missed something?

Thanks,

JJ

18 Replies

Jon Nelson
Level 3

You aren't missing anything. There is no support for this in the current version of the ASA proxy. This is what happens when a voice product leaves the UC BU and ends up as a product in the Security BU.

I don't know what is on the roadmap, but I hope this gets back in the product as it is a function that is sorely missed.

I am having the same issue and I just started to look into the proxy-server option in the ASA phone proxy config. Couldn't I just set up an HTTP proxy (preferably on the ASA) and use that to tunnel the phone service request through? I still would have the issue of the phone service traffic being unencrypted but I think it would function.

calmichael
Level 1

I have been able to get the directory, service, and information to work; this isn't exactly documented too well yet, but it should get better.

I am using 8.0(4)23 as I had to get away from the walkie-talkie audio issue of the standard 8.0(4) code. I also am not using LSCs yet - only MICs.

xxx.xxx.xxx.xxx is the internal IP of the CUCM Publisher running tftp

yyy.yyy.yyy.yyy is my ASA external IP meant for tftp / 8080

zzz.zzz.zzz.zzz is my ASA external MTP

The configuration that seems to work is:

object-group service tftp udp
 port-object eq tftp
object-group network cucm
 network-object host yyy.yyy.yyy.yyy
access-list outside_access_in extended permit udp any object-group cucm object-group tftp
static (inside-60,outside-96) tcp yyy.yyy.yyy.yyy 8080 xxx.xxx.xxx.xxx www netmask 255.255.255.255
static (inside-60,outside-96) yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx netmask 255.255.255.255
phone-proxy
 proxy-server address xxx.xxx.xxx.xxx interface inside

Try this out and verify that this helped.

Thanks calmichael

That's good news to me, getting the directory & service to work! We're the same, only MIC is being used. Can you please give me a copy of your config? I just want to compare it to mine. --redrobish@walla.com

BTW, I've PATed the outside traffic going inbound through the ASA on each specific phone IP address. Is there a way to stick/trust the outside phone using the MAC address instead of the IP address? I don't want to perform PAT on all the outside traffic going inbound through the ASA.

My config, for example:

PhoneProxyASA(config)# nat (outside) 55 172.18.254.73 255.255.255.255 outside
PhoneProxyASA(config)# global (inside) 55 interface

where 172.18.254.73 is the IP address of the phone on the outside.

thanks

Heard that the new ASA firmware (8.2.1 -released this May) has fixed this issue. Has anyone tried it out yet?

thnx

Hi calmichael,

I'm trying out your configuration but I'm getting an error when entering both of the static configs: a conflict, since there's already a static. Any workaround? Thanks

"ERROR: mapped-address conflict with existing static
inside:xxx.xxx.xxx.xxx to outside:yyy.yyy.yyy.yyy netmask 255.255.255.255"

tia

Got it, with a little trick: I removed the 1st static mapping, entered the 2nd static map, then re-entered the 1st static map. (A bug or something?) Although I got the same error as before, it did go into the config and it works. The directory works fine and the extension mobility displays; however, when extension mobility was selected, it still doesn't show the login/logoff and I got an "http error [404]!". Any suggestions?

tia

Basically it's quite simple to fix when you use DNS names for CM.

You just have to make the DNS name resolvable both internally and externally.

Then go to Enterprise Parameters Configuration > Phone URL Parameters and change: URL Directories, URL Services

You will need a static map on the ASA from the external IP to the internal one, and this setup works fine.

How about if I'm not using DNS names for my CM? Any resolution?

Thanks for the reply though.

tia

You can use DNS names only for those 2 parameters, and keep in mind it's only a workaround, not a real fix.

Rate if this helps.

Joshua Warcop
Level 5

With the configuration update outlined below, the ASA will insert a value for "Proxy Server" on a 7900 series phone. You can check this on the phone by pressing Settings | Device Configuration | HTTP Configuration | Proxy server. The ASA will insert the global address for the CUCM server and dynamically update the access-list for a registered phone.

You can correct this issue through ASDM or through CLI.

Open ASDM

Expand Firewall | Advanced | Encrypted Traffic Inspection | Phone Proxy

Click "Configure a http-proxy which would be written into the phone's config file so that phone URLs are directed for services on the phone".

Insert the IP address of your CUCM server, port 8080, interface "Inside" (normally).

CLI:

phone-proxy asdm_phone-proxy
 proxy-server address X.X.X.X interface inside      (where X.X.X.X = your CUCM server)

Thanks for the reply jwarcop.

Actually I already have what you are suggesting but it is still not working. I've attached my config so it may be understandable.

Note: on this same ASA, I have site-to-site VPN going on.

Tia

Remove this static and clear the r.r.r.r global xlate.

static (inside,outside) tcp r.r.r.r 8080 s.s.s.s www netmask 255.255.255.255

This is built dynamically for you.

Hi jwarcop,

Done as you recommended and I definitely see the proxy server URL (r.r.r.r:8080) at Settings | Device Configuration | HTTP Configuration, where r.r.r.r is the outside address, but I am still getting "HTTP Error(404)" from the Services button.

If I adjust the URL parameters/services on the enterprise parameters to use DNS, will it affect all my phones not set up for phone proxy? I.e., will I need to restart the services, etc.?

BTW, after I removed my static the directories also went away (they were working when the static was in place, while only the EM was not).

And I don't want to adjust the URL parameters/services.

Any more ideas?

Thanks
