ASA Phone-Proxy Security Issue?

Jun 16th, 2009

Hi all,

I am just starting to look over the phone proxy configuration for the ASAs. I noticed one of the steps was to open TFTP access to the CM from the Internet. My question is what are the security ramifications to doing this and has anyone here addressed this in their environment?

parshah Tue, 06/16/2009 - 13:55


Not sure where you read that you have to open the TFTP access to the CM from the internet.

Actually, what you need is to set up NAT on the ASA, so the ASA will translate an external IP to an internal one. Also, the connection between the ASA and the phone is going to be secure, so there is not much of a security issue there.

Please take a look at this link for more info.


speltier Wed, 06/17/2009 - 05:50

Step 13 in the link you posted. It says...

Using an access-list, permit inbound TFTP traffic to the tftp-server's global IP address. This is the only specific acl entry that needs to exist to allow the phone-proxy to work. The secured streams which terminate on the firewall will be permitted automatically by the firewall.

Jonathan Schulenberg Wed, 06/17/2009 - 07:36

I would be sure to put the cluster in Mixed Mode and use TFTP encryption to protect the downloads. I would also make sure to throttle the connections allowed on the ASA to prevent a DoS against the TFTP server.

If you are a partner, the AZTEC team has been working on a lab for this, due out sometime in July. I would speak with your channels team so you can get some practice.
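
An added illustration, not part of the thread or of the Cisco guide it quotes, of the two controls discussed above: the single ACL entry from step 13, scoped to the TFTP server's global address, and a connection limit on that traffic. The address 203.0.113.10, the interface name, the object names and the limit values are placeholders, not values from this discussion.

```text
! Too broad: opens TFTP to every translated host behind the ASA.
! access-list outside_in extended permit udp any any eq tftp

! Scoped as step 13 describes: inbound TFTP only to the TFTP server's
! global (translated) address. 203.0.113.10 is a placeholder.
access-list outside_in extended permit udp any host 203.0.113.10 eq tftp
access-group outside_in in interface outside

! Separate ACL used only to classify the same traffic for throttling.
access-list tftp_from_outside extended permit udp any host 203.0.113.10 eq tftp

class-map tftp_from_outside_class
 match access-list tftp_from_outside

! Cap total and per-source connections to the TFTP server.
! 200 and 5 are placeholder values; size them to the number of remote
! phones and how many of them can sit behind one NAT address.
policy-map outside_policy
 class tftp_from_outside_class
  set connection conn-max 200 per-client-max 5

service-policy outside_policy interface outside
```

After applying a policy like this, `show service-policy interface outside` shows the current connection counts and drops for the class, which is the place to check whether the limits are too tight for legitimate phones.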

speltier Wed, 06/17/2009 - 09:38

Do you know what vulnerabilities it presents to the server itself? For instance, ability to upload malicious code to the server or is the server set up for download only?

