ASA Phone Proxy

Aug 23rd, 2010

I have the Phone Proxy up and running correctly but I'm a little concerned about having a static NAT for my CUCM server to a public IP using TFTP. Are there any security concerns to be aware of when opening your CUCM server to the public using TFTP?

Jia Liu Mon, 08/23/2010 - 12:04
Cisco Employee

Currently, the Phone Proxy feature on ASA does not support configuration file encryption for TFTP transfers between the CUCM and the phone through the firewall. This causes the configuration to appear in cleartext on the Internet and may expose certain private parameters. Please see more details in the enhancement request CSCsw97570:


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw97570

cowetacoit Mon, 08/23/2010 - 12:49

I think I'm more concerned about my CUCM server being compromised since it is open to the public on port 69 due to the static NAT. Would it be possible for anyone to compromise my CUCM server?

Scott Nishimura Tue, 08/24/2010 - 16:27
Cisco Employee

Hello.


Yes, it's possible that the TFTP server could get hacked as it's available to the external side. The ASA will just allow TFTP 69 traffic through to the CUCM for downloading of the config, etc. There is not really anything that you can do from the ASA side other than to restrict via ACL; however, it might be impossible to know where your phone proxy clients are located.


The Cisco VPN IP phones will not have this problem since they're making a VPN connection to your network instead of running through phone proxy.


hope this helps a bit.


-scott
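Scott's two answers make the defender's position clear: the static NAT must leave UDP/69 reachable, an ACL can keep everything else off the CUCM, and because phone locations are unknown the ACL cannot be narrowed to known sources. What the ASA can still give you is visibility. The script below is an added example, not code from the thread or from Cisco: it parses constructed ASA syslog lines in the %ASA-6-302015 "Built inbound UDP connection" format (the real/mapped address layout is taken from that message's documented shape; the addresses, connection ids and the CUCM inside/outside IPs are assumed sample values) and reports three things a defender would want to watch: any inbound UDP connection to the CUCM on a port other than 69 (an ACL gap), TFTP sources not on an allowlist of known remote sites, and sources making an unusually high number of TFTP requests.

```python
import re
from collections import Counter

# Assumed sample addressing (documentation ranges, not from the thread):
CUCM_REAL_IP = "10.1.1.5"        # inside (real) address of the CUCM/TFTP server
CUCM_MAPPED_IP = "203.0.113.10"  # public (mapped) address of the static NAT


def _built(conn, src, sport, dport):
    """Build one constructed %ASA-6-302015 line: inbound UDP through the static NAT."""
    return (f"%ASA-6-302015: Built inbound UDP connection {conn} for "
            f"outside:{src}/{sport} ({src}/{sport}) to "
            f"inside:{CUCM_REAL_IP}/{dport} ({CUCM_MAPPED_IP}/{dport})")


# Constructed sample log lines.
SAMPLE_LOGS = [
    _built(1001, "198.51.100.7", 49152, 69),   # known remote-site phone, normal TFTP
    _built(1002, "198.51.100.7", 49153, 69),
    _built(1003, "192.0.2.44", 40001, 69),     # unknown source, many rapid requests
    _built(1004, "192.0.2.44", 40002, 69),
    _built(1005, "192.0.2.44", 40003, 69),
    _built(1006, "192.0.2.44", 40004, 69),
    _built(1007, "192.0.2.44", 40005, 69),
    _built(1008, "192.0.2.44", 40006, 69),
    _built(1009, "192.0.2.44", 40007, 2000),   # non-TFTP port reached the CUCM: ACL gap
    # A correctly denied packet (different message id); the parser ignores it.
    '%ASA-4-106023: Deny udp src outside:192.0.2.44/40008 dst inside:10.1.1.5/161 '
    'by access-group "outside_in"',
]

BUILT_UDP = re.compile(
    r"%ASA-6-302015: Built inbound UDP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)


def parse_inbound_udp(lines):
    """Return a dict per inbound UDP connection build; other messages are skipped."""
    found = []
    for line in lines:
        m = BUILT_UDP.search(line)
        if m:
            found.append({"conn": int(m["conn"]), "src": m["src"],
                          "dst": m["dst"], "dport": int(m["dport"])})
    return found


def audit_cucm_exposure(lines, cucm_ip=CUCM_REAL_IP, known_sources=frozenset(),
                        burst_threshold=5):
    """Summarise what reached the CUCM from outside.

    acl_gaps        - inbound UDP to the CUCM on any port other than 69 (the ACL
                      should have dropped it)
    tftp_by_src     - TFTP request count per outside source
    unknown_sources - TFTP sources not in known_sources (phones may roam, so this
                      is a watch list, not a block list)
    bursty_sources  - sources at or above burst_threshold TFTP requests
    """
    conns = [c for c in parse_inbound_udp(lines) if c["dst"] == cucm_ip]
    acl_gaps = [c for c in conns if c["dport"] != 69]
    tftp_by_src = Counter(c["src"] for c in conns if c["dport"] == 69)
    unknown = {s: n for s, n in tftp_by_src.items() if s not in known_sources}
    bursty = sorted(s for s, n in tftp_by_src.items() if n >= burst_threshold)
    return {"acl_gaps": acl_gaps, "tftp_by_src": dict(tftp_by_src),
            "unknown_sources": unknown, "bursty_sources": bursty}


if __name__ == "__main__":
    report = audit_cucm_exposure(SAMPLE_LOGS, known_sources={"198.51.100.7"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the ASA's syslog export (lines containing 302015 are enough) and set `known_sources` to the public addresses of the sites you do know; anything in `acl_gaps` means the outside ACL is wider than "UDP/69 only" and should be tightened, while `unknown_sources` and `bursty_sources` are the places to look first when deciding whether the exposed TFTP service is being probed.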

fasteddye Tue, 01/11/2011 - 12:50

I am in the process of getting phone proxy set up on our ASA. Having a static NAT entry from the public to our CUCM/TFTP concerns me too. Is our only defense to have an ACL to only restrict UDP 69 traffic through this connection? How vulnerable does this make our CUCM server?

Scott Nishimura Tue, 01/11/2011 - 13:28
Cisco Employee

Hi Fasteddye,


Yes, what you mentioned would be what you would do to limit the amount of exposure to your CUCM from the outside. You do need to allow TFTP port 69 to the outside. There is a possibility that they could go through that port 69. As mentioned in an earlier response, you can use the AnyConnect client on the phone for further security instead of the ASA phone proxy.


thanks,

scott

fasteddye Tue, 01/11/2011 - 13:40

Hi Scott.


Thanks for the response.


I am unfamiliar with the AnyConnect Client on the phone. We have IP 7975 phones. Our firewall is licensed for 100 UC Proxy Sessions.


How does the AnyConnect Client work on the phone?


Thanks Again!

Scott Nishimura Tue, 01/11/2011 - 13:48
Cisco Employee

Hi Fasteddye,


One other thing I forgot to mention is that when using the AnyConnect client on the phone, you are not going to be doing phone proxy. Effectively, you are making a VPN tunnel from the phone to the ASA and the voice traffic will be through that tunnel, and therefore the phone will be considered on the inside. This method does not use phone proxy at all but allows the phone to be on the inside through the encrypted tunnel.


thanks,

scott

fasteddye Tue, 01/11/2011 - 13:56

Scott.


That is great, but it looks like we need CUCM 8.0.1 and IP Phone Firmware 9.x.


We are currently running CUCM 7 and IP Phone SCCP 9.0.3S. I guess we would need licensing too on the ASA for the AnyConnect VPN.


We do have maintenance to cover our CUCM update, but I am unsure of a time frame for this update.


Are more moving towards the AnyConnect VPN solution than the phone proxy?


The phone proxy must not be too risky (publicly exposed CUCM TFTP) since it seems lots are using that solution.


Thanks.

Scott Nishimura Tue, 01/11/2011 - 14:11
Cisco Employee

Hi Fasteddye,


Yes, that's correct, it would require you to be on a newer release as well as different licenses etc. I'm not sure what the adoption rate is on the AnyConnect since it's a new feature. I do know some people are moving to it to get around the open ports on phone proxy and also for directory services, which is unencrypted HTTP traffic.


There are a lot of people using phone proxy. Here's a good document if you haven't seen it yet which talks about the setup procedure:


https://supportforums.cisco.com/docs/DOC-8165


https://supportforums.cisco.com/docs/DOC-1226


thanks,

scott
