cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
57580
Views
20
Helpful
5
Comments
Jay Johnston
Cisco Employee
Cisco Employee

 

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

 

Cisco.com ASA 8.0 Configuration guide - Phone Proxy feature

 

If you have configured phone proxy and are still experiencing problems will phone registration or call audio issues, please see the following link:

 

ASA Phone Proxy Troubleshooting and Common Problems

 

NOTE: This document is specific to configuring phone-proxy in version 8.0.  If you are using version 8.2, please see this document:

 

https://supportforums.cisco.com/docs/DOC-8165

 

Overview

The Cisco ASA phone proxy feature allows remote Cisco IP phones to establish secured communication channels directly with the ASA. These secure communications terminate directly onto the firewall, and the firewall "proxies" the voice communication between the phone and the Call Manager.

 

This feature allows for secure voice communication for phones deployed in the field without requiring a separate device to encrypt the traffic to the Call Manager.

 

To configure ASA Phone Proxy via ASDM, please reference this page: ASA Phone Proxy sample configuration via ASDM

Terminology

Media Termination Address

The Media Termination Address is an address that the firewall uses to perform the phone proxy function. It is a special address that is used to terminate secure media streams to and from remote phones. This address needs to be a unique, publicly routeable address on the outside of the firewall, and must adhere to the following guidelines:

 

 

  • It must not be the same as any global address for any translation on the firewall
  • It must be a different address than the outside interface address of the firewall (or any other firewall interface)
  • It must reside in the same ip subnet as the outside interface of the firewall
  • No other device on the outside subnet can also be assigned this IP address

 

SRTP

SRTP (Secured Real-time Transport Protocol) refers to RTP (Real-time Transport Protocol) media streams which are encrypted.

Certificate Trust List (CTL) File

The CTL file is a file that the phone downloads when it first connects to the tftp server upon bootup. The CTL file contains information about what devices the phone can trust, along with the certificates for those devices. In the case of phone proxy the firewall is configured to generate and send its own CTL file to the remote phone. The CTL file contains the certificates for the devices in the phone proxy environment, such as the Call Manager(s), tftp-server and CAPF certificates.

MIC and LSC Certificates

For the phone proxy feature to function properly and for the traffic between the phone and the ASA to be encrypted, the phone must have a certificate installed. To determine if a phone has a certificate already installed, press the Settings button, then choose "6 - Security Configuration" then scroll down and look for the sections labelled "MIC" and "LSC". If either of these reads "Installed" a certificate of that type is installed. If it reads "Not Installed" there is no certificate of that type installed.


There are two types of certificates that can be present on Cisco IP Phones:

 

 

 

 

Manufacturer Installed Certificates are included on all 7941/61 and newer model IP Phones. With the MIC installed it is not necessary to obtain the USB eTokens (unless you want to secure CUCM phones that register directly to CUCM, or secure communication between internal phones and ASA). Phones with an MIC have the ability to decrypt the CTL file without going through any extra steps.

 

 

 

 

 

The Locally Significant Certificate must be manually installed on the IP Phone. Installing the LSC requires the use of at least two USB eTokens and the CTL Client. The CTL Client is used to generate the necessary certificates on the CallManager. Once the CTL Provider and CAPF Services are activated on the cluster, the CTL Client can be run to generate the CTL file on the CallManager. Once this process completes it is then possible to set the "Certificate Operation" on the IP Phone to "Install/Upgrade" through the CCMAdmin Interface. This process must be used for all 7940/60 and older model IP Phones. Without the USB eToken and the CTL Client there is no way to install LSCs on IP Phones. The Part number for the USB eToken is: KEY-CCM-ADMIN-K9=
 
Note: Even if LSCs are deployed, the hard phone must first register and authenticate with a MIC since the phone-proxy does NOT allow auto-registration.

 

 

 

 

 

Here are the full instructions to get the LSC to the phone. These instructions assume you have not installed the CTL Client or activated any security services on Communications Manager.

 

 

  • In CUCM Serviceability > Service Activation activate Cisco CTL Provider and Cisco Certificate Authority Proxy Function on the publisher server
  • Obtain two of the previously mentioned security tokens
  • Install the CTL Client on a Windows PC. You can get the plugin from CUCM Administration > Application > Plugins > Cisco CTL Client
  • Reboot the Windows PC
  • Start the CTL Client and point it to the IP of your publisher server
  • Select "Update CTL File"
  • Insert the first token when prompted
  • Select "Add"
  • When finished with the first token select "Add" again and insert the second token when instructed
  • Click "Finish" after the second token has been added
  • Restart the Cisco TFTP and then Cisco CallManager service on all nodes in the cluster
  • At this point on the 7960 phone GUI you should be able to navigate to Settings > (6) Security Configuration > (5) CTL File and see a long hex string
  • From CUCM CCMAdmin navigate to Device > Phone > pick the 7940/60 IP Phone you want to provision an LSC on
  • In the Device config page under Certificate Operation select > Install / Upgrade > By Authentication String > Enter your own auth string. This will need to be punched into the phone itself.
  • Save the phone config in CCMAdmin and select "Reset"
  • When the phone resets go to the physical phone and hit Settings > (6) Security Configuration > (4) LSC > **# (This operation unlocks the GUI and allows us to continue to the next step) > Update (Update will not be visible until you perform the previous step) > Enter the auth string into the phone > Hit Submit
  • You will see "Generating Keys." This will take a few minutes. When it completes the LSC installation has finished, and this phone is ready to be used with the ASA Phone Proxy.

 

CAPF

Stands for Certificate Authority Proxy Function. This is a feature that runs on the Cisco Unified Call Manager Publisher that can deploy LSC certificates to phones. This is required for phones that do not have a MIC certificate to establish secure or authenticated connections. More information on the process of deploying certificates to phones using the CAPF process can be found at the documentation link below

 

Call Manager 7.0 CAPF docs

 

Prerequisites

The following are required before the phone proxy feature will work correctly

 

  • The remote Cisco IP phone must have a certificate installed for the secure connection to be made to the firewall
  • The ASA firewall must be running at least version 8.0(4)
  • The ASA must have the appropriate license installed. To determine the number of secured connections available, use the "show version" command. Each phone to Call Manager connection counts as one secure connection; Therefore, if two Call Managers are present (and in a redundant configuration) since each phone maintains two connections (one to each Call Manager) then a total of two licenses will be used for each phone.

 

 

Note the line that reads "UC Proxy Sessions":


PhoneProxyASA#show version

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(4)
....
UC Proxy Sessions            : 2    

 

Step-by-Step configuration example

For this example, the following diagram depicts the network:

Phone_proxy_lab.jpeg

 

 

  • The outside interface is meant to represent the internet in this example.
  • The media termination address is 14.36.107.91.
  • The TFTP server resides on the call manager, and the call manager is at 172.18.124.230. The firewall is statically translating this inside ip to the outside with a global address of 14.36.107.95.
  • The phones in this case have a LSC certificate installed using the CAPF process. This certificate was previously installed on the phone by the Call Manager prior to introducing it to the phone-proxy
  • The Call Manager is running in non-secure mode. Therefore all communication from the ASA to the call manager will be unencrypted

 

The following configuration is based off of the configuration guide located here

 

1. Set the hostname and domain-name of the firewall. These settings will be used when the RSA keys are generated in step 4.

 

ciscoasa# conf t
ciscoasa(config)# hostname PhoneProxyASA
PhoneProxyASA(config)# domain-name cisco.com
PhoneProxyASA(config)#

2. (Optional) Configure DNS resolution on the ASA if the Call Manager server is configured by hostname, rather than IP address. If the Call Manager is configured by hostname then it will insert its own hostname into the TFTP config file sent to the phone, instead of its IP address; the phone will then attempt to resolve the hostname and connect to the resulting ip. The phone, as well as the ASA, will need to be able to resolve the IP of the Call Manager if this is the case. You can check to see if the Call Manager server is configured by hostname by going to the Call Manager and under "System->Server" and press the "Find" button to display the Call Manager description. It will show an IP address or a Hostname. If your Call Manager is configured by ip address, this step is not necessary, as the phone and the ASA won't need to do any dns resolution.

 

In the following example:

 

  • The DNS server resides on the outside
  • The DNS server ip address is 172.18.108.43
  • In this case the DNS server is added to the default DNS server group

 

PhoneProxyASA(config)# dns domain-lookup outside
PhoneProxyASA(config)# dns server-group DefaultDNS
PhoneProxyASA(config-dns-server-group)#     name-server 172.18.108.43

3. Create a static translation so that the Call Manager's TFTP server is accessible from the outside internet. The phones will be configured with the 14.36.107.95 address as their TFTP server:

 

PhoneProxyASA(config)# static (inside,outside) 14.36.107.95 172.18.124.230 netmask 255.255.255.255 

4. A keypair needs to be generated that will be used for the self-signed certificate on the firewall. If a keypair is already created then this step can be skipped.

 

PhoneProxyASA(config)# crypto key generate rsa label proxy_key modulus 1024
INFO: The name for the keys will be: proxy_key
Keypair generation process begin. Please wait...
PhoneProxyASA(config)#

5. Next, create trustpoints that will be used for secure communication  with the remote phones. This trustpoint will be used by the firewall to  create an entry in the CTL file passed down to the phones. In this case  we'll call this trustpoint phoneproxy_trustpoint. After creating the  trustpoint, we enroll the trustpoint immediately (causing the firewall  to generate the self-signed certificate).

Note: If multiple Call Managers are a part of a cluster on the  inside, you'll need to create a distinct trustpoint for each of the  physical Call Managers. You can use the existing keypair in the new  trustpoint. So if there were two distinct Call Managers and a TFTP  server in the cluster, you would need 3 trustpoints. You could name them  phoneproxy_trustpoint, phoneproxy_trustpoint2, and  phoneproxy_trustpoint3. A distinct trustpoint is necessary for each CTL  file entry in step 8 below. In this example the only Call Manager in the  cluster is also acting as the TFTP server:

 

In this case we'll call  this trustpoint phoneproxy_trustpoint. After creating the trustpoint, we  enroll the trustpoint immediately (causing the firewall to generate the  self-signed certificate).

 

PhoneProxyASA(config)# crypto ca trustpoint phoneproxy_trustpoint 
PhoneProxyASA(config-ca-trustpoint)# enrollment self
PhoneProxyASA(config-ca-trustpoint)# keypair proxy_key
PhoneProxyASA(config-ca-trustpoint)# exit
PhoneProxyASA(config)#
PhoneProxyASA(config)# crypto ca enroll phoneproxy_trustpoint
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: yes

% The fully-qualified domain name in the certificate will be: PhoneProxyASA.cisco.com

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes
PhoneProxyASA(config)#

6. (Optional - Only necessary if the phones have a LSC installed and no MIC) If the phones we are using do not have a MIC certificate (and the only certificate that they have is a LSC) then we'll need to add the CA CAPF certificate from the Call Manager. Again, this step is only necessary if the remote phones have a LSC certificate loaded.

 

To retrieve the CAPF certificate from the Call Manager running version 5.1, do the following (these steps might be different depending on the Call Manager version):

 

 

  • Log into the Call Manager web interface
  • In the upper right of the screen in the "Navigation" selector, choose "Cisco Unified OS Administration" and click "Go"
  • Choose the "Security" drop down, then choose "Certificate Management" then "Download Certificate / CTL"
  • Choose "Download Trust Cert" and then "CAPF". Download this certificate in .pem encoding.

 

Then, create the trustpoint and import the CAPF CA certificate from the Call Manager onto the firewall

PhoneProxyASA(config)# crypto ca trustpoint capf_trustpoint
PhoneProxyASA(config-ca-trustpoint)# enrollment terminal
PhoneProxyASA(config-ca-trustpoint)# exit
PhoneProxyASA(config)# crypto ca authenticate capf_trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICdDCCAd2gAwIBAgIIFgGX+wPCb6YwDQYJKoZIhvcNAQEFBQAwVTEKMAgGA1UE
ChMBQTEKMAgGA1UECBMBRDEKMAgGA1UEBxMBQzELMAkGA1UEBhMCVVMxFjAUBgNV
BAMTDUNBUEYtMTViYjNkZjgxCjAIBgNVBAsTAUIwHhcNMDcwOTA0MTEwODM0WhcN
MTIwOTA0MTEwODM0WjBVMQowCAYDVQQKEwFBMQowCAYDVQQIEwFEMQowCAYDVQQH
EwFDMQswCQYDVQQGEwJVUzEWMBQGA1UEAxMNQ0FQRi0xNWJiM2RmODEKMAgGA1UE
CxMBQjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAujDQz2fuaz/lorFoVFPF
KWYLfYzq8CuBvBl18pfHvdFbmtZcWkm3wY/s+9HCxh6FqzjXKpQM8sQQ6TfA80Gf
qNKTqypDJnRhMv/+C7eh4XuV4hFMl82MFaZvcmVTtjkpdrcv5iRZn1OCOg3JEaLS
CAONhglqQgKQqrxOHqxpoZ0CAwEAAaNNMEswCwYDVR0PBAQDAgKEMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDBTAdBgNVHQ4EFgQU9S/3lbgkdbAMDeTnhAXC
xEUAkcswDQYJKoZIhvcNAQEFBQADgYEAhTlglsQnxcwMxMtWM8uZIg6ya8dt3zP4
RBuKqD2PZWH5d/fe9rGvf/TZqSGhGjxa1N6e0kRS29UUy/4u2zr7iGqpZXyezrfc
3+/q8z6YvBx6qH+BSG4KKnC9iQ+2YbMBXn93HlQK+kwJGXEngOkJY45pIaNn6dOA
bp9pXH9Si24=
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     1f53d57a 5d82b8e7 4f7f9ceb 1758e181
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

% Certificate successfully imported
PhoneProxyASA(config)#


7. It is necessary to load the Cisco Manufacturer CA certificates onto the firewall so that phones that use MIC certificates and the firewall can make a secure connection. Therefore, we'll create a trustpoint for each of the CA certificates CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA. These CA certificates can be downloaded from the Call Manager by doing the following (these steps might be different depending on the Call Manager version):

 

 

  • Log into the Call Manager web interface
  • In the upper right of the screen in the "Navigation" selector, choose "Cisco Unified OS Administration" and click "Go"
  • Choose the "Security" drop down, then choose "Certificate Management" then "Download Certificate / CTL"
  • Choose "Download Trust Cert" and then "Call Manager - Trust". Download the certificates (CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA) in .pem encoding.

 

Now, create a trustpoint for each certificate and authenticate them all with the downloaded .pem encoded files:

 

PhoneProxyASA(config)#  crypto ca trustpoint CAP-RTP-001_trustpoint
PhoneProxyASA(config-ca-trustpoint)# enrollment terminal
PhoneProxyASA(config-ca-trustpoint)# exit
PhoneProxyASA(config)# crypto ca authenticate CAP-RTP-001_trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIQdhL5YBU9b59OQiAgMrcjVjANBgkqhkiG9w0BAQUFADAu
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtDQVAtUlRQLTAwMTAe
Fw0wMzAyMDYyMzI3MTNaFw0yMzAyMDYyMzM2MzRaMC4xFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAMTC0NBUC1SVFAtMDAxMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEArFW77Rjem4cJ/7yPLVCauDohwZZ/3qf0sJaWlLeAzBlq
Rj2lFlSij0ddkDtfEEo9VKmBOJsvx6xJlWJiuBwUMDhTRbsuJz+npkaGBXPOXJmN
Vd54qlpc/hQDfWlbrIFkCcYhHws7vwnPsLuy1Kw2L2cP0UXxYghSsx8H4vGqdPFQ
NnYy7aKJ43SvDFt4zn37n8jrvlRuz0x3mdbcBEdHbA825Yo7a8sk12tshMJ/YdMm
vny0pmDNZXmeHjqEgVO3UFUn6GVCO+K1y1dUU1qpYJNYtqLkqj7wgccGjsHdHr3a
U+bw1uLgSGsQnxMWeMaWo8+6hMxwlANPweufgZMaywIBA6OBwzCBwDALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6Rexgscfz6ypG270qSac
cK4FoJowbwYDVR0fBGgwZjBkoGKgYIYtaHR0cDovL2NhcC1ydHAtMDAxL0NlcnRF
bnJvbGwvQ0FQLVJUUC0wMDEuY3Jshi9maWxlOi8vXFxjYXAtcnRwLTAwMVxDZXJ0
RW5yb2xsXENBUC1SVFAtMDAxLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG
9w0BAQUFAAOCAQEAq2T96/YMMtw2Dw4QX+F1+g1XSrUCrNyjx7vtFaRDHyB+kobw
dwkpohfkzfTyYpJELzV1r+kMRoyuZ7oIqqccEroMDnnmeApc+BRGbDJqS1Zzk4OA
c6Ea7fm53nQRlcSPmUVLjDBzKYDNbnEjizptaIC5fgB/S9S6C1q0YpTZFn5tjUjy
WXzeYSXPrcxb0UH7IQJ1ogpONAAUKLoPaZU7tVDSH3hD4+VjmLyysaLUhksGFrrN
phzZrsVVilK17qpqCPllKLGAS4fSbkruq3r/6S/SpXS6/gAoljBKixP7ZW2PxgCU
1aU9cURLPO95NDOFN3jBk3Sips7cVidcogowPQ==
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     233c8e33 8632ea4e 76d79feb ffb061c6
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

% Certificate successfully imported
PhoneProxyASA(config)# crypto ca trustpoint CAP-RTP-002_trustpoint
PhoneProxyASA(config-ca-trustpoint)# enrollment terminal
PhoneProxyASA(config-ca-trustpoint)# exit
PhoneProxyASA(config)# crypto ca authenticate CAP-RTP-002_trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIQNT+yS9cPFKNGwfOprHJWdTANBgkqhkiG9w0BAQUFADAu
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtDQVAtUlRQLTAwMjAe
Fw0wMzEwMTAyMDE4NDlaFw0yMzEwMTAyMDI3MzdaMC4xFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAMTC0NBUC1SVFAtMDAyMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEAxCZlBK19w/2NZVVvpjCPrpW1cCY7V1q9lhzI85RZZdnQ
2M4CufgIzNa3zYxGJIAYeFfcRECnMB3f5A+x7xNiEuzE87UPvK+7S80uWCY0Uhtl
AVVf5NQgZ3YDNoNXg5MmONb8lT86F55EZyVac0XGne77TSIbIdejrTgYQXGP2MJx
Qhg+ZQlGFDRzbHfM84Duv2Msez+l+SqmqO80kIckqE9Nr3/XCSj1hXZNNVg8D+mv
Hth2P6KZqAKXAAStGRLSZX3jNbS8tveJ3Gi5+sj9+F6KKK2PD0iDwHcRKkcUHb7g
lI++U/5nswjUDIAph715Ds2rn9ehkMGipGLF8kpuCwIBA6OBwzCBwDALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUpIr4ojuLgmKTn5wLFal
mrTUm5YwbwYDVR0fBGgwZjBkoGKgYIYtaHR0cDovL2NhcC1ydHAtMDAyL0NlcnRF
bnJvbGwvQ0FQLVJUUC0wMDIuY3Jshi9maWxlOi8vXFxjYXAtcnRwLTAwMlxDZXJ0
RW5yb2xsXENBUC1SVFAtMDAyLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG
9w0BAQUFAAOCAQEAVoOM78TaOtHqj7sVL/5u5VChlyvU168f0piJLNWip2vDRihm
E+DlXdwMS5JaqUtuaSd/m/xzxpcRJm4ZRRwPq6VeaiiQGkjFuZEe5jSKiSAK7eHg
tup4HP/ZfKSwPA40DlsGSYsKNMm3OmVOCQUMH02lPkS/eEQ9sIw6QS7uuHN4y4CJ
NPnRbpFRLw06hnStCZHtGpKEHnY213QOy3h/EWhbnp0MZ+hdr20FujSI6G1+L39l
aRjeD708f2fYoz9wnEpZbtn2Kzse3uhU1Ygq1D1x9yuPq388C18HWdmCj4OVTXux
V6Y47H1yv/GJM8FvdgvKlExbGTFnlHpPiaG9tQ==
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     f7e150ea 5e6e3ac5 615fc696 66415c9f
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

% Certificate successfully imported
PhoneProxyASA(config)# crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
PhoneProxyASA(config-ca-trustpoint)# enrollment terminal
PhoneProxyASA(config-ca-trustpoint)# exit
PhoneProxyASA(config)# crypto ca authenticate Cisco_Manufacturing_CA_trustpoint
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIE2TCCA8GgAwIBAgIKamlnswAAAAAAAzANBgkqhkiG9w0BAQUFADA1MRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw
HhcNMDUwNjEwMjIxNjAxWhcNMjkwNTE0MjAyNTQyWjA5MRYwFAYDVQQKEw1DaXNj
byBTeXN0ZW1zMR8wHQYDVQQDExZDaXNjbyBNYW51ZmFjdHVyaW5nIENBMIIBIDAN
BgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAoMX33JaUNRXx9JlOu5tB4X3beRaR
u/NU8kFKlDJiYskj95rnu5t56AcpTjD1rhvFIVZGsPj05o6BuBbMqJuF0kKB23zL
lKkRYRIcXOozIByaFqd925kGauI2r+z4Cv+YZwf0MO6l+IgaqujHPBzO7kj9zVw3
8YaTnj1xdX007ksUqcApewUQ74eeaTEw9Ug2P9irzhXi6FifPmJxBIcmpBViASWq
1d/JyVu4yaEHe75okpOTIKhsvRV100RdRUvsqNpgx9jI1cjtQeH1X1eOUzKTSdXZ
D/g2qgfEMkHFp68dGf/2c5k5WnNnYhM0DR9elXBSZBcG7FNcXNtq6jUAQQIBA6OC
AecwggHjMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNDFIiarT0Zg7K4F
kcfcWtGwR/dsMAsGA1UdDwQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADAZBgkrBgEE
AYI3FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQn88gVHm6aAgkWrSugiWBf
2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3LmNpc2NvLmNvbS9zZWN1
cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEFBQcBAQREMEIwQAYIKwYB
BQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9jZXJ0cy9j
cmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQIAMEMwQQYIKwYBBQUH
AgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9wb2xpY2llcy9p
bmRleC5odG1sMF4GA1UdJQRXMFUGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUH
AwUGCCsGAQUFBwMGBggrBgEFBQcDBwYKKwYBBAGCNwoDAQYKKwYBBAGCNxQCAQYJ
KwYBBAGCNxUGMA0GCSqGSIb3DQEBBQUAA4IBAQAw8zAtjPLKN0pkmSQpCvKGqkLV
I+ii6itvaSN6go4cTAnPpE+rhC836WVg0ZrG2PML9d7QJwBcbx2RvdFOWFEdyeP3
OOfTC9Fovo4ipUsG4eakqjN9GnW6JvNwxmEApcN5JlunGdGTjaubEBEpH6GC/f08
S25l3JNFBemvM2tnIwcGhiLa69yHz1khQhrpz3B1iOAkPV19TpY4gJfVb/Cbcdi6
YBmlsGGGrd1lZva5J6LuL2GbuqEwYf2+rDUU+bgtlwavw+9tzD0865XpgdOKXrbO
+nmka9eiV2TEP0zJ2+iC7AFm1BCIolblPFft6QKoSJFjB6thJksaE5/k3Npf
-----END CERTIFICATE-----
quit

INFO: Certificate has the following attributes:
Fingerprint:     6ea241f5 ac9a1148 cc8b4b43 c7c13025
Do you accept this certificate? [yes/no]: yes

Trustpoint 'Cisco_Manufacturing_CA_trustpoint' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.

% Certificate successfully imported
PhoneProxyASA(config)#

8. Now that the certificates are on the ASA, we'll need to create the parameters for the CTL file that will be passed down to the phone. In our case, since the tftp server is on the Call Manager (one device serves both roles), we'll create a record-entry of type cucm-tftp (as opposed to just tftp or just cucm). Also note that we use the global (mapped) address for the tftp server here, since this is how the tftp server will look to the phones. The record-entry we add for the CAPF is not required if CAPF certificates are not used:

 

PhoneProxyASA(config)# ctl-file ctl_phoneproxy_file
PhoneProxyASA(config-ctl-file)# record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 14.36.107.95  
PhoneProxyASA(config-ctl-file)# record-entry capf trustpoint capf_trustpoint address 14.36.107.95
PhoneProxyASA(config-ctl-file)#
PhoneProxyASA(config-ctl-file)# no shut
Keypair generation process begin. Please wait...

% The fully-qualified domain name will not be included in the certificate
Keypair generation process begin. Please wait...

% The fully-qualified domain name will not be included in the certificate
Keypair generation process begin. Please wait...

% The fully-qualified domain name will not be included in the certificate
INFO: Total CTL File length 4134
INFO: Writing CTL file disk0:/ctl_phoneproxy_file.tlv to flash...
PhoneProxyASA(config-ctl-file)#

9. Create the tls-proxy instance. Under this section it is required to specify a trustpoint that was automatically generated by the ASA when the CTL file was created. The trustpoint name will be in the format of _internal_PP_ + ctl_file_name. In this case since the ctl file was ctl_phoneproxy_file (see step 8 above) the complete command is server trust-point _internal_PP_ctl_phoneproxy_file.

PhoneProxyASA(config)# tls-proxy ASA-tls-proxy
PhoneProxyASA(config-tlsp)# server trust-point _internal_PP_ctl_phoneproxy_file
PhoneProxyASA(config-tlsp)# exit

10. Create the phone-proxy instance, which outlines the parameters of how the phone-proxy will be configured on the firewall.

The following parameters are configured below:

 

 

  • The media-termination address command ip address should be a unique ip address as defined above
  • The tftp-server address command ip address should be the internal (real) ip address of the tftp server and the interface should be the interface of the firewall behind which the tftp server resides. Before configuring this parameter, ensure that the static translation for the Call Manager (see step 3) has been created
  • The tls-proxy command should refer to the name of the tls-proxy instance that was created earlier in step 9
  • The ctl-file command should refer to the name of the ctl file configured earlier in step 8.
  • The no disable service-settings specifies that we do not wish the firewall to disable certain settings of the phone

 


PhoneProxyASA(config)# phone-proxy ASA-phone-proxy
PhoneProxyASA(config-phone-proxy)# media-termination address 14.36.107.91
PhoneProxyASA(config-phone-proxy)# tftp-server address 172.18.124.230 interface inside
PhoneProxyASA(config-phone-proxy)# tls-proxy ASA-tls-proxy
PhoneProxyASA(config-phone-proxy)# ctl-file ctl_phoneproxy_file
PhoneProxyASA(config-phone-proxy)# no disable service-settings
PhoneProxyASA(config-phone-proxy)# exit
PhoneProxyASA(config)#

11. Define the class-maps that will match the secured traffic. In this case our classes will match the specific TCP ports that the phones will use when making secure sip or skinny connections to the Call Manager. Secure skinny will use TCP port 2443 and secure SIP will use TCP port 5061 by default.

 

PhoneProxyASA(config)# class-map sec_sip
PhoneProxyASA(config-cmap)#  match port tcp eq 5061
PhoneProxyASA(config-cmap)# class-map sec_sccp
PhoneProxyASA(config-cmap)#  match port tcp eq 2443

12. Define the policy-map for the phone-proxy functions and apply it to the outside interface:

 

PhoneProxyASA(config-pmap-c)# policy-map voice_policy
PhoneProxyASA(config-pmap)# class sec_sccp
PhoneProxyASA(config-pmap-c)# inspect skinny phone-proxy ASA-phone-proxy
PhoneProxyASA(config-pmap-c)#  class sec_sip
PhoneProxyASA(config-pmap-c)#  inspect sip phone-proxy ASA-phone-proxy
PhoneProxyASA(config-pmap-c)# service-policy voice_policy interface outside
PhoneProxyASA(config)# exit
PhoneProxyASA# 

13. Using an access-list, permit inbound TFTP traffic to the tftp-server's global IP address. This is the only specific acl entry that needs to exist to allow the phone-proxy to work. The secured streams which terminate on the firewall will be permitted automatically by the firewall.

 

PhoneProxyASA# conf t
PhoneProxyASA(config)# access-list outside_in permit udp any host 14.36.107.95 eq tftp
PhoneProxyASA(config)# access-group outside_in in interface outside
PhoneProxyASA(config)# exit
PhoneProxyASA#


At this point the ASA configuration is done. The next step is to go to the phone and ensure that:

 

 

  • The phone obtains an ip address from the DHCP server on the LAN
  • The phone downloads the correct CTL file from the ASA. If the phone previously had a CTL file loaded it should be deleted.
  • The phone's tftp server settings are correct (the phone should have a TFTP server ip setting pointing to the global address of the tftp server as defined in the static() command. The TFTP server setting should not point to the media termination address, nor the outside interface ip address of the firewall.

 

Final completed configuration

The final, complete config for this example is below:

ASA Version 8.0(4) 
!
terminal width 120
hostname PhoneProxyASA
domain-name cisco.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 14.36.107.90 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.18.124.241 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
access-list outside_in permit udp any host 14.36.107.95
pager lines 24
logging enable
logging list cucm message 446002
logging buffer-size 1000000
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 14.36.107.95 172.18.124.230 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 14.36.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint phoneproxy_trustpoint
enrollment self
keypair proxy_key
crl configure
crypto ca trustpoint capf_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint CAP-RTP-001_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
enrollment self
fqdn none
subject-name cn="_internal_ctl_phoneproxy_file_SAST_0";ou="STG";o="Cisco Inc"
keypair _internal_ctl_phoneproxy_file_SAST_0
crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
enrollment self
fqdn none
subject-name cn="_internal_ctl_phoneproxy_file_SAST_1";ou="STG";o="Cisco Inc"
keypair _internal_ctl_phoneproxy_file_SAST_1
crl configure
crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
enrollment self
fqdn none
subject-name cn="_internal_PP_ctl_phoneproxy_file";ou="STG";o="Cisco Inc"
keypair _internal_PP_ctl_phoneproxy_file
crl configure
crypto ca certificate chain phoneproxy_trustpoint
certificate 0565b348
    308201e1 3082014a a0030201 02020405 65b34830 0d06092a 864886f7 0d010104
    05003035 31333031 06092a86 4886f70d 01090216 2450686f 6e655072 6f787941
    53412e64 65666175 6c742e64 6f6d6169 6e2e696e 76616c69 64301e17 0d303830
    38323630 32303535 375a170d 31383038 32343032 30353537 5a303531 33303106
    092a8648 86f70d01 09021624 50686f6e 6550726f 78794153 412e6465 6661756c
    742e646f 6d61696e 2e696e76 616c6964 30819f30 0d06092a 864886f7 0d010101
    05000381 8d003081 89028181 00bc6a84 b3e0e576 8ffd6d31 184dd17d 24b93112
    cce4105a 37f2aa8a 976eef18 41bd709c d2912432 3be491de ffd96af1 2568f475
    e3ceb134 0a50be49 ced116a7 f1beae19 3a0389ba f95c3ae4 482be283 2870478d
    ddf578ca 9af93be0 20efd4a2 0e1c1cab 8976f1ad a5b3fafd b0bb3c4e 134e33dd
    cdc760cd 980c942a e9dd9f2c 7f020301 0001300d 06092a86 4886f70d 01010405
    00038181 00652195 0df0a0ea b31a825d 387f5592 1986495e 717e03a2 a5db954e
    f063aa64 523728f7 9a3d1985 d6d2028e 9eb0ef66 b2e768df d3b6b3fb fa6deff3
    8c5c3433 46839c5c 7683b186 4cf73843 ba1696f4 40fa02fb 365b1c32 1cc37797
    82870312 4da05a72 09ebef37 ace4e820 b8735c6b cb720f7e 15f2ef85 a2db02d6
    dc1e5ec6 78
  quit
crypto ca certificate chain capf_trustpoint
certificate ca 160197fb03c26fa6
    30820274 308201dd a0030201 02020816 0197fb03 c26fa630 0d06092a 864886f7
    0d010105 05003055 310a3008 06035504 0a130141 310a3008 06035504 08130144
    310a3008 06035504 07130143 310b3009 06035504 06130255 53311630 14060355
    0403130d 43415046 2d313562 62336466 38310a30 08060355 040b1301 42301e17
    0d303730 39303431 31303833 345a170d 31323039 30343131 30383334 5a305531
    0a300806 0355040a 13014131 0a300806 03550408 13014431 0a300806 03550407
    13014331 0b300906 03550406 13025553 31163014 06035504 03130d43 4150462d
    31356262 33646638 310a3008 06035504 0b130142 30819f30 0d06092a 864886f7
    0d010101 05000381 8d003081 89028181 00ba30d0 cf67ee6b 3fe5a2b1 685453c5
    29660b7d 8ceaf02b 81bc1975 f297c7bd d15b9ad6 5c5a49b7 c18fecfb d1c2c61e
    85ab38d7 2a940cf2 c410e937 c0f3419f a8d293ab 2a432674 6132fffe 0bb7a1e1
    7b95e211 4c97cd8c 15a66f72 6553b639 2976b72f e624599f 53823a0d c911a2d2
    08038d86 096a4202 90aabc4e 1eac69a1 9d020301 0001a34d 304b300b 0603551d
    0f040403 02028430 1d060355 1d250416 30140608 2b060105 05070301 06082b06
    01050507 0305301d 0603551d 0e041604 14f52ff7 95b82475 b00c0de4 e78405c2
    c4450091 cb300d06 092a8648 86f70d01 01050500 03818100 85396096 c427c5cc
    0cc4cb56 33cb9922 0eb26bc7 6ddf33f8 441b8aa8 3d8f6561 f977f7de f6b1af7f
    f4d9a921 a11a3c5a d4de9ed2 4452dbd5 14cbfe2e db3afb88 6aa9657c 9eceb7dc
    dfefeaf3 3e98bc1c 7aa87f81 486e0a2a 70bd890f b661b301 5e7f771e 540afa4c
    09197127 80e90963 8e6921a3 67e9d380 6e9f695c 7f528b
6e
  quit
crypto ca certificate chain CAP-RTP-001_trustpoint
certificate ca 7612f960153d6f9f4e42202032b72356
    308203a8 30820290 a0030201 02021076 12f96015 3d6f9f4e 42202032 b7235630
    0d06092a 864886f7 0d010105 0500302e 31163014 06035504 0a130d43 6973636f
    20537973 74656d73 31143012 06035504 03130b43 41502d52 54502d30 3031301e
    170d3033 30323036 32333237 31335a17 0d323330 32303632 33333633 345a302e
    31163014 06035504 0a130d43 6973636f 20537973 74656d73 31143012 06035504
    03130b43 41502d52 54502d30 30313082 0120300d 06092a86 4886f70d 01010105
    00038201 0d003082 01080282 010100ac 55bbed18 de9b8709 ffbc8f2d 509ab83a
    21c1967f dea7f4b0 969694b7 80cc196a 463da516 54a28f47 5d903b5f 104a3d54
    a981389b 2fc7ac49 956262b8 1c143038 5345bb2e 273fa7a6 46860573 ce5c998d
    55de78aa 5a5cfe14 037d695b ac816409 c6211f0b 3bbf09cf b0bbb2d4 ac362f67
    0fd145f1 620852b3 1f07e2f1 aa74f150 367632ed a289e374 af0c5b78 ce7dfb9f
    c8ebbe54 6ecf4c77 99d6dc04 47476c0f 36e58a3b 6bcb24d7 6b6c84c2 7f61d326
    be7cb4a6 60cd6579 9e1e3a84 8153b750 5527e865 423be2b5 cb575453 5aa96093
    58b6a2e4 aa3ef081 c7068ec1 dd1ebdda 53e6f0d6 e2e0486b 109f1316 78c696a3
    cfba84cc 7094034f c1eb9f81 931acb02 0103a381 c33081c0 300b0603 551d0f04
    04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604
    14e917b1 82c71fcf aca91b6e f4a9269c 70ae05a0 9a306f06 03551d1f 04683066
    3064a062 a060862d 68747470 3a2f2f63 61702d72 74702d30 30312f43 65727445
    6e726f6c 6c2f4341 502d5254 502d3030 312e6372 6c862f66 696c653a 2f2f5c5c
    6361702d 7274702d 3030315c 43657274 456e726f 6c6c5c43 41502d52 54502d30
    30312e63 726c3010 06092b06 01040182 37150104 03020100 300d0609 2a864886
    f70d0101 05050003 82010100 ab64fdeb f60c32dc 360f0e10 5fe175fa 0d574ab5
    02acdca3 c7bbed15 a4431f20 7e9286f0 770929a2 17e4cdf4 f2629244 2f3575af
    e90c468c ae67ba08 aaa71c12 ba0c0e79 e6780a5c f814466c 326a4b56 73938380
    73a11aed f9b9de74 1195c48f 99454b8c 30732980 cd6e7123 8b3a6d68 80b97e00
    7f4bd4ba 0b5ab462 94d9167e 6d8d48f2 597cde61 25cfadcc 5bd141fb 210275a2
    0a4e3400 1428ba0f 69953bb5 50d21f78 43e3e563 98bcb2b1 a2d4864b 0616bacd
    a61cd9ae c5558a52 b5eeaa6a 08f96528 b1804b87 d26e4aee ab7affe9 2fd2a574
    bafe0028 96304a8b 13fb656d 8fc60094 d5a53d71 444b3cef 79343385 3778c193
    74a2a6ce dc56275c a20a303d
  quit
crypto ca certificate chain CAP-RTP-002_trustpoint
certificate ca 353fb24bd70f14a346c1f3a9ac725675
    308203a8 30820290 a0030201 02021035 3fb24bd7 0f14a346 c1f3a9ac 72567530
    0d06092a 864886f7 0d010105 0500302e 31163014 06035504 0a130d43 6973636f
    20537973 74656d73 31143012 06035504 03130b43 41502d52 54502d30 3032301e
    170d3033 31303130 32303138 34395a17 0d323331 30313032 30323733 375a302e
    31163014 06035504 0a130d43 6973636f 20537973 74656d73 31143012 06035504
    03130b43 41502d52 54502d30 30323082 0120300d 06092a86 4886f70d 01010105
    00038201 0d003082 01080282 010100c4 266504ad 7dc3fd8d 65556fa6 308fae95
    b570263b 575abd96 1cc8f394 5965d9d0 d8ce02b9 f808ccd6 b7cd8c46 24801878
    57dc4440 a7301ddf e40fb1ef 136212ec c4f3b50f bcafbb4b cd2e5826 34521b65
    01555fe4 d4206776 03368357 83932638 d6fc953f 3a179e44 67255a73 45c69dee
    fb4d221b 21d7a3ad 38184171 8fd8c271 42183e65 09461434 736c77cc f380eebf
    632c7b3f a5f92aa6 a8ef3490 8724a84f 4daf7fd7 0928f585 764d3558 3c0fe9af
    1ed8763f a299a802 970004ad 1912d265 7de335b4 bcb6f789 dc68b9fa c8fdf85e
    8a28ad8f 0f4883c0 77112a47 141dbee0 948fbe53 fe67b308 d40c8029 87bd790e
    cdab9fd7 a190c1a2 a462c5f2 4a6e0b02 0103a381 c33081c0 300b0603 551d0f04
    04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604
    1452922b e288ee2e 098a4e7e 702c56a5 9ab4d49b 96306f06 03551d1f 04683066
    3064a062 a060862d 68747470 3a2f2f63 61702d72 74702d30 30322f43 65727445
    6e726f6c 6c2f4341 502d5254 502d3030 322e6372 6c862f66 696c653a 2f2f5c5c
    6361702d 7274702d 3030325c 43657274 456e726f 6c6c5c43 41502d52 54502d30
    30322e63 726c3010 06092b06 01040182 37150104 03020100 300d0609 2a864886
    f70d0101 05050003 82010100 56838cef c4da3ad1 ea8fbb15 2ffe6ee5 50a1972b
    d4d7af1f d298892c d5a2a76b c3462866 13e0e55d dc0c4b92 5aa94b6e 69277f9b
    fc73c697 11266e19 451c0fab a55e6a28 901a48c5 b9911ee6 348a8920 0aede1e0
    b6ea781c ffd97ca4 b03c0e34 0e5b0649 8b0a34c9 b73a654e 09050c1f 4da53e44
    bf78443d b08c3a41 2eeeb873 78cb8089 34f9d16e 91512f0d 3a8674ad 0991ed1a
    92841e76 36d7740e cb787f11 685b9e9d 0c67e85d af6d05ba 3488e86d 7e2f7f65
    6918de0f bd3c7f67 d8a33f70 9c4a596e d9f62b3b 1edee854 d5882ad4 3d71f72b
    8fab7f3c 0b5f0759 d9828f83 954d7bb1 57a638ec 7d72bff1 8933c16f 760bca94
    4c5b1931 67947a4f 89a1bdb5
  quit
crypto ca certificate chain Cisco_Manufacturing_CA_trustpoint
certificate ca 6a6967b3000000000003
    308204d9 308203c1 a0030201 02020a6a 6967b300 00000000 03300d06 092a8648
    86f70d01 01050500 30353116 30140603 55040a13 0d436973 636f2053 79737465
    6d73311b 30190603 55040313 12436973 636f2052 6f6f7420 43412032 30343830
    1e170d30 35303631 30323231 3630315a 170d3239 30353134 32303235 34325a30
    39311630 14060355 040a130d 43697363 6f205379 7374656d 73311f30 1d060355
    04031316 43697363 6f204d61 6e756661 63747572 696e6720 43413082 0120300d
    06092a86 4886f70d 01010105 00038201 0d003082 01080282 010100a0 c5f7dc96
    943515f1 f4994ebb 9b41e17d db791691 bbf354f2 414a9432 6262c923 f79ae7bb
    9b79e807 294e30f5 ae1bc521 5646b0f8 f4e68e81 b816cca8 9b85d242 81db7ccb
    94a91161 121c5cea 33201c9a 16a77ddb 99066ae2 36afecf8 0aff9867 07f430ee
    a5f8881a aae8c73c 1cceee48 fdcd5c37 f186939e 3d71757d 34ee4b14 a9c0297b
    0510ef87 9e693130 f548363f d8abce15 e2e8589f 3e627104 8726a415 620125aa
    d5dfc9c9 5bb8c9a1 077bbe68 92939320 a86cbd15 75d3445d 454beca8 da60c7d8
    c8d5c8ed 41e1f55f 578e5332 9349d5d9 0ff836aa 07c43241 c5a7af1d 19fff673
    99395a73 67621334 0d1f5e95 70526417 06ec535c 5cdb6aea 35004102 0103a382
    01e73082 01e33012 0603551d 130101ff 04083006 0101ff02 0100301d 0603551d
    0e041604 14d0c522 26ab4f46 60ecae05 91c7dc5a d1b047f7 6c300b06 03551d0f
    04040302 01863010 06092b06 01040182 37150104 03020100 30190609 2b060104
    01823714 02040c1e 0a005300 75006200 43004130 1f060355 1d230418 30168014
    27f3c815 1e6e9a02 0916ad2b a089605f da7b2faa 30430603 551d1f04 3c303a30
    38a036a0 34863268 7474703a 2f2f7777 772e6369 73636f2e 636f6d2f 73656375
    72697479 2f706b69 2f63726c 2f637263 61323034 382e6372 6c305006 082b0601
    05050701 01044430 42304006 082b0601 05050730 02863468 7474703a 2f2f7777
    772e6369 73636f2e 636f6d2f 73656375 72697479 2f706b69 2f636572 74732f63
    72636132 3034382e 63657230 5c060355 1d200455 30533051 060a2b06 01040109
    15010200 30433041 06082b06 01050507 02011635 68747470 3a2f2f77 77772e63
    6973636f 2e636f6d 2f736563 75726974 792f706b 692f706f 6c696369 65732f69
    6e646578 2e68746d 6c305e06 03551d25 04573055 06082b06 01050507 03010608
    2b060105 05070302 06082b06 01050507 03050608 2b060105 05070306 06082b06
    01050507 0307060a 2b060104 0182370a 0301060a 2b060104 01823714 02010609
    2b060104 01823715 06300d06 092a8648 86f70d01 01050500 03820101 0030f330
    2d8cf2ca 374a6499 24290af2 86aa42d5 23e8a2ea 2b6f6923 7a828e1c 4c09cfa4
    4fab842f 37e96560 d19ac6d8 f30bf5de d027005c 6f1d91bd d14e5851 1dc9e3f7
    38e7d30b d168be8e 22a54b06 e1e6a4aa 337d1a75 ba26f370 c66100a5 c379265b
    a719d193 8dab9b10 11291fa1 82fdfd3c 4b6e65dc 934505e9 af336b67 23070686
    22daebdc 87cf5921 421ae9cf 707588e0 243d5d7d 4e963880 97d56ff0 9b71d8ba
    6019a5b0 6186addd 6566f6b9 27a2ee2f 619bbaa1 3061fdbe ac3514f9 b82d9706
    afc3ef6d cc3d3ceb 95e981d3 8a5eb6ce fa79a46b d7a25764 c43f4cc9 dbe882ec
    0166d410 88a256e5 3c57ede9 02a84891 6307ab61 264b1a13 9fe4dcda 5f
  quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
certificate 706fb348
    30820219 30820182 a0030201 02020470 6fb34830 0d06092a 864886f7 0d010104
    05003051 31123010 06035504 0a130943 6973636f 20496e63 310c300a 06035504
    0b130353 5447312d 302b0603 55040314 245f696e 7465726e 616c5f63 746c5f70
    686f6e65 70726f78 795f6669 6c655f53 4153545f 30301e17 0d303830 38323630
    32353032 345a170d 31383038 32343032 35303234 5a305131 12301006 0355040a
    13094369 73636f20 496e6331 0c300a06 0355040b 13035354 47312d30 2b060355
    04031424 5f696e74 65726e61 6c5f6374 6c5f7068 6f6e6570 726f7879 5f66696c
    655f5341 53545f30 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
    89028181 00b58819 cc921b12 51e5fcf0 4a70cae3 6995aa99 5b9797a4 a41e9fc2
    cc2c18c3 0b108166 b33eeaa1 ca940543 c15c1228 e1bc0037 3851e664 ecba18b0
    2fb6745e ddc3d8a1 a0363997 4bd42887 169d1661 bb9a9118 3d3af3b2 139b828f
    dd659620 ae0969cf 409cc5f7 120b67ad 9a275648 f23e5477 b108e55c 0a011123
    17b49dcf f7020301 0001300d 06092a86 4886f70d 01010405 00038181 0077a6e3
    c2377900 c8c17c23 cb727a88 cd3b400e 8a6bf376 31ea1e47 72e0a99e 20ad12e9
    8bb76071 f487b0c8 e260d216 7789ff7a 5e115e76 396c4d0b deda52e3 7c134b5f
    8cbab20d 7eafff28 b3ded48d 4ece2cc2 f86b0837 3108bf7d a7b1673b 8dacbe6e
    baf1e893 fe6b4ca8 b98a7de7 eff3319a 470a87be 2dcf6e58 180f58ca bd
  quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
certificate 726fb348
    30820219 30820182 a0030201 02020472 6fb34830 0d06092a 864886f7 0d010104
    05003051 31123010 06035504 0a130943 6973636f 20496e63 310c300a 06035504
    0b130353 5447312d 302b0603 55040314 245f696e 7465726e 616c5f63 746c5f70
    686f6e65 70726f78 795f6669 6c655f53 4153545f 31301e17 0d303830 38323630
    32353032 365a170d 31383038 32343032 35303236 5a305131 12301006 0355040a
    13094369 73636f20 496e6331 0c300a06 0355040b 13035354 47312d30 2b060355
    04031424 5f696e74 65726e61 6c5f6374 6c5f7068 6f6e6570 726f7879 5f66696c
    655f5341 53545f31 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
    89028181 00bdb8cd 6ce8ce0c 5e08b695 f9d28531 ae54e792 b3b1e5ce 4d5f37f4
    e531167f 28167611 bfe909ea d2e17630 79e9f348 71a3df80 2a431f87 89aea095
    ad489bee c5a599c3 fbad5566 d88110c4 582e8bbc dc3a2333 f1240bc4 22eb127c
    5888555a 5eb87351 6c6574d6 cd6b5834 1b02d273 2e7562d8 91b0b9b2 7dd4ab11
    c7a70035 b3020301 0001300d 06092a86 4886f70d 01010405 00038181 006d88e1
    976d6eac c5061621 f00f87a7 763a9ce9 ece4033a d6456b2f 197b69c6 bfbc8d14
    95da81df 85332334 13fd44fb f24bdf45 3454a14c d56536f5 2721320d 34408684
    07c33f15 c97444c6 706c8f94 42cf2339 7e1ab048 4c5d3e3a 87372aa1 ab1afdb3
    b80fd140 5afe8111 13c4e716 ec9849ea ee16717f d2ce2d5a 8a064ba3 ec
  quit
crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
certificate 736fb348
    30820211 3082017a a0030201 02020473 6fb34830 0d06092a 864886f7 0d010104
    0500304d 31123010 06035504 0a130943 6973636f 20496e63 310c300a 06035504
    0b130353 54473129 30270603 55040314 205f696e 7465726e 616c5f50 505f6374
    6c5f7068 6f6e6570 726f7879 5f66696c 65301e17 0d303830 38323630 32353032
    375a170d 31383038 32343032 35303237 5a304d31 12301006 0355040a 13094369
    73636f20 496e6331 0c300a06 0355040b 13035354 47312930 27060355 04031420
    5f696e74 65726e61 6c5f5050 5f63746c 5f70686f 6e657072 6f78795f 66696c65
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a0b7c3
    b278e7d3 3e02d6e3 74b22a20 cddb2762 3367d080 bdbac82d 68f162ce 00fe35c7
    ef862e33 5f7e2ee7 f79b0de2 249f5cbb 38109028 0424ff42 a45d991f af19ecf7
    fc79f9fb 3a24762d 1117f678 1cfcd475 5d45b526 ceb441a7 11b507a6 acaae6d9
    cd05ea3f 645488f0 55597f7a d692e105 77c34ed7 e3194c5f e66a4123 f3020301
    0001300d 06092a86 4886f70d 01010405 00038181 005c489c 082a2db7 9a73bbab
    aa75283f b6a4fb13 73406c99 46f62395 e66b386b 90836031 56d5e555 581cb6a6
    c3992320 d85eb557 da173f20 35566fb7 33c4466c 2c43568c 14265723 736307f4
    5683cab1 5a0e5a20 6a1b43e6 ddece3b2 cef5d438 5ef545a7 3dc85ac5 8c5affa1
    019b5bca 72e65d21 c7a21cd9 0e17c7d5 1b4ea260 75
  quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
tls-proxy ASA-tls-proxy
server trust-point _internal_PP_ctl_phoneproxy_file
ctl-file ctl_phoneproxy_file
record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 14.36.107.95
record-entry capf trustpoint capf_trustpoint address 14.36.107.95
no shutdown
!
phone-proxy ASA-phone-proxy
media-termination address 14.36.107.91
tftp-server address 172.18.124.230 interface inside
tls-proxy ASA-tls-proxy
cipc security-mode authenticated
ctl-file ctl_phoneproxy_file
no disable service-settings
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map sec_sip
match port tcp eq 5061
class-map sec_sccp
match port tcp eq 2443
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
policy-map voice_policy
class sec_sccp
  inspect skinny phone-proxy ASA-phone-proxy
class sec_sip
  inspect sip phone-proxy ASA-phone-proxy
!
service-policy global_policy global
service-policy voice_policy interface outside
prompt hostname context
Cryptochecksum:c5a1dd4861be8ba54a666cafa149f203
: end
Comments
zamora0800
Level 1
Level 1

Hi is this  (ASA phone proxy) supported in a UC500 enviornment? Assuming the ASA IOS and licensing is all in place of course...

Jay Johnston
Cisco Employee
Cisco Employee

Using CME with phone proxy is not supported. For more information on this, please see the enhancement bugid:

CSCti37799 Phone Proxy does not support CME

taufique.shaikh
Level 1
Level 1

Hello,

I have setup ASA 5510 as per the instruction above but unable to get thru...

CIPC from my laptop register in CUCM but when we make call there is no voice...

Also when i check CTL and Trust list both are empty...

Anyone help is highly apprciated.!

Thank you

taufique.shaikh
Level 1
Level 1

Hello,

I have setup ASA 5510 as per the instruction above but unable to get thru...

CIPC from my laptop register in CUCM but when we make call there is no voice...

Also when i check CTL and Trust list both are empty...

Anyone help is highly apprciated.!

Thank you

jeffjones21
Community Member

Thanks for the article. Is there any other information from Cisco on this "special" MTA address functionality re your statement "The secured streams which terminate on the firewall will be permitted automatically by the firewall".

In the config guides I'm surprised there's no mention of this since it goes against the logic of applying an outside ACL and having full knowledge and control over open ports to the Internet. Is this because there's no inbound traffic to the MTA address and the SRTP sessions are all initiated from the phone-proxy and thus not subjected to an outside-in ACL?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: