ASA-CUMA Proxy step-by-step Configuration

Jan 8, 2010 8:58 AM

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

8.0.x

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1096839

8.2.x

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/unified_comm_cuma.html

Overview

The Cisco CUMA proxy (mobility proxy) provides secure connectivity between Cisco Unified Mobility Advantage clients and servers. The ASA in this solution delivers inspection for the MMP protocol (formerly called OLWP), the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating and re-originating the TLS signaling between the Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage.

Prerequisites

The following are required before the CUMA (mobility) proxy feature will work correctly.


  • The ASA firewall must be running at least version 8.0(4)
  • The ASA must have the appropriate license installed. Issue the "sh ver" command and make sure 3DES is enabled.

cuma-asa#show version

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(4)
....
    VPN-3DES-AES                       : Enabled

Topology

cuma_server----(inside)ASA(outside)---Router----Internet Cloud

Cuma_server internal ip address---192.168.1.10

Cuma_server translated address - 100.100.100.10

asa inside interface ip - 192.168.1.1

ssl port - 5443


Step by Step Configuration

1. Create static 1-1 NAT or static PAT for the CUMA server by entering the following command.

1-1 NAT

cuma-asa(config)#static (inside,outside)  100.100.100.10 192.168.1.10

(or)

Static PAT

cuma-asa(config)#static (inside,outside)  tcp 100.100.100.10 5443 192.168.1.10 5443

2. Create an access-list that permits the inspected port and apply the ACL to the outside interface

cuma-asa(config)#access-list outside-acl permit tcp any host 100.100.100.10 eq 5443

cuma-asa(config)#access-group outside-acl in int outside

3. Generate a CSR on the ASA.

This step is needed to install a Verisign or Geotrust certificate on the ASA


a. Generate a key pair - The following procedure needs to be done on the ASA


cuma-asa(config)# crypto key gen rsa label asa-veri mod 1024

INFO: The name for the keys will be: asa-veri
Keypair generation process begin. Please wait..


b. Create a trustpoint with all the information needed to generate the CSR. The subject name here must be exactly the name that the mobile phones will use to access CUMA. If the phones connect to https://cuma1.cisco.com:5443, then use CN=cuma1.cisco.com


cuma-asa(config)# crypto ca trustpoint asa-to-mobile

cuma-asa(config-ca-trustpoint)# subject-name CN=cuma1.cisco.com,OU=Voice,O=Cisco,C=<2 digit country code>

cuma-asa(config-ca-trustpoint)# keypair asa-veri

cuma-asa(config-ca-trustpoint)# fqdn none

cuma-asa(config-ca-trustpoint)# enrollment terminal


c. Enroll the trustpoint


cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-to-mobile

WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.


Would you like to continue with this enrollment? [yes/no]: y

% Start certificate enrollment ..

% The subject name in the certificate will be: CN=cuma1.cisco.com,OU=Voice,O=Cisco


% The fully-qualified domain name will not be included in the certificate


% Include the device serial number in the subject name? [yes/no]: n


Display Certificate Request to terminal? [yes/no]: y


Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
Certificate data omitted
-----END CERTIFICATE REQUEST-----


d. Send the above CSR to Verisign or Geotrust. Once you get the signed certificate, import it:


Remember - IMPORT the ID CERT
         - AUTHENTICATE the CA CERT


cuma-asa(config)# crypto ca import asa-to-mobile cert

WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.


Would you like to continue with this enrollment? [yes/no]: y


% The fully-qualified domain name in the certificate will be: cuma1.cisco.com


Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself


e. Now authenticate the trustpoint with the CA certificate that issued your ID cert.

It is critical that you have the entire certificate chain in the ASA's truststore so that the mobile device can properly validate the certificates during the SSL handshake.


cuma-asa(config)# crypto ca authenticate asa-to-mobile
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself


** Paste the contents of the cert **


f. If you authenticated an intermediate cert in the above step, then you must also add the root certificate to the truststore in a separate trustpoint. Each trustpoint can hold at most one ID cert and one CA cert.

cuma-asa(config)# crypto ca trust asa-to-mobile-root

cuma-asa(config-ca-trustpoint)# enrollment terminal

cuma-asa(config-ca-trustpoint)# crypto ca authenticate asa-to-mobile-root
Enter the base 64 encoded CA certificate.

End with the word "quit" on a line by itself


** Paste the contents of the root cert. **

4. Install the CUMA server's self-signed ID cert into the ASA's truststore.

This will be used for the communication between the ASA and CUMA

a. Create a self-signed cert on the CUMA server

The following needs to be done on the CUMA server

1 Sign in to the Cisco Unified Mobility Advantage Admin portal.
2 Select the [+] beside Security Context Management.
3 Select Security Contexts.
4 Select Add Context.
5 Enter information:
Do you want to create/upload a new certificate? create
Context Name "cuma"
Description "cuma"
Trust Policy "Trusted Certificates"
Client Authentication Policy "none"
Client Password "changeme"
Server Name cuma.ciscodom.com
Department Name "vsec"
Company Name "cisco"
City "san jose"
State "ca"
Country "US"


b. Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage

The following needs to be done on the CUMA server

1 Select the [+] beside Security Context Management

2 Select Security Contexts.

3 Select Manage Context beside the security context that holds the certificate to download.

4 Select Download Certificate.

If the certificate is a chain (has associated root or intermediate certificates), only the first certificate in the chain is downloaded. This is sufficient for self-signed certificates.

5 Save the file.


c. Adding a self-signed certificate from Cisco Unified Mobility Advantage onto the ASA.

The following needs to be done on the ASA

1. Open the self-signed certificate from Cisco Unified Mobility Advantage in WordPad (not Notepad.)
2. Import the certificate into the Cisco Adaptive Security Appliance trust store:

cuma-asa(config)# crypto ca trustpoint cuma-server-id-cert
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca authenticate cuma-server-id-cert
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
** paste the contents from wordpad **
-----END CERTIFICATE-----


5. Export the ASA self-signed cert so it can be imported onto the CUMA server


We recommend that you configure Cisco Unified Mobility Advantage to require a certificate from the Cisco Adaptive Security Appliance. Use this procedure to provide the required self-signed certificate.

The following needs to be done on the ASA:

a. generate a new key pair
cuma-asa(config)# crypto key generate rsa label asa-id-key mod 1024
INFO: The name for the keys will be: asa-id-key
Keypair generation process begin. Please wait...

b. add a new trustpoint
cuma-asa(config)# crypto ca trustpoint asa-self-signed-id-cert
cuma-asa(config-ca-trustpoint)# keypair asa-id-key
cuma-asa(config-ca-trustpoint)# enrollment self


c. enroll the trustpoint
cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-self-signed-id-cert

% The fully-qualified domain name in the certificate will be: cuma-asa.cisco.com

% Include the device serial number in the subject name? [yes/no]: n

Generate Self-Signed Certificate? [yes/no]: y

d. export the certificate to a text file

cuma-asa(config)# crypto ca export asa-self-signed-id-cert identity-certificate

The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
Certificate data omitted
-----END CERTIFICATE-----

e. copy the above output to a text file and add it to the CUMA server trust store using the following procedure:

1. Select the [+] beside Security Context Management.
2. Select Security Contexts.
3. Select Manage Context beside the Security Context into which you will import the signed certificate.
4. Select Import in the Trusted Certificates bar.
5. Paste the certificate text.
6. Name the certificate.
7. Select Import.


6. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server

ASA-to-mobile-phone communication takes place on the outside interface and ASA-to-CUMA communication on the inside interface.


In the communication between the ASA and the mobile clients, the ASA acts as the TLS server (presenting the asa-to-mobile certificate)

In the communication between the ASA and CUMA, the ASA acts as the TLS client (presenting the asa-self-signed-id-cert certificate)


cuma-asa(config)# tls-proxy cuma_proxy
cuma-asa(config-tlsp)#server trust-point asa-to-mobile
cuma-asa(config-tlsp)#client trust-point asa-self-signed-id-cert

cuma-asa(config-tlsp)#no server authenticate-client

cuma-asa(config-tlsp)#client cipher-suite aes128-sha1 aes256-sha1

7. Enable the TLS proxy for MMP (Mobile Multiplexing Protocol) inspection

cuma-asa(config)# class-map cuma-proxy

cuma-asa(config-cmap)# match port tcp eq 5443

cuma-asa(config)# policy-map global_policy
cuma-asa(config-pmap)# class cuma-proxy
cuma-asa(config-pmap-c)# inspect mmp tls-proxy cuma_proxy
cuma-asa(config-pmap-c)# exit
cuma-asa(config)# service-policy global_policy global
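The inspect command in step 7 must name the tls-proxy instance from step 6, which in turn must name the trustpoints from steps 3 and 5, so a single mistyped name anywhere in that chain breaks the proxy. The following is an added example, not part of this document or of any Cisco tool: a small Python linter that parses a config fragment and reports references to undefined trustpoints, tls-proxy instances, class-maps or policy-maps. The sample config is constructed and deliberately contains a tls-proxy name mismatch.

```python
import re

# Constructed sample config (not from the document): the trustpoint, tls-proxy,
# class-map and policy-map commands with the CLI prompts stripped. The inspect
# line deliberately says "cuma-proxy" while the tls-proxy is named "cuma_proxy".
SAMPLE_CONFIG = """\
crypto ca trustpoint asa-to-mobile
crypto ca trustpoint asa-self-signed-id-cert
tls-proxy cuma_proxy
 server trust-point asa-to-mobile
 client trust-point asa-self-signed-id-cert
class-map cuma-proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma-proxy
  inspect mmp tls-proxy cuma-proxy
service-policy global_policy global
"""

# Top-level commands that define a named object: (pattern, object kind)
DEFINES = [
    (re.compile(r"^crypto ca trustpoint (\S+)"), "trustpoint"),
    (re.compile(r"^tls-proxy (\S+)"), "tls-proxy"),
    (re.compile(r"^class-map (\S+)"), "class-map"),
    (re.compile(r"^policy-map (\S+)"), "policy-map"),
]
# Commands that reference an object of that kind (sub-mode lines are indented)
REFERENCES = [
    (re.compile(r"^\s+(?:server|client) trust-point (\S+)"), "trustpoint"),
    (re.compile(r"^\s+class (\S+)"), "class-map"),
    (re.compile(r"^\s+inspect mmp tls-proxy (\S+)"), "tls-proxy"),
    (re.compile(r"^service-policy (\S+)"), "policy-map"),
]


def check_cuma_proxy(config):
    """Return one finding per reference to an undefined trustpoint, tls-proxy,
    class-map or policy-map; an empty list means the reference chain is intact."""
    defined = {kind: set() for _, kind in DEFINES}
    refs = []  # (kind, referenced name, the command that made the reference)
    for line in config.splitlines():
        for pattern, kind in DEFINES:
            if m := pattern.match(line):
                defined[kind].add(m.group(1))
        for pattern, kind in REFERENCES:
            if m := pattern.match(line):
                refs.append((kind, m.group(1), line.strip()))
    return [f"{kind} '{name}' used by '{cmd}' is not defined"
            for kind, name, cmd in refs if name not in defined[kind]]
```

Run it over the output of "sh run tls-proxy", "sh run policy-map" and "sh run crypto ca trustpoint" pasted into one file; the constructed sample above yields one finding for the mismatched tls-proxy name.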

Configure logging and debugs for troubleshooting

The following commands send debug output and logs to the syslog server.


debugs:

cuma-asa(config)#debug inspect tls-proxy all

cuma-asa(config)#debug mmp


logs:

cuma-asa(config)#logging enable
cuma-asa(config)#logging timestamp
cuma-asa(config)#logging list loglist message 711001
cuma-asa(config)#logging list loglist message 725001-725014
cuma-asa(config)#logging list loglist message 717001-717038
cuma-asa(config)#logging buffer-size 1000000
cuma-asa(config)#logging buffered loglist
cuma-asa(config)#logging host inside 192.168.1.20
cuma-asa(config)#logging trap loglist

The command below sends the debug output to the syslog server, if one is configured
cuma-asa(config)#logging debug-trace

Show commands


sh cry ca cert
sh cry ca trustpoint
sh run tls-proxy
sh run policy-map
sh run static

Capturing packets


cuma-asa# capture capout interface outside (capturing raw packets)
cuma-asa# capture capout-dec type tls-proxy interface outside (capturing decrypted data)
cuma-asa# show capture capture_name

To save the captures issue
cuma-asa# copy /pcap capture:capture_name tftp://tftp_location

(or)
from a PC that can reach ASDM on the firewall, browse to:
https://192.168.1.1/capture/<capture_name>/pcap


Comments

tahequivoice Wed, 03/21/2012 - 07:06

I see an issue with this configuration. I applied it to a working ASA and CUCM application, and have had nothing but failures.  I found a document on Cisco, http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_1/XML/new_installs/cuma71_new_install_config_chapter2.html#concept_CUM_6512943915981711726 and your setup above does not cover how the CUMA server communicates back to the client.

p 2   Translate all client IP addresses to a single source IP address for routing through the firewall to Cisco Unified Mobility Advantage:
global (<inside interface name> <nat_id> <shared ip address to which all client ip addresses will be translated>)  netmask <subnet mask> 
nat (<outside interface name>) 1 0 0 outside 

Note that because the IP address that all clients share is the same as the inside interface, you can use interface instead of specifying the IP address.

Example:

global (inside) 1 interface 
nat (outside) 1 0.0.0.0 0.0.0.0 outside

I have not been able to test this out yet, Cisco Tac totally f'd up the certificates on the ASA trying to get it working, and now I have to get the signed cert reissued.  One problem I ran into instantly is the above breaks the EZVPN locations, so I first have to figure out how to exempt those locations from the above NAT.

Now question, is the above NAT setup correct? Is this how CUMA communicates back to the client?   Reason I ask, I ran a capture and I see packets from the client to the server, and I see server responses, but the client eventually times out server not found, or unavailable.

So far Cisco TAC has been clueless on how Cuma works, one team passes it to the other team and back and forth.  Does ANYONE know how the hell these servers work with the ASA and clients?
