
Cisco ASA 8.4 and Phone Proxy


We are trying to get Cisco ASA 8.4 to work for our remote Cisco 7970/7971 phones via the Phone-Proxy feature.

The high-level network diagram is like this:

[CUCM]------[ASA]=====(internet)=============[Remote office]------ Cisco Phone

We have followed the below document, but don't see any debug message or any other message on the ASA terminal.

Relevant configuration is:

crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 no client-types
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint capf_trustpoint
 enrollment terminal
 crl configure

tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_phoneproxy_file

ctl-file ctl_phoneproxy_file
 record-entry capf trustpoint capf_trustpoint address <GLOBAL IP>
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address <GLOBAL IP>
 no shutdown

media-termination mediaterm
 address <GLOBAL IP>

phone-proxy ASA-phone-proxy
 media-termination mediaterm
 tftp-server address interface Inside
 tls-proxy ASA-tls-proxy
 ctl-file ctl_phoneproxy_file
 no disable service-settings

policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect ip-options
  inspect dns preset_dns_map
  inspect icmp
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy ASA-phone-proxy
 class sec_sip
  inspect sip phone-proxy ASA-phone-proxy

service-policy global_policy global
service-policy voice_policy interface Outside

access-list OUTSIDE extended permit udp any host <GLOBAL IP> eq tftp
access-group OUTSIDE in interface Outside

ciscoasa# show phone-proxy
Phone-Proxy 'ASA-phone-proxy': Runtime Proxy ref_cnt 2
  Cluster Mode: nonsecure
  Run-time proxies:
    Proxy 0x73792268: Class-map: sec_sip, Inspect: sip
    Proxy 0x738e23a8: Class-map: sec_sccp, Inspect: skinny


Could you please let us know what it is that we are missing? And on the phone, we have the TFTP server as the <GLOBAL IP> of the ASA, and in the status message it says TFTP timeout to recover SEP......conf.xml file, No CTL installed...

Appreciate your help.


