Trying to configure the ASA 8.0(4) phone proxy feature with CallManager 6.1(x) as per the documentation http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1144829
I set the TFTP server IP address on the remote IP phone to the ASA proxy address, and the remote IP phone can successfully register to CallManager.
But from the remote IP phone, the phone directory and phone service buttons are not working: "Host not found". I think this is because the IP phone still gets the internal IP address of CallManager for the phone service?
Or I missed something?
You aren't missing anything. There is no support for this in the current version of the ASA proxy. This is what happens when a voice product leaves the UC BU and ends up as a product in the Security BU.
I don't know what is on the roadmap, but I hope this gets back in the product as it is a function that is sorely missed.
I am having the same issue and I just started to look into the proxy-server option in the ASA phone proxy config. Couldn't I just set up an HTTP proxy (preferably on the ASA) and use that to tunnel the phone service request through? I still would have the issue of the phone service traffic being unencrypted but I think it would function.
I have been able to get the directory, service, and information to work; this isn't exactly documented too well yet - but it should get better.
I am using 8.0(4)23 as I had to get away from the walkie-talkie audio issue of the standard 8.0(4) code. I also am not using LSCs yet - only MICs.
xxx.xxx.xxx.xxx is the internal IP of the CUCM Publisher running tftp
yyy.yyy.yyy.yyy is my ASA external IP meant for tftp / 8080
zzz.zzz.zzz.zzz is my ASA external MTP
The configuration that seems to work is:
object-group service tftp udp
port-object eq tftp
object-group network cucm
network-object host yyy.yyy.yyy.yyy
access-list outside_access_in extended permit udp any object-group cucm object-group tftp
static (inside-60,outside-96) tcp yyy.yyy.yyy.yyy 8080 xxx.xxx.xxx.xxx www netmask 255.255.255.255
static (inside-60,outside-96) yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx netmask 255.255.255.255
proxy-server address xxx.xxx.xxx.xxx interface inside
Try this out and verify that this helped.
That's good news to me, getting the directory & service to work! We're the same, only MIC is being used. Can you pls. give me a copy of your config? Just want to compare it to mine. --email@example.com
BTW, I've PATed the outside traffic going inbound through the ASA on each specific phone IP address. Is there a way to stick/trust the outside phone using the MAC address instead of the IP address? I don't want to perform PAT on all the outside traffic going inbound through the ASA.
my config ex:
PhoneProxyASA(config)# nat (outside) 55 172.18.254.73 255.255.255.255 outside
PhoneProxyASA(config)# global (inside) 55 interface
where 172.18.254.73 is the ip address of the phone on the outside.
Heard that the new ASA firmware (8.2.1, released this May) has fixed this issue. Has anyone tried it out yet?
I'm trying out your configuration but I'm getting an error on getting both static configs, a conflict since there's already a static. Any workaround? Thanks
"ERROR: mapped-address conflict with existing static
inside:xxx.xxx.xxx.xxx to outside:yyy.yyy.yyy.yyy netmask 255.255.255.255"
Got it, a little trick: I removed the 1st static mapping, entered the 2nd static map, then re-entered the 1st static map. (A bug or something?) Although I got the error as previously, it did go into the config and it works. The directory works fine and the extension mobility displays; however, when the extension mobility was selected, it still doesn't show the login/logoff and I got an "http error !". Any suggestion?
Basically it's quite simple to fix it when you use DNS names for CM.
You just have to make the DNS name internally and externally resolvable.
Then go to Enterprise Parameters Configuration > Phone URL Parameters and change: URL Directories, URL Services
You will need a static map on the ASA from the external IP to the internal one, and this setup works fine.
You can use DNS names only for those 2 parameters, and keep in mind it's only a workaround, not a real fix.
Rate if this helps.
With the configuration update outlined below, the ASA will insert a value for "Proxy Server" on a 7900 series phone. You can check this on the phone by pressing Settings | Device Configuration | HTTP Configuration | Proxy server. The ASA will insert the global address for the CUCM server and dynamically update the access-list for a registered phone.
You can correct this issue through ASDM or through CLI.
Expand Firewall | Advanced | Encrypted Traffic Inspection | Phone Proxy
Click "Configure a http-proxy which would be written into the phone's config file so that phone URLs are directed for services on the phone".
Insert the IP address of your CUCM server, port 8080, interface "Inside" (normally).
proxy-server address X.X.X.X interface inside (where X.X.X.X = your CUCM server)
Remove this static and clear the r.r.r.r global xlate.
static (inside,outside) tcp r.r.r.r 8080 s.s.s.s www netmask 255.255.255.255
This is built dynamically for you.
Done as you recommended and I definitely see the proxy server URL (r.r.r.r:8080) at Settings | Device Configuration | HTTP Configuration, where r.r.r.r is the outside address, but I'm still getting "HTTP Error(404)" from the Services button.
If I adjust the URL parameters/services in the enterprise parameters to use DNS, will it affect all my phones not set up for phone proxy? I.e. need to restart the services, etc.?
BTW, after I removed my static the directories have also gone away (which work when the static is in place, while only the EM does not).
And I don't want to adjust the URL parameters/services.
Any more ideas?
Are you pointing directly at a CUCM for the proxy server address? It should work if all the services are on that CUCM, but if you are trying to hit web services on other internal boxes the Call Manager won't proxy those requests; you need to point to a real web proxy server. I ended up setting up a Squid proxy box and pointed all external phones to that, and it was able to get their requests to the right box on the inside.
Yep, I'm pointing to a CUCM address and I can see the URLs from the external phone are all correct (same as the internal phones),
i.e. Directories URL: http://s.s.s.s/CCMCIP/xmldirectory.asp where s.s.s.s = internal CUCM address
Just wondering, the ASA should be able to proxy this, right? Or should I add anything on the ASA?
Here is a sample of my working configuration for the Phone Proxy portion:
tftp-server address 10.1.1.1 interface inside
tftp-server address 10.2.1.1 interface outside
cipc security-mode authenticated
proxy-server address 10.1.1.1 interface inside
I'm running 8.2.2 on the ASA in my lab and CUCM 7.1.3su1b.
I've changed the IPs, but it does work. The one drawback to this configuration is that all the information sent is sent in clear text, so if someone is sniffing traffic they could get logins, passwords, IPs, etc. This might be remedied in CUCM8 with secure services.
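Added example, not part of any poster's message and not Cisco tooling: a small Python check over ASA 8.x static and proxy-server lines for three conditions raised in this thread (a port static and a host static sharing one mapped address, a manual 8080 static toward the proxy-server host, and inside HTTP published to the outside in clear text). The sample config and its addresses are constructed, and the finding names are hypothetical labels.

```python
import re

# Constructed sample in ASA 8.x syntax; 198.51.100.10 (outside mapped address)
# and 10.1.1.1 (inside CUCM) are placeholder addresses, not values from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 198.51.100.10 8080 10.1.1.1 www netmask 255.255.255.255
static (inside,outside) 198.51.100.10 10.1.1.1 netmask 255.255.255.255
tftp-server address 10.1.1.1 interface inside
proxy-server address 10.1.1.1 interface inside
"""

STATIC_RE = re.compile(
    r"^static \([^,]+,(?P<mif>[^)]+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)"
    r"|(?P<hmapped>\S+) (?P<hreal>\S+)) netmask \S+$")
PROXY_RE = re.compile(r"^proxy-server address (\S+) interface \S+")

def lint(config):
    """Return sorted (finding, address) pairs for the issues raised in the thread."""
    port_statics, host_statics, proxies, findings = [], set(), set(), set()
    for line in (raw.strip() for raw in config.splitlines()):
        m = STATIC_RE.match(line)
        if m and m["proto"]:
            port_statics.append((m["mif"], m["mapped"], m["mport"], m["real"], m["rport"]))
        elif m:
            host_statics.add((m["mif"], m["hmapped"]))
        p = PROXY_RE.match(line)
        if p:
            proxies.add(p[1])
    for mif, mapped, mport, real, rport in port_statics:
        # Port static and host static share one mapped address: the combination
        # that produced "mapped-address conflict with existing static".
        if (mif, mapped) in host_statics:
            findings.add(("mapped-address-overlap", mapped))
        # Manual 8080 static to a host that is also the phone-proxy proxy-server;
        # one poster reports the ASA builds this translation itself.
        if mport == "8080" and real in proxies:
            findings.add(("static-duplicates-proxy-server", real))
        # Inside HTTP published to the outside: services traffic is clear text.
        if rport in ("www", "80"):
            findings.add(("cleartext-http-published", mapped))
    return sorted(findings)

if __name__ == "__main__":
    for finding, address in lint(SAMPLE_CONFIG):
        print(f"{finding}: {address}")
```

The findings are review hints drawn from what posters report here, not statements of documented ASA behaviour.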
I've added the "tftp-server address x.x.x.x interface outside" on mine but still not working.
y.y.y.y = subscriber
z.z.z.z = publisher
x.x.x.x = external ip static to z.z.z.z (pubs)
tftp-server address z.z.z.z interface inside
tftp-server address x.x.x.x interface outside --just added
cipc security-mode authenticated
proxy-server address z.z.z.z interface inside
Just noticed on the status of the phone the error: "TFTP not authorized: y.y.y.y", but the phone proxy is working (can make calls, etc.). Since I only declare one CUCM address on the ASA to utilize the 2 free licenses, would this be an issue related to the EM?
BTW, mine is 8.2.1; I'll upgrade to 8.2.2, then see if that improves.