Cisco Support Community
Community Member

ASA Phone-Proxy Security Issue?

Hi all,

I am just starting to look over the phone proxy configuration for the ASAs. I noticed one of the steps was to open TFTP access to the CM from the Internet. My question is: what are the security ramifications of doing this, and has anyone here addressed this in their environment?

Cisco Employee

Re: ASA Phone-Proxy Security Issue?


Not sure where you read that you have to open the TFTP access to the CM from the internet.

Actually, what you need is to set up NAT on the ASA. So the ASA will translate an external IP to internal. Also, the connection between the ASA and the phone is going to be secure and so there is not much of a security issue there.

Please take a look at this link for more info.


Community Member

Re: ASA Phone-Proxy Security Issue?

Step 13 in the link you posted. It says...

Using an access-list, permit inbound TFTP traffic to the tftp-server's global IP address. This is the only specific acl entry that needs to exist to allow the phone-proxy to work. The secured streams which terminate on the firewall will be permitted automatically by the firewall.

VIP Super Bronze

Re: ASA Phone-Proxy Security Issue?

I would be sure to put the cluster in Mixed Mode and use TFTP encryption to protect the downloads. I would also make sure to throttle the connections allowed on the ASA to prevent a DoS against the TFTP server.

If you are a partner, the AZTEC team has been working on a lab for this, due out sometime in July. I would speak with your channels team so you can get some practice.

Community Member

Re: ASA Phone-Proxy Security Issue?

Do you know what vulnerabilities it presents to the server itself? For instance, the ability to upload malicious code to the server, or is the server set up for download only?
