Kevin Redmon
Cisco Employee

 

Overview

The Cisco ASA phone proxy feature allows remote Cisco IP phones to establish secured communication channels directly with the ASA. These secure communications terminate directly onto the firewall, and the firewall "proxies" the voice communication between the phone and the Call Manager.

This feature allows for secure voice communication for phones deployed in the field without requiring a separate device to encrypt the traffic to the Call Manager.

To configure ASA Phone Proxy via CLI, please reference this page: ASA Phone Proxy sample configuration in 8.0

 

Terminology

 

Media Termination Address

The Media Termination Address is an address that the firewall uses to perform the phone proxy function. It is a special address that is used to terminate secure media streams to and from remote phones. This address needs to be a unique, publicly routable address on the outside of the firewall, and must adhere to the following guidelines:

  • It must not be the same as any global address for any translation on the firewall
  • It must be a different address than the outside interface address of the firewall (or any other firewall interface)
  • It must reside in the same IP subnet as the outside interface of the firewall
  • No other device on the outside subnet can also be assigned this IP address

 

SRTP

SRTP (Secure Real-time Transport Protocol) refers to RTP (Real-time Transport Protocol) media streams which are encrypted.

 

Certificate Trust List (CTL) File

The CTL file is a file that the phone downloads when it first connects to the TFTP server at boot. The CTL file contains information about what devices the phone can trust, along with the certificates for those devices. In the case of phone proxy, the firewall is configured to generate and send its own CTL file to the remote phone. The CTL file contains the certificates for the devices in the phone proxy environment, such as the Call Manager(s), TFTP server and CAPF certificates.

 

MIC and LSC Certificates

There are two types of certificates that can be present on Cisco IP Phones:

For the phone proxy feature to function properly and for the traffic between the phone and the ASA to be encrypted, the phone must have a certificate installed. To determine if a phone has a certificate already installed on the phone, press the Settings button, then choose "6 - Security Configuration" then scroll down and look for the sections labelled "MIC" and "LSC". If either of these reads "Installed" a certificate of that type is installed. If it reads "Not Installed" there is no certificate of that type installed.

 

CAPF

CAPF stands for Certificate Authority Proxy Function. This is a feature that runs on the Cisco Unified Call Manager Publisher that can deploy LSC certificates to phones. It is required for phones that do not have a MIC certificate to establish secure or authenticated connections. More information on deploying certificates to phones using the CAPF process can be found at the documentation link below:

Call Manager 7.0 CAPF docs

 

Prerequisites

The following are required before the phone proxy feature will work correctly:

  • The remote Cisco IP phone must have a certificate installed for the secure connection to be made to the firewall
  • The ASA firewall must be running at least version 8.0(4)
  • To use ASDM, you must be running ASDM, Version 6.1(3) or later.
  • The ASA must have the appropriate license installed. To determine the number of secured connections available, use the "show version" command. Each phone-to-Call Manager connection counts as one secure connection. Therefore, if two Call Managers are present in a redundant configuration, each phone maintains two connections (one to each Call Manager) and a total of two licenses will be used for each phone.

Note the line that reads "UC Proxy Sessions":

 

LicenseDetails_75 1.JPG

Step-by-Step configuration example

For this example, the following diagram depicts the network:

 

Phone_proxy_asdm 2.JPG

  • The dmz interface is meant to represent a DMZ or trusted interface, depending on your network topology.
  • The PhoneProxy interface is meant to represent the Internet in this example.
  • The media termination address is 10.26.100.3.
  • The TFTP server resides on the Call Manager, and the Call Manager is at 192.168.1.3. The firewall is statically translating this DMZ IP address to the PhoneProxy interface with a global address of 10.26.100.2.
  • The phones in this case have a MIC certificate installed. This certificate was previously installed on the phone by Cisco at the time of manufacturing. (Note: Cisco recommends that you use manufacturer-installed certificates (MICs) for LSC installation only.[1])
  • The Call Manager is running in non-secure mode. Therefore all communication from the ASA to the Call Manager will be unencrypted.

The following configuration is based on the configuration guide listed in the Documentation section at the end of this document.

1. Set the hostname and domain-name of the firewall. These settings will be used when the RSA keys are generated in step 4.

 

Step1-1_75 3.JPG

2. (Optional) Configure DNS resolution on the ASA if the Call Manager server is configured by hostname, rather than IP address. If the Call Manager is configured by hostname, it will insert its own hostname into the TFTP config file sent to the phone instead of its IP address; the phone will then attempt to resolve the hostname and connect to the resulting IP address. In that case both the phone and the ASA need to be able to resolve the hostname of the Call Manager. To check whether the Call Manager server is configured by hostname, go to the Call Manager, open "System->Server" and press the "Find" button to display the Call Manager description. It will show an IP address or a hostname. If your Call Manager is configured by IP address, this step is not necessary, as the phone and the ASA won't need to do any DNS resolution.

In the following example:

  • The DNS server resides on the outside
  • The DNS server IP address is 4.2.2.2
  • In this case the DNS server is added to the default DNS server group

Step2-1_75 4.JPG

3. Create a static translation so that the Call Manager's TFTP server is accessible from the outside internet. The phones will be configured with the 10.26.100.2 address as their TFTP server:

 

Step3-1_75 5.JPG

4. A keypair needs to be generated that will be used for the self-signed certificate on the firewall. If a keypair is already created then this step can be skipped.

 

Step4-1_75 6.JPG

Step4-2_75 7.JPG

 

5. Next, create a trustpoint that will be used for secure communication with the remote phones. In this case we'll call this trustpoint phoneproxy_trustpoint. After creating the trustpoint, we enroll the trustpoint immediately (causing the firewall to generate the self-signed certificate).

 

Step5-1_75 8.JPG

 

6. (Optional - only necessary if the phones have an LSC installed and no MIC) If the phones we are using do not have a MIC certificate (and the only certificate that they have is an LSC), then we'll need to add the CAPF CA certificate from the Call Manager. Again, this step is only necessary if the remote phones have an LSC certificate loaded.

To retrieve the CAPF certificate from the Call Manager running version 5.1, do the following (these steps might be different depending on the Call Manager version):

  1. Log into the Call Manager web interface
  2. In the upper right of the screen in the "Navigation" selector, choose "Cisco Unified OS Administration" and click "Go"
  3. Choose the "Security" drop down, then choose "Certificate Management" then "Download Certificate / CTL"
  4. Choose "Download Trust Cert" and then "CAPF". Download this certificate in .pem encoding.

Then, create the trustpoint and import the CAPF CA certificate from the Call Manager onto the firewall

 

Step6-1_75 9.JPG

Step6-2_75 10.JPG

 

7. It is necessary to load the Cisco Manufacturer CA certificates onto the firewall so that phones that use MIC certificates and the firewall can make a secure connection. Therefore, we'll create a trustpoint for each of the CA certificates CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA. These CA certificates can be downloaded from the Call Manager by doing the following (these steps might be different depending on the Call Manager version):

  1. Log into the Call Manager web interface
  2. In the upper right of the screen in the "Navigation" selector, choose "Cisco Unified OS Administration" and click "Go"
  3. Choose the "Security" drop down, then choose "Certificate Management" then "Download Certificate / CTL"
  4. Choose "Download Trust Cert" and then "Call Manager - Trust". Download the certificates (CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA) in .pem encoding.

Now, create a trustpoint for each certificate and authenticate them all with the downloaded .pem encoded files:

 

Step7-1_75 11.JPG

Step7-2_75 12.JPG

Step7-3_75 13.JPG

Step7-4_75 14.JPG

Step7-5_75 15.JPG

Step7-6_75 16.JPG

 

8. Now that the certificates are on the ASA, we'll need to create the parameters for the CTL file that will be passed down to the phone. In our case, since the TFTP server is on the Call Manager (one device serves both roles), we'll create a record-entry of type cucm-tftp (as opposed to just tftp or just cucm). Also note that we use the global (mapped) address for the TFTP server here, since this is how the TFTP server will look to the phones. The record-entry we add for the CAPF is not required if CAPF certificates are not used:

 

Step8-1_75 17.JPG

Step8-2_75 18.JPG

Step8-3_75 19.JPG

Step8-4_75 20.JPG

 

9. Create the tls-proxy instance. In this section you must specify the trustpoint that the ASA generated automatically when the CTL file was created. The trustpoint name has the format _internal_PP_ + ctl_file_name. In this case, since the CTL file was ctl_phoneproxy_file (see step 8 above), the complete command is server trust-point _internal_PP_ctl_phoneproxy_file. In the ASDM-generated configuration at the end of this document the CTL file is named asdm_CTL_File, so the trustpoint appears there as _internal_PP_asdm_CTL_File.

 

Step9-1_75 21.JPG

Step9-2_75 22.JPG

Step9-3_75 23.JPG

Step9-4_75 24.JPG

Step9-5_75 25.JPG

Step9-6_75 26.JPG

 

10. Create the phone-proxy instance, which outlines the parameters of how the phone-proxy will be configured on the firewall.

The following parameters are configured below:

  • The IP address in the media-termination address command should be a unique IP address as defined above
  • The IP address in the tftp-server address command should be the internal (real) IP address of the TFTP server, and the interface should be the interface of the firewall behind which the TFTP server resides. Before configuring this parameter, ensure that the static translation for the Call Manager (see step 3) has been created
  • The tls-proxy command should refer to the name of the tls-proxy instance that was created earlier in step 9
  • The ctl-file command should refer to the name of the CTL file configured earlier in step 8
  • The no disable service-settings command specifies that we do not wish the firewall to disable certain settings of the phone
 
Step10-1_75 27.JPG
Step10-2_75 28.JPG
11-12. Define the class-maps that will match the secured traffic. In this case our classes will match the specific TCP ports that the phones will use when making secure SIP or Skinny connections to the Call Manager. Secure Skinny will use TCP port 2443 and secure SIP will use TCP port 5061 by default. You will then define the policy-map for the phone-proxy functions and apply it to the outside interface:
 
Step11-12-1_75 29.JPG
Step11-12-2_75 30.JPG
Step11-12-3_75 31.JPG
Step11-12-4_75 32.JPG
Step11-12-5_75 33.JPG
Step11-12-6_75 34.JPG
Step11-12-7_75 35.JPG
Step11-12-8_75 36.JPG
Step11-12-9_75 37.JPG
Step11-12-10_75 38.JPG
Step11-12-11_75 39.JPG
Step11-12-12_75 40.JPG
 
13. Using an access-list, permit inbound TFTP traffic to the TFTP server's global IP address. This is the only specific ACL entry that needs to exist to allow the phone-proxy to work. The secured streams which terminate on the firewall will be permitted automatically by the firewall.
 
Step13-1_75 41.JPG
 

At this point the ASA configuration is done. The next step is to go to the phone and ensure that:

  • The phone obtains an IP address from the DHCP server on the LAN
  • The phone downloads the correct CTL file from the ASA. If the phone previously had a CTL file loaded it should be deleted.
  • The phone's TFTP server settings are correct. The phone should have a TFTP server IP setting pointing to the global address of the TFTP server as defined in the static command. The TFTP server setting should not point to the media termination address, nor to the outside interface IP address of the firewall.

Final completed configuration

The final, complete config for this example is below:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cisco.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan12
nameif DMZ
security-level 80
ip address 192.168.1.1 255.255.255.0
!
interface Vlan22
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan32
nameif PhoneProxy
security-level 50
ip address 10.26.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 22
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport access vlan 12
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
switchport access vlan 32
!
interface Ethernet0/7
switchport access vlan 32
!
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
access-list PhoneProxy_access_in extended permit udp any host 10.26.100.2 eq tftp log disable
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu PhoneProxy 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
static (DMZ,PhoneProxy) 10.26.100.2 192.168.1.3 netmask 255.255.255.255
access-group PhoneProxy_access_in in interface PhoneProxy
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint phoneproxy_trustpoint
enrollment self
subject-name CN=ciscoasa
keypair proxy_key
crl configure
crypto ca trustpoint capf_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint CAP-RTP-001_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint _internal_asdm_CTL_File_SAST_0
enrollment self
fqdn none
subject-name cn="_internal_asdm_CTL_File_SAST_0";ou="STG";o="Cisco Inc"
keypair _internal_asdm_CTL_File_SAST_0
crl configure
crypto ca trustpoint _internal_asdm_CTL_File_SAST_1
enrollment self
fqdn none
subject-name cn="_internal_asdm_CTL_File_SAST_1";ou="STG";o="Cisco Inc"
keypair _internal_asdm_CTL_File_SAST_1
crl configure
crypto ca trustpoint _internal_PP_asdm_CTL_File
enrollment self
fqdn none
subject-name cn="_internal_PP_asdm_CTL_File";ou="STG";o="Cisco Inc"
keypair _internal_PP_asdm_CTL_File
crl configure
crypto ca server
shutdown
cdp-url http://kredmon-asa.kredmon.lab/+CSCOCA+/asa_ca.crl
issuer-name CN=kredmon-asa.kredmon.lab
smtp from-address admin@kredmon-asa.kredmon.lab
crypto ca certificate chain phoneproxy_trustpoint
certificate 03870049
  quit
crypto ca certificate chain capf_trustpoint
certificate ca 160197fb03c26fa6
  quit
crypto ca certificate chain CAP-RTP-001_trustpoint
certificate ca 7612f960153d6f9f4e42202032b72356
  quit
crypto ca certificate chain CAP-RTP-002_trustpoint
certificate ca 353fb24bd70f14a346c1f3a9ac725675
  quit
crypto ca certificate chain Cisco_Manufacturing_CA_trustpoint
certificate ca 6a6967b3000000000003
  quit
crypto ca certificate chain _internal_asdm_CTL_File_SAST_0
certificate 4a8a0049
  quit
crypto ca certificate chain _internal_asdm_CTL_File_SAST_1
certificate 4a8a0049
  quit
crypto ca certificate chain _internal_PP_asdm_CTL_File
certificate 4a8a0049
  quit
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd address 10.10.10.3-10.10.10.100 inside
dhcpd enable inside
!

!
tls-proxy ASA-tls-proxy
server trust-point _internal_PP_asdm_CTL_File
ctl-file asdm_CTL_File
record-entry capf trustpoint capf_trustpoint address 10.26.100.2
record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 10.26.100.2
no shutdown
!
phone-proxy asdm_phone-proxy
media-termination address 10.26.100.3
tftp-server address 192.168.1.3 interface DMZ
tls-proxy ASA-tls-proxy
cipc security-mode authenticated
ctl-file asdm_CTL_File
no disable service-settings
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username kredmon password Fs51/8dl.5y0ZmCb encrypted privilege 15
!
class-map sec_sip
match port tcp eq 5061
class-map sec_sccp
match port tcp eq 2443
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map voice_policy
class sec_sip
  inspect sip phone-proxy asdm_phone-proxy
class sec_sccp
  inspect skinny phone-proxy asdm_phone-proxy
!
service-policy global_policy global
service-policy voice_policy interface PhoneProxy
prompt hostname context
Cryptochecksum:87e4d19d1d551bb6342375851e0a9163
: end
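
The rules stated in this document (the media termination address guidelines, the TFTP static and ACL from steps 3, 10 and 13, and the trustpoint naming from step 9) can be checked against a saved configuration before phones are deployed. The script below is an added example, not part of the original document or of any Cisco tool; the function names, the finding labels and the embedded excerpt are assumptions made for illustration, and it only understands the flat pre-8.3 syntax shown above.

```python
import ipaddress
import re

# Constructed excerpt: only the lines of the final configuration that the
# checks read, in the flat (unindented) form the page shows them.
SAMPLE_CONFIG = """\
interface Vlan12
nameif DMZ
ip address 192.168.1.1 255.255.255.0
interface Vlan22
nameif outside
ip address dhcp setroute
interface Vlan32
nameif PhoneProxy
ip address 10.26.100.1 255.255.255.0
access-list PhoneProxy_access_in extended permit udp any host 10.26.100.2 eq tftp log disable
static (DMZ,PhoneProxy) 10.26.100.2 192.168.1.3 netmask 255.255.255.255
access-group PhoneProxy_access_in in interface PhoneProxy
tls-proxy ASA-tls-proxy
server trust-point _internal_PP_asdm_CTL_File
ctl-file asdm_CTL_File
phone-proxy asdm_phone-proxy
media-termination address 10.26.100.3
tftp-server address 192.168.1.3 interface DMZ
"""


def _all(pattern, lines):
    """Capture groups of every line that matches pattern at its start."""
    return [m.groups() for m in (re.match(pattern, ln) for ln in lines) if m]


def _interfaces(lines):
    """Map nameif -> ip_interface for interfaces with a static address."""
    found, name = {}, None
    for ln in lines:
        if ln.startswith("interface "):
            name = None
        elif m := re.match(r"nameif (\S+)", ln):
            name = m.group(1)
        elif name and (m := re.match(r"ip address (\d\S*) (\d\S*)", ln)):
            found[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found


def check_phone_proxy(config, outside_if):
    """Return findings for the phone-facing interface; [] means all passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    ifs = _interfaces(lines)
    statics = _all(r"static \(([^,]+),([^)]+)\) (\S+) (\S+)", lines)
    findings = []

    # Media termination address guidelines. That no other host on the subnet
    # uses the address cannot be seen in the config and is not checked.
    mta = _all(r"media-termination address (\S+)", lines)
    if not mta or outside_if not in ifs:
        return ["CONFIG: media-termination address or interface not found"]
    mta = ipaddress.ip_address(mta[0][0])
    if mta not in ifs[outside_if].network:
        findings.append(f"MTA-SUBNET: {mta} is outside {ifs[outside_if].network}")
    if any(mta == i.ip for i in ifs.values()):
        findings.append(f"MTA-IFACE: {mta} is a firewall interface address")
    if any(mta == ipaddress.ip_address(s[2]) for s in statics):
        findings.append(f"MTA-NAT: {mta} is the global address of a static")

    # Steps 3, 10, 13: the real TFTP address needs a static towards the phones
    # and an inbound ACL entry permitting udp/tftp to the global address.
    acls = _all(r"access-list (\S+) extended permit udp any host (\S+) eq (?:tftp|69)\b", lines)
    bound = _all(r"access-group (\S+) in interface (\S+)", lines)
    for real, real_if in _all(r"tftp-server address (\S+) interface (\S+)", lines):
        mapped = [s[2] for s in statics
                  if s[0] == real_if and s[1] == outside_if and s[3] == real]
        if not mapped:
            findings.append(f"TFTP-NAT: no static ({real_if},{outside_if}) for {real}")
        elif not any(h == mapped[0] and (n, outside_if) in bound for n, h in acls):
            findings.append(f"TFTP-ACL: no inbound permit for udp/tftp to {mapped[0]}")

    # Step 9: the tls-proxy trustpoint is named _internal_PP_ + CTL file name.
    tp = _all(r"server trust-point (\S+)", lines)
    ctl = _all(r"ctl-file (\S+)", lines)
    if tp and ctl and tp[0][0] != "_internal_PP_" + ctl[0][0]:
        findings.append(f"TLS-TP: expected _internal_PP_{ctl[0][0]}, found {tp[0][0]}")
    return findings


if __name__ == "__main__":
    for finding in check_phone_proxy(SAMPLE_CONFIG, "PhoneProxy") or ["all checks passed"]:
        print(finding)
```

The second argument is the nameif of the interface the phones connect to, which is PhoneProxy in this example rather than outside.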

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide and the related documents:

  • Cisco.com ASA 8.0 Configuration guide - Phone Proxy feature
  • ASA Phone Proxy sample configuration in 8.0
  • ASA Phone Proxy Troubleshooting and Common Problems

 
