Cisco Support Community
IP Phone VPN basic configuration example

Software used on this example:

> CUCM version:

> ASA 5505: 8.4(2) with correct license:

    ciscoasa# show version | i AnyConnect for Cisco VPN Phone

    AnyConnect for Cisco VPN Phone    : Enabled        perpetual

> CP-7945G with firmware SCCP45.9-2-1S



Set up the ASA for basic connectivity:

The ASA starts with no configuration at all.

Assign IP address to outside interface:

interface Vlan1

nameif outside

security-level 100

ip address

Assign IP address to inside interface:

interface Vlan210

nameif inside

security-level 100

ip address

Configure same-security-traffic permit inter-interface to allow the ASA to forward traffic between interfaces that have the same security-level (whether this is needed depends on what the customer has already configured for connectivity):

ciscoasa(config)# same-security-traffic permit inter-interface

Configure a static route (lab purposes only):

ciscoasa(config)# route inside 1

Assign vlan to inside interface (This depends on what the customer has already configured):

interface Ethernet0/0

switchport access vlan 210


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


This is for lab purposes only: the ASA should not provide IP addresses to outside devices; the device at the user’s home (DSL modem, etc.) should do so.

DHCP server commands:

dhcpd address outside

dhcpd enable outside

Generate self-signed certificate:

ciscoasa# configure terminal

ciscoasa(config)#crypto key generate rsa label modulus 1024

WARNING: You have a RSA keypair already defined named

Do you really want to replace them? [yes/no]: yes

Keypair generation process begin. Please wait...


Create trustpoint and associate keypair to generated self-signed certificate:

ciscoasa(config)# crypto ca trustpoint

ciscoasa(config-ca-trustpoint)# enrollment self

ciscoasa(config-ca-trustpoint)# fqdn none

ciscoasa(config-ca-trustpoint)# subject-name CN=

ciscoasa(config-ca-trustpoint)#  keypair

ciscoasa(config)# crypto ca enroll

% The fully-qualified domain name will not be included in the certificate

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes


Export self-signed certificate:

ciscoasa(config)# crypto ca export identity-certificate

The PEM encoded identity certificate follows:

Copy the text from the terminal, including the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines, save it as a .pem file, and upload it in the Certificate Management section of CUCM.

ASA Certificate Upload:

Upload ASA self-signed certificate to CUCM:

Go to Cisco Unified Operating System Administration > Security > Certificate Management > Upload Certificate/Certificate Chain


Download CUCM Certificates:

Download CUCM certificates and save them:

The certificates are CallManager.pem, CAPF.pem and Cisco_Manufacturing_CA.pem.

Upload CUCM Certificates to the ASA:

Create trustpoints for the CUCM certificates (do the same for CAPF.pem and Cisco_Manufacturing_CA.pem):

ciscoasa(config)# crypto ca trustpoint CallManager.pem

ciscoasa(config-ca-trustpoint)# enrollment terminal

ciscoasa(config)# crypto ca authenticate CallManager.pem

Enter the base 64 encoded CA certificate.

End with the word "quit" on a line by itself
INFO: Certificate has the following attributes:

Fingerprint:     568123ea 9723a59d aa6e1857 32cd4950

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported
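An added example that is not part of the original document or of any Cisco tool: a small Python script for the two certificate-handling steps above. It pulls the PEM block out of pasted terminal output (keeping the BEGIN/END lines, stripping prompts, re-wrapping the body so it saves directly as a .pem file for the CUCM upload), and it computes a certificate fingerprint in the same layout the ASA prints at the "Do you accept this certificate?" prompt, so the value shown by the ASA can be compared with one computed from the file downloaded from CUCM before answering yes. It assumes the ASA's 32-hex-digit Fingerprint line is the MD5 of the DER certificate (this matches the format shown above; confirm it against your release). The sample terminal text is constructed and its "certificate" body is the base64 of the bytes abc, not a real X.509 certificate.

```python
import base64
import hashlib
import re

# Matches a PEM certificate block, including the BEGIN/END lines the
# document says must be copied along with the body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def extract_pem_blocks(terminal_text):
    """Return every certificate pasted from the terminal as a clean PEM
    string: prompts and stray whitespace removed, body re-wrapped at 64
    columns so the result can be saved directly as a .pem file."""
    blocks = []
    for m in PEM_RE.finditer(terminal_text):
        body = "".join(m.group(1).split())
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def pem_to_der(pem):
    """Decode the base64 body of a PEM certificate to its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def asa_fingerprint(der):
    """Fingerprint in the ASA's layout: MD5 of the DER certificate shown as
    four groups of eight hex digits (assumption; it matches the 32-hex-digit
    'Fingerprint:' line the ASA prints during crypto ca authenticate)."""
    digest = hashlib.md5(der).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))


def fingerprints_match(shown, der):
    """True when the value the ASA printed equals the one computed from the
    file downloaded from CUCM, ignoring spacing and letter case."""
    def normalise(s):
        return s.replace(" ", "").lower()
    return normalise(shown) == normalise(asa_fingerprint(der))


# Constructed sample terminal capture.  The 'certificate' body is the base64
# of the bytes b"abc", not a real X.509 certificate, so the script runs
# offline; paste the real export output here in practice.
SAMPLE_TERMINAL = """\
ciscoasa(config)# crypto ca export identity-certificate
The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
ciscoasa(config)#
"""

if __name__ == "__main__":
    for pem in extract_pem_blocks(SAMPLE_TERMINAL):
        print(pem, end="")
        print("Fingerprint:", asa_fingerprint(pem_to_der(pem)))
```

To use it on a real import, run `asa_fingerprint(pem_to_der(open("CallManager.pem").read()))` on the file downloaded from CUCM and compare the result with the Fingerprint line the ASA prints; only then answer yes to the prompt.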


ASA WebVPN configuration:

Create an IP address pool (ip local pool) for devices launching VPN connections:

ip local pool Webvpn_POOL mask

Associate trust-point to outside interface:

ssl trust-point outside

Enable the WebVPN feature (the following commands are entered in webvpn configuration mode):

webvpn

enable outside

enable inside

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

anyconnect enable

Create Group-Policy:

group-policy GroupPhoneWebvpn internal

group-policy GroupPhoneWebvpn attributes

banner none

vpn-simultaneous-logins 10

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

default-domain value

address-pools value Webvpn_POOL

webvpn

anyconnect ssl dtls enable

anyconnect keep-installer installed

anyconnect ssl keepalive 120

anyconnect ssl rekey time 4

anyconnect ssl rekey method new-tunnel

anyconnect dpd-interval client none

anyconnect dpd-interval gateway 300

anyconnect ssl compression deflate

anyconnect ask none default webvpn

Create a username and password for local AAA authentication:

username cisco password 12345

username cisco attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

Create a username and password for certificate plus password authentication:

username CP-7945G-SEP00235E1868AF password 12345

username CP-7945G-SEP00235E1868AF attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

Create a Tunnel-Group for local AAA authentication:

tunnel-group VPNphone type remote-access

tunnel-group VPNphone general-attributes

address-pool Webvpn_POOL

default-group-policy GroupPhoneWebvpn

tunnel-group VPNphone webvpn-attributes

group-url enable

Create a Tunnel-Group for certificate plus password authentication:

tunnel-group CertPassTunnelGroup type remote-access

tunnel-group CertPassTunnelGroup general-attributes

authorization-server-group LOCAL

default-group-policy GroupPhoneWebvpn

username-from-certificate CN

tunnel-group CertPassTunnelGroup webvpn-attributes

authentication aaa certificate

pre-fill-username ssl-client

group-url enable

Create a Tunnel-Group for certificate-only authentication:

tunnel-group CertOnlyTunnelGroup type remote-access

tunnel-group CertOnlyTunnelGroup general-attributes

default-group-policy GroupPhoneWebvpn

tunnel-group CertOnlyTunnelGroup webvpn-attributes

authentication certificate

group-url enable

Configure the VPN Gateways:

Add VPN Gateway for Username and Password authentication:

Go to Advanced Features > VPN > VPN Gateway


Create a VPN Group using the VPN Gateways:

Add VPN Group and associate the previously created VPN gateway to it:

Go to Advanced Features > VPN > VPN Group


Create a VPN Profile:

Go to Advanced Features > VPN > VPN Profile

Auto detection:

If enabled, the VPN client will only run when it detects that the phone is outside the corporate network.

Enable Host ID Check:

If enabled, the VPN gateway's certificate's subjectAltName or CN must match the URL that the VPN Client has connected to.

Enable Password Persistence:

If enabled, a user's password will be saved in the phone until a failed login or a user clears it.


Assign a VPN Group and Profile in the Phone Common Profile:

Associate VPN Group and Profile to the Phone Common Profile:

Go to Device > Device Settings > Common Phone Profile


Assign Phone Common Profile to IP Phone:

Associate Phone Common Profile to IP Phone:

Go to Device > Phone

Related information:

Useful links:

Version history
Revision #: 1 of 1
Last update: 12-16-2011 01:25 PM

Good document meneses, but I think we should specify that when selecting "certificate" as client authentication method, 3 certificates from the callmanager should be uploaded into the ASA.

CallManager - Authenticating the Cisco UCM during TLS handshake (Only required for mixed-mode clusters)

Cisco_Manufacturing_CA - Authenticating IP phones with a Manufacturer Installed Certificate (MIC).

CAPF - Authenticating IP phones with an LSC.

If not, users will get "authentication failed" when selecting the phone VPN feature.
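As an added example that is not part of the original document or the comment above: a Python checker that reads an ASA configuration in show running-config form and applies the points from the Tunnel-Group section and from the comment. Every tunnel-group whose webvpn-attributes use "authentication certificate" or "authentication aaa certificate" needs trustpoints for CallManager.pem, CAPF.pem and Cisco_Manufacturing_CA.pem; the trustpoint named in "ssl trust-point ... outside" must exist; and the default group-policy of each tunnel-group must allow ssl-client. The sample configuration is constructed from the commands on this page; the trustpoint name ASA-SELF and the URL https://vpn.example.invalid/phone are placeholders for values the page leaves out, and the sample deliberately omits the Cisco_Manufacturing_CA.pem trustpoint so the checker has something to report.

```python
import re

# The three CUCM certificates the comment says the ASA must trust when
# phones authenticate by certificate (trustpoint names as used in the page).
REQUIRED_CUCM_TRUSTPOINTS = ("CallManager.pem", "CAPF.pem", "Cisco_Manufacturing_CA.pem")


def parse_blocks(config):
    """Split an ASA config into {top-level command: [sub-commands]}.
    'show running-config' output indents sub-mode lines by one space;
    unindented lines start a new block; '!' lines are comments."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def check_phone_vpn(config):
    """Return a list of finding strings; an empty list means all checks passed."""
    blocks = parse_blocks(config)
    findings = []
    trustpoints = set()
    for cmd in blocks:
        m = re.match(r"crypto ca trustpoint (\S+)$", cmd)
        if m:
            trustpoints.add(m.group(1))

    # 1. The trustpoint bound to the outside interface must be configured.
    for cmd in blocks:
        m = re.match(r"ssl trust-point (\S+) outside$", cmd)
        if m and m.group(1) not in trustpoints:
            findings.append(f"ssl trust-point {m.group(1)} on outside is not a configured trustpoint")

    # 2. Tunnel-groups authenticating phones by certificate need all three
    #    CUCM trustpoints, otherwise the phone reports "authentication failed".
    cert_groups = []
    for cmd, subs in blocks.items():
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", cmd)
        if m and any(s in ("authentication certificate", "authentication aaa certificate") for s in subs):
            cert_groups.append(m.group(1))
    if cert_groups:
        for tp in REQUIRED_CUCM_TRUSTPOINTS:
            if tp not in trustpoints:
                findings.append(f"{', '.join(cert_groups)}: certificate authentication but trustpoint {tp} is missing")

    # 3. The phone is an AnyConnect (SSL) client, so the default group-policy
    #    of each tunnel-group must list ssl-client in vpn-tunnel-protocol.
    for cmd, subs in blocks.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", cmd)
        if not m:
            continue
        for s in subs:
            gp = re.match(r"default-group-policy (\S+)$", s)
            if gp:
                attrs = blocks.get(f"group-policy {gp.group(1)} attributes", [])
                protos = [a for a in attrs if a.startswith("vpn-tunnel-protocol")]
                if not any("ssl-client" in p.split() for p in protos):
                    findings.append(f"{m.group(1)}: group-policy {gp.group(1)} does not allow ssl-client")
    return findings


# Constructed sample built from the commands on this page.  ASA-SELF and the
# group-url are placeholders; the Cisco_Manufacturing_CA.pem trustpoint is
# intentionally left out so the checker reports it.
SAMPLE_CONFIG = """\
crypto ca trustpoint ASA-SELF
 enrollment self
crypto ca trustpoint CallManager.pem
 enrollment terminal
crypto ca trustpoint CAPF.pem
 enrollment terminal
ssl trust-point ASA-SELF outside
group-policy GroupPhoneWebvpn internal
group-policy GroupPhoneWebvpn attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 address-pools value Webvpn_POOL
tunnel-group CertOnlyTunnelGroup type remote-access
tunnel-group CertOnlyTunnelGroup general-attributes
 default-group-policy GroupPhoneWebvpn
tunnel-group CertOnlyTunnelGroup webvpn-attributes
 authentication certificate
 group-url https://vpn.example.invalid/phone enable
"""

if __name__ == "__main__":
    for finding in check_phone_vpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config before enabling the VPN feature on the phones; the missing-trustpoint finding is the condition the comment describes.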