Cisco Asdm 7 User Guide
16-19 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 16 Using the Cisco Unified Communication Wizard Configuring the UC-IME by using the Unified Communication Wizard

Step 1: To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communications servers.

Or, to configure the Cisco Intercompany Media Engine Proxy as part of an off-path deployment, complete the following steps:

  a. From the Listening Interface drop-down list, choose the interface on which the ASA listens for the mapping requests.
  b. In the Port field, enter a number between 1024 and 65535 as the TCP port on which the ASA listens for the mapping requests. The port number must be 1024 or higher to avoid conflicts with other services on the device, such as Telnet or SSH. By default, the port number is TCP 8060.
  c. From the UC-IME Interface drop-down list, choose the interface that the ASA uses to connect to the remote ASA that is enabled with the Cisco Intercompany Media Engine Proxy.

Note: In both a basic and an off-path deployment, all Cisco Unified Communications servers must be on the same interface.

Step 2: In the Unified CM Servers area, the wizard displays the private IP address, public IP address, and security mode of any Cisco Unified Communications server configured on the ASA. If necessary, click Add to add a Cisco Unified Communications server. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine that has a SIP trunk enabled.

Step 3: In the Ticket Epoch field, enter an integer from 1 to 255. The epoch indicates the number of times that the password has changed. When the proxy is configured for the first time and a password is entered for the first time, enter 1 for the epoch integer. Each time you change the password, increment the epoch to indicate the new password. You must increment the epoch value each time you change the password.
Typically, you increment the epoch sequentially; however, the security appliance allows you to choose any value when you update the epoch. If you change the epoch value, the current password is invalidated and you must enter a new password.

Step 4: In the Ticket Password field, enter a minimum of 10 and a maximum of 64 printable characters from the US-ASCII character set. The allowed characters include 0x21 to 0x73 inclusive, and exclude the space character. The ticket password is stored in flash.

Note: We recommend a password of at least 20 characters. Only one password can be configured at a time. The epoch and password that you configure on the ASA must match the epoch and password configured on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.

Step 5: In the Confirm Password field, reenter the password.

Step 6: In the X.509 Subject Name field, enter the distinguished name (DN) of the local enterprise. The name that you enter must match the name configured for the Cisco Unified Communications servers in the cluster. See the Cisco Unified Communications server documentation for information.

Step 7: Click Next.
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy

You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine Proxy that has a SIP trunk enabled.

Step 1: Enter the private IP address and port number (in the range 5000-6000) for the Cisco UCM server.

Step 2: In the Address Translation area, enter the public IP address for the Cisco UCM server.

Step 3: If necessary, enter the port number for the public IP address by clicking the Translate address and port radio button and entering a number (in the range 5000-6000) in the Port field.

Step 4: In the Security Mode area, click the Secure or Non-secure radio button. Specifying secure for a Cisco UCM or Cisco UCM cluster indicates that the Cisco UCM or Cisco UCM cluster initiates TLS. If you specify that some of the Cisco UCM servers are operating in secure mode, the Unified Communications Wizard includes a step in the proxy configuration to generate certificates for the local-side communication between the ASA and that Cisco UCM server. See Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy, page 16-21.

Step 5: Click OK.

Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy

The public network configuration depends on the deployment scenario you selected in the topology step of this wizard. Specifically, when you are configuring the UC-IME proxy as part of an off-path deployment, this step of the wizard displays fields for address translation, requiring that you specify the private IP address for the UC-IME proxy. Specifying this private IP address translates IP addresses for inbound traffic.
In an off-path deployment, the existing ASAs that you have deployed in your environment are not capable of transmitting Cisco Intercompany Media Engine traffic. Therefore, off-path signaling requires that outside addresses translate to an inside (private) IP address. The inside interface address can be used for this mapping service configuration. For the Cisco Intercompany Media Engine Proxy, the ASA creates dynamic mappings from external addresses to the internal IP address.

The values that you specify on this page generate the following configuration settings for the Cisco Intercompany Media Engine Proxy:

  Static PAT for the Cisco Unified Communications servers
  ACLs for traffic between the local and the remote servers

Step 1: In the Configure public network area, choose an interface from the Interface drop-down list.

Step 2: When configuring an off-path deployment, in the Address Translation area, specify whether to use the private IP address for the public network. Or, click the Specify IP address radio button and enter an IP address in the field.

Step 3: Click Next.
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy

Completing this step of the wizard generates a self-signed certificate for the ASA. The server proxy certificate is automatically generated using the subject name provided in an earlier step of this wizard. The wizard supports using self-signed certificates only. A trusted relationship between the ASA and the Cisco UMA server can be established with self-signed certificates. The certificates are used by the security appliance and the Cisco UCMs to authenticate each other during TLS handshakes. The ASA's identity certificate is exported and then needs to be installed on each Cisco Unified Communications Manager (UCM) server in the cluster with the proxy, and each identity certificate from the Cisco UCMs needs to be installed on the security appliance.

This step in the Unified Communications Wizard only appears when the UC-IME proxy that you are creating has at least one secure Cisco Unified Communications Manager server defined. See Configuring the Topology for the Cisco Intercompany Media Engine Proxy, page 16-17 for information.

Step 1: In the ASA's Identity Certificate area, click Generate and Export ASA's Identity Certificate. An information dialog box appears indicating that the enrollment succeeded. In the Enrollment Status dialog box, click OK. The Export certificate dialog box appears.

Note: If an identity certificate for the ASA has already been created, the button in this area appears as Export ASA's Identity Certificate and the Export certificate dialog box immediately appears. When using the wizard to configure the Cisco Intercompany Media Engine Proxy, the wizard only supports installing self-signed certificates.
Step 2: Export the identity certificate generated by the wizard for the ASA. See Exporting an Identity Certificate, page 16-23.

Step 3: In the Local Unified CM's Certificate area, click Install Local Unified CM's Certificate. The Install Certificate dialog box appears.

Step 4: Locate the file containing the certificate from the Cisco Unified Communications Manager server, or paste the certificate details in the dialog box. See Installing a Certificate, page 16-23. You must install the certificate from each Cisco Unified Communications Manager server in the cluster.

Step 5: Click Next.

Note: See the Cisco Intercompany Media Engine server documentation for information on how to export the certificate for this server.
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy

Establishing a trust relationship across enterprises or across administrative domains is key. Across enterprises you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco Unified Communications Manager server (certificate impersonation). For the TLS handshake, the two entities can validate the peer certificate via a certificate chain to trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA as the TLS proxy must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that enterprise, the entity and the ASA can authenticate each other via a local CA, or by using self-signed certificates.

To establish a trusted relationship between the ASA and the remote entity, the ASA can enroll with the CA on behalf of the local enterprise. In the enrollment request, the local Cisco UCM identity (domain name) is used. To establish the trust relationship, the ASA enrolls with the third-party CA by using the Cisco Unified Communications Manager server FQDN as if the security appliance were the Cisco UCM.

Note: If the ASA already has a signed identity certificate, you can skip Step 1 in this procedure and proceed directly to Step 3.

Step 1: In the ASA's Identity Certificate area, click Generate CSR. The CSR Parameters dialog box appears. For information about specifying additional parameters for the certificate signing request (CSR), see Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy, page 16-24. Information dialog boxes appear indicating that the wizard is delivering the settings to the ASA and retrieving the certificate key pair information.
The Identity Certificate Request dialog box appears. For information about saving the CSR that was generated and submitting it to a CA, see Saving the Identity Certificate Request, page 16-25.

Step 2: In the ASA's Identity Certificate area, click Install ASA's Identity Certificate. See Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers, page 16-26.

Step 3: In the Remote Server's CA's Certificate area, click Install Remote Server's CA's Certificate. Installing the root certificates of the CA for the remote servers is necessary so that the ASA can determine that the remote servers are trusted. The Install Certificate dialog box appears. Install the certificate. See Installing a Certificate, page 16-23.

Note: You must install the root certificates only when the root certificates for the remote servers are received from a CA other than the one that provided the identity certificate for the ASA.

Step 4: Click Next. The wizard completes by displaying a summary of the configuration created for the Cisco Intercompany Media Engine.
Working with Certificates in the Unified Communication Wizard

This section includes the following topics:

  Exporting an Identity Certificate, page 16-23
  Installing a Certificate, page 16-23
  Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy, page 16-24
  Saving the Identity Certificate Request, page 16-25
  Installing the ASA Identity Certificate on the Mobility Advantage Server, page 16-26
  Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers, page 16-26

Exporting an Identity Certificate

The Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, and Cisco Intercompany Media Engine Proxy require that you export the ASA identity certificate to install on the Cisco Mobility Advantage server, Cisco Presence Federation server, and Cisco Unified Communications server, respectively. You use the wizard to export a self-signed identity certificate. The identity certificate has all associated keys and is in PKCS12 format, which is the public key cryptography standard.

When configuring a Unified Communications proxy by using the wizard, you click the Generate and Export ASA's Identity Certificate button while in the local-side or server-side certificate management step of the wizard. The Export certificate dialog box appears. From the Export certificate dialog box, perform these steps:

Step 1: Enter the name of the PKCS12 format file to use in exporting the certificate configuration. Alternatively, click Browse to display the Export ID Certificate File dialog box to find the file to which you want to export the certificate configuration.

Step 2: Click Export Certificate to export the certificate configuration.
An information dialog box appears informing you that the certificate configuration file has been successfully exported to the location that you specified.

To complete the configuration of the Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy, you must import the generated ASA identity certificate into the Cisco Mobility Advantage server, Cisco Presence Federation server, or Cisco Unified Communications server, respectively, depending on which proxy you are configuring. See the documentation for each of these products for information about importing an identity certificate into each.

Installing a Certificate

When configuring certificates for the Phone Proxy, Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, and Cisco Intercompany Media Engine Proxy, you must install on the ASA the certificates from the Cisco Unified Communications Manager servers, the Cisco Mobility Advantage server, the Cisco Presence Federation server, and the Cisco Unified Communications Manager servers, respectively. See the documentation for each of these products for information about obtaining the identity certificates from each.

When configuring the Cisco Phone Proxy, if LSC provisioning is required or you have LSC-enabled IP phones, you must install the CAPF certificate from the Cisco UCM on the ASA. If the Cisco UCM has more than one CAPF certificate, you must import all of them to the ASA. See Enabling Certificate Authority Proxy Function (CAPF) for IP Phones, page 16-8.

Additionally, when configuring the Cisco Mobility Advantage Proxy, you use the Install Certificate dialog box to install the root certificate received from the certificate authority. The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the ASA to authenticate your signed identity certificate received from the certificate authority.

Note: When using the wizard to configure the Unified Communications proxies, the wizard only supports installing self-signed certificates.

From the Install Certificate dialog box, perform these steps:

Step 1: Perform one of the following actions:

  To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
  To enroll manually, click the Paste certificate in PEM format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 2: Click Install Certificate. An information dialog box appears informing you that the certificate was installed on the ASA successfully.
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy

When configuring certificates for the Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, or Cisco Intercompany Media Engine Proxy, you must generate an identity certificate request for the ASA.

Note: If the ASA already has a signed identity certificate, you do not need to generate a CSR and can proceed directly to installing this certificate on the ASA. See Installing the ASA Identity Certificate on the Mobility Advantage Server, page 16-26 and Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers, page 16-26 for the steps to install the identity certificate.

The identity certificate that you receive is presented to the following entities for each of the Unified Communication Proxies:

  Unified Mobile Communicator clients for the Cisco Mobility Advantage Proxy
  Remote Presence Federation servers for the Cisco Presence Federation Proxy
  The remote ASA for the Cisco Intercompany Media Engine Proxy

Before generating the CSR, you can enter additional parameters. When configuring a Unified Communications proxy by using the wizard, you click the Generate CSR button while in the client-side or remote-side certificate management step of the wizard. The CSR Parameters dialog box appears. In the CSR Parameters dialog box, perform the following steps:

Step 1: From the Key Pair Size drop-down list, choose the size required for your certificate. The key size that you select depends on the level of security that you want to configure and on any limitations imposed by the CA from which you are obtaining the certificate. The larger the number that you select, the higher the security level will be for the certificate. Most CAs recommend 2048 for the key modulus size; however, GoDaddy requires a key modulus size of 2048.

Step 2: (Cisco Intercompany Media Engine Proxy only) In the CN field, enter the domain name used by your enterprise or network. The subject DN you configure for the Cisco Intercompany Media Engine Proxy must match the domain name that is set in the local Cisco Unified Communications Manager server.

Note: For the Cisco Mobility Advantage Proxy and Cisco Presence Federation Proxy, the wizard provides the common name (CN), which is the FQDN of the Cisco Mobility Advantage server or Cisco Unified Presence server, respectively.

Step 3: In the Additional DN Attributes field, enter an attribute. Or, click Select to display the Additional DN Attributes dialog box.

  a. In the Additional DN Attributes dialog box, choose an attribute from the drop-down list.
  b. Enter a value for the attribute.
  c. Click Add. The attribute appears in the list.
  d. Click OK to return to the CSR Parameters dialog box. The value you added appears in the Additional DN Attributes field in the CSR Parameters dialog box.

Step 4: Click OK.

Saving the Identity Certificate Request

After successfully generating the identity certificate request for one of the Unified Communications proxies, the Identity Certificate Request dialog box appears and prompts you to save the request.

Step 1: In the Save CSR to File field, enter the CSR file name and path; for example, c:\asa-csr.txt.

Step 2: Click OK. An information dialog box appears indicating the CSR was saved successfully.

Step 3: Click OK to close the dialog box and return to the wizard.
Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website. When the CA returns the signed identity certificate, rerun the Unified Communications Wizard. From the client-side or remote-side certificate management step of the wizard, click Install ASA's Identity Certificate. See Installing the ASA Identity Certificate on the Mobility Advantage Server, page 16-26 and Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers, page 16-26 for the steps to install the identity certificate.

Installing the ASA Identity Certificate on the Mobility Advantage Server

When configuring certificates for the Cisco Mobility Advantage Proxy, you must install the ASA identity certificate on the Cisco Mobility Advantage server.

Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority's certificate (referred to as the root certificate). However, some certificate authorities (for example, VeriSign) might also send you an intermediate certificate. The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the ASA to authenticate your signed identity certificate received from the certificate authority.

If the certificate authority provided an intermediate certificate, you must enter the certificate text in the Intermediate Certificate (If Applicable) area of the Install ASA's Identity Certificate dialog box. For the Cisco Mobility Advantage Proxy, you install the root certificate in another dialog box. See Installing a Certificate, page 16-23 for the steps to install the root certificate.
Step 1: In the Intermediate Certificate (If Applicable) area, perform one of the following actions:

  To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
  To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 2: In the ASA's Identity Certificate area, perform one of the following actions:

  To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
  To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 3: Click Install Certificate.

Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers

When configuring certificates for the Cisco Presence Federation Proxy and Cisco Intercompany Media Engine Proxy, you must install the ASA identity certificate and the root certificate on the Cisco Presence Federation server and Cisco Intercompany Media Engine server, respectively.
Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority's certificate (referred to as the root certificate). The root certificate from the certificate authority is used to sign other certificates. The root certificate is used by the ASA to authenticate your signed identity certificate received from the certificate authority.

Step 1: In the Root CA's Certificate area, perform one of the following actions:

  To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
  To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 2: In the ASA's Identity Certificate area, perform one of the following actions:

  To add a certificate configuration from an existing file, click the Install from a file radio button (this is the default setting). Enter the path and file name, or click Browse to search for the file. Then click Install Certificate.
  To enroll manually, click the Paste the certificate data in base-64 format radio button. Copy and paste the PEM format (base64 or hexadecimal) certificate into the area provided.

Step 3: Click Install Certificate.