Cisco Asdm 7 User Guide

    Cisco ASA Series Firewall ASDM Configuration Guide
    Chapter 17  Configuring the Cisco Phone Proxy
    This chapter describes how to configure the ASA for the Cisco Phone Proxy feature.
    This chapter includes the following sections:
    - Information About the Cisco Phone Proxy, page 17-1
    - Licensing Requirements for the Phone Proxy, page 17-4
    - Prerequisites for the Phone Proxy, page 17-6
    - Phone Proxy Guidelines and Limitations, page 17-12
    - Configuring the Phone Proxy, page 17-14
    - Feature History for the Phone Proxy, page 17-22
    Information About the Cisco Phone Proxy
    The Cisco Phone Proxy on the ASA bridges IP telephony between the corporate IP telephony network 
    and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be 
    encrypted. 
    Phone Proxy Functionality
    Telecommuters can connect their IP phones to the corporate IP telephony network over the Internet 
    securely via the phone proxy without the need to connect over a VPN tunnel as illustrated by 
    Figure 17-1.  
    						
    							 
    Figure 17-1 Phone Proxy Secure Deployment 
    The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode. Regardless of the 
    cluster mode, the remote phones that are capable of encryption are always forced to be in encrypted 
    mode. TLS (signaling) and SRTP (media) are always terminated on the ASA. The ASA can also perform 
    NAT, open pinholes for the media, and apply inspection policies for the SCCP and SIP protocols. In a 
    nonsecure cluster mode or a mixed mode where the phones are configured as nonsecure, the phone proxy 
    behaves in the following ways:
    - The TLS connections from the phones are terminated on the ASA and a TCP connection is initiated
      to the Cisco UCM.
    - SRTP sent from external IP phones to the internal network IP phone via the ASA is converted to
      RTP.
    - In a mixed mode cluster where the internal IP phones are configured as authenticated, the TLS
      connection is not converted to TCP to the Cisco UCM but the SRTP is converted to RTP.
    - In a mixed mode cluster where the internal IP phone is configured as encrypted, the TLS connection
      remains a TLS connection to the Cisco UCM and the SRTP from the remote phone remains SRTP to the
      internal IP phone.
    Since the main purpose of the phone proxy is to make the phone behave securely while making calls to 
    a nonsecure cluster, the phone proxy performs the following major functions:
    - Creates the certificate trust list (CTL) file, which is used to perform certificate-based authentication
      with remote phones.
    - Modifies the IP phone configuration file when it is requested via TFTP, changes security fields from
      nonsecure to secure, and signs all files sent to the phone. These modifications secure remote phones
      by forcing the phones to perform encrypted signaling and media.
    - Terminates TLS signaling from the phone and initiates TCP or TLS to the Cisco UCM.
    - Inserts itself into the media path by modifying the Skinny and SIP signaling messages.
    - Terminates SRTP and initiates RTP/SRTP to the called party.
    [Figure 17-1 Phone Proxy Secure Deployment: remote IP phones behind home routers with NAT reach the
    ASA over the Internet (untrusted / outside / secured) using TLS/SRTP (encrypted signaling); the ASA
    forwards to the internal IP phones on the enterprise network (trusted / inside / unsecured) using
    TCP/RTP (unencrypted signaling).]
    						
    							 
    Note: As an alternative to authenticating remote IP phones through the TLS handshake, you can configure
    authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP
    phone user, and each user enters the password on the remote IP phone to retrieve the LSC.
    Because using LSC provisioning to authenticate remote IP phones requires that the IP phones first register
    in nonsecure mode, Cisco recommends that LSC provisioning be done inside the corporate network before
    giving the IP phones to end users. Otherwise, having the IP phones register in nonsecure mode requires
    the administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.
    See also the Cisco Unified Communications Manager Security Guide for information on using the
    Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).
    Supported Cisco UCM and IP Phones for the Phone Proxy
    Cisco Unified Communications Manager
    The following releases of the Cisco Unified Communications Manager are supported with the phone
    proxy:
    - Cisco Unified CallManager Version 4.x
    - Cisco Unified CallManager Version 5.0
    - Cisco Unified CallManager Version 5.1
    - Cisco Unified Communications Manager 6.1
    - Cisco Unified Communications Manager 7.0
    - Cisco Unified Communications Manager 8.0
    Cisco Unified IP Phones
    The phone proxy supports these IP phone features:
    - Enterprise features like conference calls on remote phones connected through the phone proxy
    - XML services
    The following IP phones in the Cisco Unified IP Phones 7900 Series are supported with the phone proxy:
    - Cisco Unified IP Phone 7975
    - Cisco Unified IP Phone 7971
    - Cisco Unified IP Phone 7970
    - Cisco Unified IP Phone 7965
    - Cisco Unified IP Phone 7962
    - Cisco Unified IP Phone 7961
    - Cisco Unified IP Phone 7961G-GE
    - Cisco Unified IP Phone 7960 (SCCP protocol support only)
    - Cisco Unified IP Phone 7945
    - Cisco Unified IP Phone 7942
    - Cisco Unified IP Phone 7941
    						
    							 
    - Cisco Unified IP Phone 7941G-GE
    - Cisco Unified IP Phone 7940 (SCCP protocol support only)
    - Cisco Unified Wireless IP Phone 7921
    - Cisco Unified Wireless IP Phone 7925
    Note: To support the Cisco Unified Wireless IP Phone 7925, you must also configure a MIC or LSC on the
    IP phone so that it works properly with the phone proxy.
    - CIPC for softphones (CIPC versions with Authenticated mode only)
    Note: The Cisco IP Communicator is supported with the phone proxy VLAN Traversal in
    authenticated TLS mode. We do not recommend it for remote access because SRTP/TLS is not
    currently supported on the Cisco IP Communicator.
    Note: The ASA supports inspection of traffic from Cisco IP Phones running SCCP protocol version 19 and
    earlier.
    Licensing Requirements for the Phone Proxy
    The Cisco Phone Proxy feature supported by the ASA requires a Unified Communications Proxy license.
    The following table shows the Unified Communications Proxy license details by platform:
    Note: This feature is not available on No Payload Encryption models.
    Model | License Requirement (1)
    ASA 5505 | Base License and Security Plus License: 2 sessions. Optional license: 24 sessions.
    ASA 5510 | Base License and Security Plus License: 2 sessions. Optional licenses: 24, 50, or 100 sessions.
    ASA 5520 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
    ASA 5540 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
    ASA 5550 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
    ASA 5580 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)
    						
    							 
    ASA 5512-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
    ASA 5515-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
    ASA 5525-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
    ASA 5545-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
    ASA 5555-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
    ASA 5585-X with SSP-10 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
    ASA 5585-X with SSP-20, -40, or -60 | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)
    ASA SM | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)
    1. The following applications use TLS proxy sessions for their connections. Each TLS proxy session used by these applications (and only these applications) 
    is counted against the UC license limit:
    - Phone Proxy
    - Presence Federation Proxy
    - Encrypted Voice Inspection
    Other applications that use TLS proxy sessions do not count towards the UC limit, for example, Mobility Advantage Proxy (which does not require a 
    license) and IME (which requires a separate IME license).
    Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified 
    Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
    You independently set the TLS proxy limit using the Configuration > Firewall > Unified Communications > TLS Proxy pane. When you apply a UC 
    license that is higher than the default TLS proxy limit, the security appliance automatically sets the TLS proxy limit to match the UC limit. The TLS proxy 
    limit takes precedence over the UC license limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions in 
    your UC license.
    Note: For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are limited to 1000. For license part numbers 
    ending in “K9” (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to 
    whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.
    Note: If you clear the configuration, then the TLS proxy limit is set to the default for your model; if this default is lower than the UC license limit, then 
    you see an error message to use the  to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover and use File > Save Running 
    Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear configure all command is generated on the 
    secondary unit automatically, so you may see the warning message on the secondary unit. Because the configuration synchronization restores the TLS 
    proxy limit set on the primary unit, you can ignore the warning.
    You might also use SRTP encryption sessions for your connections:
    - For K8 licenses, SRTP sessions are limited to 250.
    - For K9 licenses, there is no limit.
    Note: Only calls that require encryption/decryption for media are counted towards the SRTP limit; if passthrough is set for the call, even if both legs are 
    SRTP, they do not count towards the limit.
    2. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.
    For more information about licensing, see Chapter 5, “Managing Feature Licenses for Cisco ASA 
    Version 7.1.” in the general operations configuration guide.
    Prerequisites for the Phone Proxy
    This section contains the following topics:
    - Media Termination Instance Prerequisites, page 17-6
    - Certificates from the Cisco UCM, page 17-7
    - DNS Lookup Prerequisites, page 17-7
    - Cisco Unified Communications Manager Prerequisites, page 17-7
    - ACL Rules, page 17-7
    - NAT and PAT Prerequisites, page 17-8
    - Prerequisites for IP Phones on Multiple Interfaces, page 17-9
    - 7960 and 7940 IP Phones Support, page 17-9
    - Cisco IP Communicator Prerequisites, page 17-10
    - Prerequisites for Rate Limiting TFTP Requests, page 17-10
    - End-User Phone Provisioning, page 17-11
    Media Termination Instance Prerequisites
    The ASA must have a media termination instance that meets the following criteria:
    - You must configure one media termination for each phone proxy on the ASA. Multiple media
      termination instances on the ASA are not supported.
    - For the media termination instance, you can configure a global media-termination address for all
      interfaces or configure a media-termination address for different interfaces. However, you cannot
      use a global media-termination address and media-termination addresses configured for each
      interface at the same time.
    - If you configure a media termination address for multiple interfaces, you must configure an address
      on each interface that the ASA uses when communicating with IP phones.
      For example, if you had three interfaces on the ASA (one internal interface and two external
      interfaces) and only one of the external interfaces were used to communicate with IP phones, you
      would configure two media termination addresses: one on the internal interface and one on the
      external interface that communicated with the IP phones.
    - Only one media-termination address can be configured per interface.
    - The IP addresses are publicly routable addresses that are unused IP addresses within the address
      range on that interface.
    - The IP address on an interface cannot be the same address as that interface on the ASA.
    - The IP addresses cannot overlap with existing static NAT pools or NAT rules.
    - The IP addresses cannot be the same as the Cisco UCM or TFTP server IP address.
    						
    							 
    - For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or
      gateway, add routes to the media termination address on the ASA interface that the IP phones
      communicate with so that the phone can reach the media termination address.
    Certificates from the Cisco UCM
    Import the following certificates, which are stored on the Cisco UCM. These certificates are required by
    the ASA for the phone proxy.
    - Cisco_Manufacturing_CA
    - CAP-RTP-001
    - CAP-RTP-002
    - CAPF certificate (Optional)
      If LSC provisioning is required or you have LSC-enabled IP phones, you must import the CAPF
      certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must import
      all of them to the ASA.
    Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified
    Communications Manager configuration guide for information.
    For example, the CA Manufacturer certificate is required by the phone proxy to validate the IP phone
    certificate.
    DNS Lookup Prerequisites
    - If you have a fully qualified domain name (FQDN) configured for the Cisco UCM rather than an
      IP address, you must configure and enable DNS lookup on the ASA.
    - After configuring the DNS lookup, make sure that the ASA can ping the Cisco UCM with the
      configured FQDN.
    - You must configure DNS lookup when you have a CAPF service enabled and the Cisco UCM is not
      running on the Publisher but the Publisher is configured with an FQDN instead of an IP address.
    Cisco Unified Communications Manager Prerequisites
    - The TFTP server must reside on the same interface as the Cisco UCM.
    - The Cisco UCM can be on a private network on the inside but you need to have a static mapping for
      the Cisco UCM on the ASA to a public routable address.
    - If NAT is required for Cisco UCM, it must be configured on the ASA, not on the existing firewall.
    ACL Rules
    - If the phone proxy is deployed behind an existing firewall, access-list rules to permit signaling, TFTP
      requests, and media traffic to the phone proxy must be configured.
    						
    							 
    - If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be used
      in the ACLs.
    Table 17-1 lists the ports that are required to be configured on the existing firewall:
    Note: All these ports are configurable on the Cisco UCM, except for TFTP. These are the default
    values and should be modified if they are modified on the Cisco UCM. For example, 3804 is the
    default port for the CAPF Service. This default value should be modified if it is modified on the
    Cisco UCM.
    NAT and PAT Prerequisites
    NAT Prerequisites
    - If NAT is configured for the TFTP server, the NAT configuration must be configured prior to
      configuring the TFTP Server for the phone proxy.
    - If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be
      used in the ACLs.
    PAT Prerequisites
    - When the Skinny inspection global port is configured to use a non-default port, then you must
      configure the nonsecure port as global_sccp_port+443.
      Therefore, if global_sccp_port is 7000, then the global secure SCCP port is 7443. Reconfiguring the
      port might be necessary when the phone proxy deployment has more than one Cisco UCM and they
      must share the interface IP address or a global IP address.
    Note: Both PAT configurations—for the nonsecure and secure ports—must be configured.
    - When the IP phones must contact the CAPF on the Cisco UCM and the Cisco UCM is configured
      with static PAT (LSC provisioning is required), you must configure static PAT for the default CAPF
      port 3804.
    Table 17-1 Port Configuration Requirements
    Address | Port | Protocol | Description
    Media Termination | 1024-65535 | UDP | Allow incoming SRTP
    TFTP Server | 69 | UDP | Allow incoming TFTP
    Cisco UCM | 2443 | TCP | Allow incoming secure SCCP
    Cisco UCM | 5061 | TCP | Allow incoming secure SIP
    CAPF Service (on Cisco UCM) | 3804 | TCP | Allow CAPF service for LSC provisioning
    						
    							 
    Prerequisites for IP Phones on Multiple Interfaces
    When IP phones reside on multiple interfaces, the phone proxy configuration must have the correct IP
    address set for the Cisco UCM in the CTL file.
    See the following example topology for information about how to correctly set the IP address:
    phones --- (dmz)-----|
                         |----- ASA PP --- (outside Internet) --- phones
    phones --- (inside)--|
    In this example topology, the following IP addresses are set:
    - Cisco UCM on the inside interface is set to 10.0.0.5
    - The DMZ network is 192.168.1.0/24
    - The inside network is 10.0.0.0/24
    The Cisco UCM is mapped with different global IP addresses from DMZ > outside and inside interfaces
    > outside interface.
    In the CTL file, the Cisco UCM must have two entries because of the two different IP addresses. For
    example, if the static statements for the Cisco UCM are as follows:
    object network obj-10.0.0.5-01
     host 10.0.0.5
     nat (inside,outside) static 209.165.202.129
    object network obj-10.0.0.5-02
     host 10.0.0.5
     nat (inside,dmz) static 192.168.1.2
    There must be two CTL file record entries for the Cisco UCM:
    record-entry cucm trustpoint cucm_in_to_out address 209.165.202.129
    record-entry cucm trustpoint cucm_in_to_dmz address 192.168.1.2
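As an added example (not from the Cisco guide), this Python script derives the CTL record entries for the Cisco UCM from object NAT static statements like the ones above, and reports a mapped address that does not lie in the phone-facing interface's subnet or a phone-facing interface with no entry at all, since a phone on that interface would not find its Cisco UCM in the CTL file. The config text is constructed, and the trustpoint naming cucm_<real>_to_<mapped> is an assumption for the demonstration (the guide uses cucm_in_to_out and cucm_in_to_dmz).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed config mirroring the two object NAT statements in the example above.
STATIC_NAT = """\
object network obj-10.0.0.5-01
 host 10.0.0.5
 nat (inside,outside) static 209.165.202.129
object network obj-10.0.0.5-02
 host 10.0.0.5
 nat (inside,dmz) static 192.168.1.2
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)$")


def parse_static_nat(config: str) -> list:
    """Return (real_ip, real_if, mapped_if, mapped_ip) for every object NAT static rule."""
    rules, real_ip = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if OBJECT_RE.match(line):
            real_ip = None            # new object: its host line has not been seen yet
        elif m := HOST_RE.match(line):
            real_ip = m.group(1)
        elif (m := NAT_RE.match(line)) and real_ip:
            rules.append((real_ip, m.group(1), m.group(2), m.group(3)))
    return rules


def ctl_entries(config: str, ucm_ip: str, phone_ifaces: dict) -> tuple:
    """Return (record-entry lines, problems).  phone_ifaces maps each interface that
    IP phones sit on to its subnet, or None when the subnet is not known.  The
    trustpoint name cucm_<real>_to_<mapped> is an assumption for this demo."""
    entries, problems, covered = [], [], set()
    for real_ip, real_if, mapped_if, mapped_ip in parse_static_nat(config):
        if real_ip != ucm_ip or mapped_if not in phone_ifaces:
            continue                  # not a Cisco UCM mapping toward a phone-facing interface
        subnet = phone_ifaces[mapped_if]
        if subnet and ip_address(mapped_ip) not in ip_network(subnet):
            problems.append(f"{mapped_if}: mapped address {mapped_ip} is outside {subnet}")
            continue
        covered.add(mapped_if)
        entries.append(f"record-entry cucm trustpoint cucm_{real_if}_to_{mapped_if} "
                       f"address {mapped_ip}")
    for iface in phone_ifaces:
        if iface not in covered:
            problems.append(f"{iface}: no CTL record entry for the Cisco UCM on this interface")
    return entries, problems


# Constructed: phones sit on "outside" (subnet not tracked) and on the 192.168.1.0/24 DMZ.
PHONE_IFACES = {"outside": None, "dmz": "192.168.1.0/24"}

if __name__ == "__main__":
    lines, issues = ctl_entries(STATIC_NAT, "10.0.0.5", PHONE_IFACES)
    print("\n".join(lines + issues))
```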
    7960 and 7940 IP Phones Support
    - An LSC must be installed on these IP phones because they do not come pre-installed with a MIC.
      Install the LSC on each phone before using them with the phone proxy to avoid opening the
      nonsecure SCCP port for the IP phones to register in nonsecure mode with the Cisco UCM.
      See the following document for the steps to install an LSC on IP phones:
      http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secucapf.html#wp1093518
    Note: If an IP phone already has an LSC installed on it from a different Cisco UCM cluster, delete the
    LSC from the different cluster and install an LSC from the current Cisco UCM cluster.
    Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco
    Unified Communications Manager configuration guide for information.
    - The CAPF certificate must be imported onto the ASA.
    - The CTL file created on the ASA must be created with a CAPF record-entry.
    						
    							 
    - The phone must be configured to use only the SCCP protocol because the SIP protocol does not
      support encryption on these IP phones.
    - If LSC provisioning is done via the phone proxy, you must add an ACL to allow the IP phones to
      register with the Cisco UCM on the nonsecure port 2000.
    Cisco IP Communicator Prerequisites
    To configure Cisco IP Communicator (CIPC) with the phone proxy, you must meet the following
    prerequisites:
    - Go to Configuration > Firewall > Unified Communications > Phone Proxy and select the “Enable
      CIPC security mode authentication” check box under the Call Manager and Phone Settings area.
    - Create an ACL to allow CIPC to register with the Cisco UCM in nonsecure mode.
    - Configure null-sha1 as one of the SSL encryption ciphers.
    Current versions of Cisco IP Communicator (CIPC) support authenticated mode and perform TLS
    signaling but not voice encryption.
    Because CIPC requires an LSC to perform the TLS handshake, CIPC needs to register with the Cisco
    UCM in nonsecure mode using cleartext signaling. To allow the CIPC to register, create an ACL that
    allows the CIPC to connect to the Cisco UCM on the nonsecure SIP/SCCP signaling ports (5060/2000).
    Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified
    Communications Manager configuration guide for information.
    CIPC uses a different cipher when doing the TLS handshake and requires that the null-sha1 cipher and SSL
    encryption be configured. To add the null-sha1 cipher, use the show run all ssl command to see the output
    for the ssl encryption command and add null-sha1 to the end of the SSL encryption list.
    Note: When used with CIPC, the phone proxy does not support end users resetting their device name in CIPC
    (Preferences > Network tab > Use this Device Name field) or administrators resetting the device name
    in the Cisco Unified CM Administration console (Device menu > Phone Configuration > Device Name
    field). To function with the phone proxy, the CIPC configuration file must be in the format
    SEP.cnf.xml. If the device name does not follow this format (SEP), CIPC
    cannot retrieve its configuration file from the Cisco UCM via the phone proxy and CIPC will not function.
    Prerequisites for Rate Limiting TFTP Requests 
    In a remote access scenario, we recommend that you configure rate limiting of TFTP requests because 
    any IP phone connecting through the Internet is allowed to send TFTP requests to the TFTP server.  
    To configure rate limiting of TFTP requests, configure the police command in the Modular Policy 
    Framework. See the command reference for information about using the police command. 
    Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you 
    configure, thus ensuring that no one traffic flow can take over the entire resource. When traffic exceeds 
    the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic 
    allowed.  
    						