
Cisco Asdm 7 User Guide

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 17  Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Note: If NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance.

Step 4  In the TFTP Server IP Address field, specify the address of the TFTP server. Create the TFTP server using the actual internal IP address.
Step 5  (Optional) In the Port field, specify the port the TFTP server is listening on for TFTP requests. This should be configured if it is not the default TFTP port 69.
Step 6  In the Interface field, specify the interface on which the TFTP server resides. The TFTP server must reside on the same interface as the Cisco Unified Call Manager (CUCM).
Step 7  Click OK to apply the settings.
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy

When IP phones are behind a NAT-capable router, the router can be configured to forward the UDP ports to the IP address of the IP phone. Specifically, configure the router for UDP port forwarding when an IP phone is failing during TFTP requests and the failure is due to the router dropping incoming TFTP data packets. Configure the router to enable UDP port forwarding on port 69 to the IP phone.

As an alternative to explicit UDP forwarding, some Cable/DSL routers require you to designate the IP phone as a DMZ host. For Cable/DSL routers, this host is a special host that receives all incoming connections from the public network.

When configuring the phone proxy, there is no functional difference between an IP phone that has UDP ports explicitly forwarded and an IP phone designated as a DMZ host. The choice is entirely dependent upon the capabilities and preference of the end user.
Configuring Your Router

Your firewall/router needs to be configured to forward a range of UDP ports to the IP phone. This will allow the IP phone to receive audio when you make/receive calls.

Note: Different Cable/DSL routers have different procedures for this configuration. Furthermore, most NAT-capable routers will only allow a given port range to be forwarded to a single IP address.

The configuration of each brand/model of firewall/router is different, but the task is the same. For specific instructions for your brand and model of router, please consult the manufacturer’s website.

Linksys Routers

Step 1  From your web browser, connect to the router administrative web page. For Linksys, this is typically something like http://192.168.1.1.
Step 2  Click Applications & Gaming or the Port Forwarding tab (whichever is present on your router).
Step 3  Locate the table containing the port forwarding data and add an entry containing the values shown in Table 17-2.

Table 17-2 Port Forwarding Values to Add to Router

Application  Start  End    Protocol  IP Address        Enabled
IP phone     1024   65535  UDP       Phone IP address  Checked
TFTP         69     69     UDP       Phone IP address  Checked

Step 4  Click Save Settings. Port forwarding is configured.

Feature History for the Phone Proxy

Table 17-3 lists the release history for this feature.

Table 17-3 Feature History for Cisco Phone Proxy

Feature Name: Cisco Phone Proxy
Releases: 8.0(4)
Feature Information: The phone proxy feature was introduced. The Phone Proxy feature was accessible in ASDM by choosing the following options: Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Phone Proxy pane

Feature Name: NAT for the media termination address
Releases: 8.1(2)
Feature Information: The Media Termination fields were removed from the Phone Proxy pane and added to the Media Termination pane: Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Media Termination Address pane

Chapter 18  Configuring the TLS Proxy for Encrypted Voice Inspection

This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature.

This chapter includes the following sections:
Information about the TLS Proxy for Encrypted Voice Inspection, page 18-1
Licensing for the TLS Proxy, page 18-4
Prerequisites for the TLS Proxy for Encrypted Voice Inspection, page 18-6
Configuring the TLS Proxy for Encrypted Voice Inspection, page 18-6
Feature History for the TLS Proxy for Encrypted Voice Inspection, page 18-17
Information about the TLS Proxy for Encrypted Voice Inspection

End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, which can compromise access control and threat prevention security functions. This lack of visibility can result in a lack of interoperability between the firewall functions and the encrypted voice, leaving businesses unable to satisfy both of their key security requirements.

The ASA is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM servers. Typically, the ASA TLS Proxy functionality is deployed in a campus unified communications network. This solution is ideal for deployments that utilize end-to-end encryption and firewalls to protect Unified Communications Manager servers.

The security appliance in Figure 18-1 serves as a proxy for both client and server, with Cisco IP Phone and Cisco UCM interaction.

Figure 18-1 TLS Proxy Flow
[Figure: a TLS handshake between the Cisco IP Phone and the Cisco ASA, in which the ASA answers the phone’s Client Hello with a proxy Server Hello, proxy Server Certificate, proxy Server Key Exchange, Certificate Request and proxy Server Hello Done, and the phone replies with its Client Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec and Finished; a second TLS handshake between the Cisco ASA and the Cisco CallManager in which the ASA sends a proxy Client Hello and presents a proxy Dynamic Client Certificate; Application Data passes through INSPECTION on the ASA between the two legs.]

Decryption and Inspection of Unified Communications Encrypted Signaling

With encrypted voice inspection, the security appliance decrypts, inspects and modifies (as needed, for example, performing NAT fixup), and re-encrypts voice signaling traffic while all of the existing VoIP inspection functions for Skinny and SIP protocols are preserved. Once voice signaling is decrypted, the plaintext signaling message is passed to the existing inspection engines.

The security appliance acts as a TLS proxy between the Cisco IP Phone and Cisco UCM. The proxy is transparent for the voice calls between the phone and the Cisco UCM. Cisco IP Phones download a Certificate Trust List from the Cisco UCM before registration which contains identities (certificates) of the devices that the phone should trust, such as TFTP servers and Cisco UCM servers. To support server proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs. To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority on the security appliance.
TLS proxy is supported by the Cisco Unified CallManager Release 5.1 and later. You should be familiar with the security features of the Cisco UCM. For background and a detailed description of Cisco UCM security, see the Cisco Unified CallManager document:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/5_0/sec_vir/ae/sec504/index.htm

TLS proxy applies to the encryption layer and must be configured with an application layer protocol inspection. You should be familiar with the inspection features on the ASA, especially Skinny and SIP inspection.
    Supported Cisco UCM and IP Phones for the TLS Proxy
    Cisco Unified Communications Manager
The following releases of the Cisco Unified Communications Manager are supported with the TLS proxy:
    Cisco Unified CallManager Version 4.x
    Cisco Unified CallManager Version 5.0
    Cisco Unified CallManager Version 5.1
    Cisco Unified Communications Manager 6.1
    Cisco Unified Communications Manager 7.0
    Cisco Unified Communications Manager 8.0
    Cisco Unified IP Phones
    The following IP phones in the Cisco Unified IP Phones 7900 Series are supported with the TLS proxy:
    Cisco Unified IP Phone 7985
    Cisco Unified IP Phone 7975
    Cisco Unified IP Phone 7971
    Cisco Unified IP Phone 7970
    Cisco Unified IP Phone 7965
    Cisco Unified IP Phone 7962
    Cisco Unified IP Phone 7961
    Cisco Unified IP Phone 7961G-GE
    Cisco Unified IP Phone 7960
    Cisco Unified IP Phone 7945
    Cisco Unified IP Phone 7942
    Cisco Unified IP Phone 7941
    Cisco Unified IP Phone 7941G-GE
    Cisco Unified IP Phone 7940
Cisco Unified Wireless IP Phone 7921
    Cisco Unified Wireless IP Phone 7925 
    Cisco IP Communicator (CIPC) for softphones 
Licensing for the TLS Proxy

The TLS proxy for encrypted voice inspection feature supported by the ASA requires a Unified Communications Proxy license.

The following table shows the Unified Communications Proxy license details by platform:

Note: This feature is not available on No Payload Encryption models.

Model                                License Requirement (1)
ASA 5505                             Base License and Security Plus License: 2 sessions. Optional license: 24 sessions.
ASA 5510                             Base License and Security Plus License: 2 sessions. Optional licenses: 24, 50, or 100 sessions.
ASA 5520                             Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5540                             Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5550                             Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5580                             Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)
ASA 5512-X                           Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X                           Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X                           Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X                           Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5555-X                           Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-10               Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-20, -40, or -60  Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)
ASA SM                               Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. (2)

1. The following applications use TLS proxy sessions for their connections. Each TLS proxy session used by these applications (and only these applications) is counted against the UC license limit:
- Phone Proxy
- Presence Federation Proxy
- Encrypted Voice Inspection
Other applications that use TLS proxy sessions do not count towards the UC limit, for example, Mobility Advantage Proxy (which does not require a license) and IME (which requires a separate IME license).
Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
You independently set the TLS proxy limit using the Configuration > Firewall > Unified Communications > TLS Proxy pane. When you apply a UC license that is higher than the default TLS proxy limit, the security appliance automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions in your UC license.
Note: For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.
Note: If you clear the configuration, then the TLS proxy limit is set to the default for your model; if this default is lower than the UC license limit, then you see an error message instructing you to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover and use File > Save Running Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear configure all command is generated on the secondary unit automatically, so you may see the warning message on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the primary unit, you can ignore the warning.
You might also use SRTP encryption sessions for your connections:
- For K8 licenses, SRTP sessions are limited to 250.
- For K9 licenses, there is no limit.
Note: Only calls that require encryption/decryption for media are counted towards the SRTP limit; if passthrough is set for the call, even if both legs are SRTP, they do not count towards the limit.
2. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Table 18-1 shows the default and maximum TLS session details by platform.

For more information about licensing, see Chapter 5, “Managing Feature Licenses for Cisco ASA Version 7.1,” in the general operations configuration guide.

Table 18-1 Default and Maximum TLS Sessions on the Security Appliance

Security Appliance Platform  Default TLS Sessions  Maximum TLS Sessions
ASA 5505                     10                    80
ASA 5510                     100                   200
ASA 5520                     300                   1200
ASA 5540                     1000                  4500
ASA 5550                     2000                  4500
ASA 5580                     4000                  13,000
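The interplay between the UC license, the independently configured TLS proxy limit, the K8 cap and the model defaults in Table 18-1 is where deployments end up with fewer usable sessions than they paid for. The following Python capacity check is an added example, not Cisco code: it encodes the rules as stated in footnote 1, footnote 2 and Table 18-1 above; the function names, the clamping of a limit above the platform ceiling and the warning texts are this example’s own assumptions.

```python
"""Capacity check: TLS proxy limit versus Unified Communications Proxy license.

Added example, not Cisco code. Session figures come from Table 18-1 and the
licensing footnotes on this page; function names, the clamping behaviour and
the warning texts are this example's own assumptions.
"""
from dataclasses import dataclass, field

# Table 18-1: (default, maximum) TLS sessions per platform.
TLS_SESSIONS = {
    "ASA 5505": (10, 80),
    "ASA 5510": (100, 200),
    "ASA 5520": (300, 1200),
    "ASA 5540": (1000, 4500),
    "ASA 5550": (2000, 4500),
    "ASA 5580": (4000, 13000),
}
K8_TLS_CAP = 1000              # K8 part numbers: TLS proxy sessions limited to 1000
PHONE_PROXY_CAP_AT_10K = 5000  # footnote 2: 10,000-session license, Phone Proxy max 5000


@dataclass
class Capacity:
    tls_proxy_limit: int       # limit the appliance enforces
    usable_uc_sessions: int    # licensed sessions that can actually be consumed
    phones: int                # phones that fit at cucm_per_phone sessions each
    warnings: list = field(default_factory=list)


def plan_capacity(model, uc_license, part_suffix="K9", configured_tls_limit=None,
                  cucm_per_phone=1, application="Encrypted Voice Inspection"):
    """Work out how many licensed UC Proxy sessions are really usable.

    configured_tls_limit=None models an untouched limit: applying a UC license
    above the model default raises the TLS proxy limit to match it. An
    explicitly configured limit is kept, because the TLS proxy limit takes
    precedence over the UC license limit.
    """
    default, platform_max = TLS_SESSIONS[model]
    ceiling = min(platform_max, K8_TLS_CAP) if part_suffix == "K8" else platform_max
    warnings = []

    tls_limit = max(default, uc_license) if configured_tls_limit is None else configured_tls_limit
    if tls_limit > ceiling:  # assumption: a limit above the ceiling is clamped to it
        warnings.append(f"TLS proxy limit {tls_limit} exceeds the {part_suffix} ceiling "
                        f"of {ceiling} on {model}; clamped")
        tls_limit = ceiling

    usable = min(uc_license, tls_limit)
    if usable < uc_license:
        warnings.append(f"only {usable} of {uc_license} licensed UC sessions are usable; "
                        "raise the TLS proxy limit in the TLS Proxy pane")
    if application == "Phone Proxy" and uc_license == 10000:
        usable = min(usable, PHONE_PROXY_CAP_AT_10K)

    # A phone with a primary and a backup CUCM holds 2 TLS proxy connections,
    # so pass cucm_per_phone=2 for that design.
    return Capacity(tls_limit, usable, usable // cucm_per_phone, warnings)


def after_clear_configure(model, uc_license):
    """After the configuration is cleared the TLS proxy limit falls back to the
    model default; return (default, True) if the appliance will warn that the
    default is below the UC license limit."""
    default, _ = TLS_SESSIONS[model]
    return default, default < uc_license
```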
    						
    							 
Prerequisites for the TLS Proxy for Encrypted Voice Inspection

Before configuring TLS proxy, the following prerequisites are required:

You must set the clock on the security appliance before configuring TLS proxy. To set the clock manually and display the clock, use the clock set and show clock commands. We recommend that the security appliance use the same NTP server as the Cisco Unified CallManager cluster. The TLS handshake may fail due to certificate validation failure if the clock is out of sync between the security appliance and the Cisco Unified CallManager server.

A 3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default cipher used by the Cisco Unified CallManager and Cisco IP Phone.

Import the following certificates, which are stored on the Cisco UCM. These certificates are required by the ASA for the phone proxy.
–Cisco_Manufacturing_CA
–CAP-RTP-001
–CAP-RTP-002
–CAPF certificate (Optional)
If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must import all of them to the ASA.

See Chapter 17, “Configuring the Cisco Phone Proxy.” For example, the CA Manufacturer certificate is required by the phone proxy to validate the IP phone certificate.
    Configuring the TLS Proxy for Encrypted Voice Inspection
    This section includes the following topics:
    Configure TLS Proxy Pane, page 18-8
    Adding a TLS Proxy Instance, page 18-9
    Add TLS Proxy Instance Wizard – Server Configuration, page 18-9
    Add TLS Proxy Instance Wizard – Client Configuration, page 18-10
    Add TLS Proxy Instance Wizard – Other Steps, page 18-12
    Edit TLS Proxy Instance – Server Configuration, page 18-13
    Edit TLS Proxy Instance – Client Configuration, page 18-14
CTL Provider

Use the CTL Provider option to configure the Certificate Trust List provider service.

The CTL Provider pane lets you define and configure the Certificate Trust List provider service to enable inspection of encrypted traffic.
Fields
CTL Provider Name—Lists the CTL Provider name.
    Client Details—Lists the name and IP address of the client.
    –Interface Name—Lists the defined interface name.
    –IP Address—Lists the defined interface IP address.
    Certificate Name—Lists the certificate to be exported.
    Add—Adds a CTL Provider.
    Edit—Edits a CTL Provider.
    Delete—Deletes a CTL Provider.
    Add/Edit CTL Provider
    The Add/Edit CTL Provider dialog box lets you define the parameters for the CTL Provider.
    Fields
    CTL Provider Name—Specifies the CTL Provider name.
    Certificate to be Exported—Specifies the certificate to be exported to the client.
    –Certificate Name—Specifies the name of the certificate to be exported to the client. 
    –Manage—Manages identity certificates. 
    Client Details—Specifies the clients allowed to connect.
    –Client to be Added—Specifies the client interface and IP address to add to the client list.
    Interface—Specifies client interface.
    IP Address—Specifies the client IP address.
    Add—Adds the new client to the client list.
    Delete—Deletes the selected client from the client list.
More Options—Specifies the available and active algorithms to be announced or matched during the TLS handshake.
–Parse the CTL file provided by the CTL Client and install trustpoints—Trustpoints installed by this option have names prefixed with “_internal_CTL_.” If disabled, each Call Manager server and CAPF certificate must be manually imported and installed.
–Port Number—Specifies the port on which the CTL provider listens. The port must be the same as the one listened to by the CallManager servers in the cluster (as configured under Enterprise Parameters on the CallManager administration page). The default is 2444.
–Authentication—Specifies the username and password with which the client authenticates to the provider.
Username—Client username.
Password—Client password.
Confirm Password—Client password.
Configure TLS Proxy Pane

Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.

You can configure the TLS Proxy from the Configuration > Firewall > Unified Communications > TLS Proxy pane.

Configuring a TLS Proxy lets you use the TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and enable the ASA for the Cisco Unified Communications features:
TLS Proxy for the Cisco Unified Presence Server (CUPS), part of Presence Federation
TLS Proxy for the Cisco Unified Mobility Advantage (CUMA) server, part of Mobile Advantage
Phone Proxy

Fields
TLS Proxy Name—Lists the TLS Proxy name.
Server Proxy Certificate—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server dynamic certificates.
Client Proxy Certificate—Lists the proxy certificate for the TLS client. The ASA uses the client proxy certificate to authenticate the TLS client during the handshake between the proxy and the TLS client. The certificate can be either self-signed, enrolled with a certificate authority, or issued by a third party.
Add—Adds a TLS Proxy by launching the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance, page 18-9 for the steps to create a TLS Proxy instance.
Edit—Edits a TLS Proxy. The fields in the Edit panel are identical to the fields displayed when you add a TLS Proxy instance. See Edit TLS Proxy Instance – Server Configuration, page 18-13 and Edit TLS Proxy Instance – Client Configuration, page 18-14.
Delete—Deletes a TLS Proxy.
Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
–Specify the maximum number of TLS Proxy sessions that the ASA needs to support.
–Maximum number of sessions—The minimum is 1. The maximum is dependent on the platform:
Cisco ASA 5505 security appliance: 10
Cisco ASA 5510 security appliance: 100
Cisco ASA 5520 security appliance: 300
Cisco ASA 5540 security appliance: 1000
Cisco ASA 5550 security appliance: 2000
Cisco ASA 5580 security appliance: 4000

Note: The maximum number of sessions is global to all TLS proxy sessions.