Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 21      Configuring Cisco Intercompany Media Engine Proxy

Figure 21-7 Example for Configuring NAT for a Deployment
[Figure 21-7: two local Cisco UCMs (192.168.10.30 and 192.168.10.31) sit behind the local ASA in the local enterprise corporate network, with TLS/TCP signaling toward the Internet. Configure NAT: 192.168.10.30 to 209.165.200.227 and 192.168.10.31 to 209.165.200.228. Outside Cisco UCM addresses: 209.165.200.227 and 209.165.200.228.]

To configure static NAT rules for the Cisco UCM server, perform the following steps:

Step 1
Command: hostname(config)# object network name
Examples:
hostname(config)# object network ucm_real_192.168.10.30
hostname(config)# object network ucm_real_192.168.10.31
Purpose: Configures a network object for the real address of the Cisco UCM that you want to translate.

Step 2
Command: hostname(config-network-object)# host ip_address
Examples:
hostname(config-network-object)# host 192.168.10.30
hostname(config-network-object)# host 192.168.10.31
Purpose: Specifies the real IP address of the Cisco UCM host for the network object.

Step 3 (Optional)
Command: hostname(config-network-object)# description string
Example:
hostname(config-network-object)# description "Cisco UCM Real Address"
Purpose: Provides a description of the network object.

Step 4
Command: hostname(config-network-object)# exit
Purpose: Exits from the object configuration mode.

Step 5
Command: hostname(config)# object network name
Example:
hostname(config)# object network ucm_map_209.165.200.228
Purpose: Configures a network object for the mapped address of the Cisco UCM. A static translation is one-to-one, so each Cisco UCM needs its own mapped address; Figure 21-7 uses 209.165.200.227 for 192.168.10.30 and 209.165.200.228 for 192.168.10.31. Repeat Steps 5 through 7 for each mapped address.

Step 6
Command: hostname(config-network-object)# host ip_address
Example:
hostname(config-network-object)# host 209.165.200.228
Purpose: Specifies the mapped IP address of the Cisco UCM host for the network object.

Step 7 (Optional)
Command: hostname(config-network-object)# description string
Example:
hostname(config-network-object)# description "Cisco UCM Mapped Address"
Purpose: Provides a description of the network object.

Step 8
Command: hostname(config-network-object)# exit
Purpose: Exits from the object configuration mode.

Step 9
Command: hostname(config)# nat (inside,outside) source static real_obj mapped_obj
Examples:
hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.30 ucm_map_209.165.200.227
hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.31 ucm_map_209.165.200.228
Purpose: Specifies the address translation on the network objects created in this procedure.
Where real_obj is the name that you created in Step 1 in this task.
Where mapped_obj is the name that you created in Step 5 in this task.
Because a static translation is one-to-one, inbound traffic to a mapped address can reach only one real host; pair each real object with its own mapped object, as in the address pairs of Figure 21-7.

What to Do Next
Create the ACLs for the Cisco Intercompany Media Engine Proxy. See Creating ACLs for Cisco Intercompany Media Engine Proxy, page 21-16.

Configuring PAT for the Cisco UCM Server
Perform this task as an alternative to configuring NAT for the Cisco Intercompany Media Engine Proxy.

Note: You only perform this task when NAT is not configured for the Cisco UCM server.

Figure 21-8 Example for Configuring PAT for a Deployment
[Figure 21-8: one local Cisco UCM (192.168.10.30) sits behind the local ASA in the local enterprise corporate network, with TLS/TCP signaling toward the Internet. Configure PAT: 192.168.10.30:5070 to 209.165.200.228:5570 and 192.168.10.30:5071 to 209.165.200.228:5571. Outside Cisco UCM address: 209.165.200.228.]

To configure PAT for the Cisco UCM server, perform the following steps:

Step 1
Command: hostname(config)# object network name
Example:
hostname(config)# object network ucm-pat-209.165.200.228
Purpose: Configures a network object for the mapped (outside) IP address of the Cisco UCM.

Step 2
Command: hostname(config-network-object)# host ip_address
Example:
hostname(config-network-object)# host 209.165.200.228
Purpose: Specifies the mapped IP address of the Cisco UCM host for the network object.

Step 3
Command: hostname(config-network-object)# exit
Purpose: Exits from the object configuration mode.

Step 4
Command: hostname(config)# object service name
Examples:
hostname(config)# object service tcp_5070
hostname(config)# object service tcp_5071
Purpose: Creates a service object for each real (inside) Cisco Intercompany Media Engine port on the Cisco UCM.

Step 5
Command: hostname(config-service-object)# service tcp source eq port
Examples:
hostname(config-service-object)# service tcp source eq 5070
hostname(config-service-object)# service tcp source eq 5071
Purpose: Specifies the port number.

Step 6
Command: hostname(config-service-object)# exit
Purpose: Exits from the object configuration mode.

Step 7
Command: hostname(config)# object network name
Examples:
hostname(config)# object network ucm-real-192.168.10.30
hostname(config)# object network ucm-real-192.168.10.31
Purpose: Configures a network object to represent the real IP address of the Cisco UCM.

Step 8
Command: hostname(config-network-object)# host ip_address
Examples:
hostname(config-network-object)# host 192.168.10.30
hostname(config-network-object)# host 192.168.10.31
Purpose: Specifies the real IP address of the Cisco UCM host for the network object.

Step 9
Command: hostname(config-network-object)# exit
Purpose: Exits from the object configuration mode.

Step 10
Command: hostname(config)# object service name
Examples:
hostname(config)# object service tcp_5570
hostname(config)# object service tcp_5571
Purpose: Creates a service object for each mapped (outside) port on which the Cisco UCM SIP trunk is reachable.

Step 11
Command: hostname(config-service-object)# service tcp source eq port
Examples:
hostname(config-service-object)# service tcp source eq 5570
hostname(config-service-object)# service tcp source eq 5571
Purpose: Specifies the port number.

Step 12
Command: hostname(config-service-object)# exit
Purpose: Exits from the object configuration mode.

Step 13
Command: hostname(config)# nat (inside,outside) source static real_obj mapped_obj service real_port mapped_port
Examples:
hostname(config)# nat (inside,outside) source static ucm-real-192.168.10.30 ucm-pat-209.165.200.228 service tcp_5070 tcp_5570
hostname(config)# nat (inside,outside) source static ucm-real-192.168.10.31 ucm-pat-209.165.200.228 service tcp_5071 tcp_5571
Purpose: Creates a static mapping for the Cisco UCM. Both rules share the one mapped address and differ only in the port pair, which is what lets two Cisco UCMs sit behind a single outside address. Figure 21-8 shows the single-UCM variant, in which both rules use the real object for 192.168.10.30.
Where real_obj is the name that you created in Step 7 in this task.
Where mapped_obj is the name that you created in Step 1 in this task.
Where real_port is the name that you created in Step 4 in this task.
Where mapped_port is the name that you created in Step 10 in this task.
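The NAT task (Steps 1 through 9, Figure 21-7) and the PAT task (Steps 1 through 13, Figure 21-8) assembled into two complete, mutually exclusive configurations, each followed by the commands that verify it. This is an added example, not configuration text from the original guide. Part A follows the address pairs of Figure 21-7; Part B follows the PAT steps, which place two Cisco UCMs behind one outside address on different ports. The only assumption beyond the tasks is the outside address 203.0.113.10, a made-up remote host used by the packet-tracer checks.

```cisco
! Added example, not from the original guide. Apply Part A OR Part B, never both.
! Assumption: 203.0.113.10 is a made-up remote address for the checks only.

! ---- Part A: one-to-one static NAT (Figure 21-7) ----
object network ucm_real_192.168.10.30
 host 192.168.10.30
 description Cisco UCM real address
object network ucm_real_192.168.10.31
 host 192.168.10.31
 description Cisco UCM real address
object network ucm_map_209.165.200.227
 host 209.165.200.227
 description Cisco UCM mapped address
object network ucm_map_209.165.200.228
 host 209.165.200.228
 description Cisco UCM mapped address
! One static rule per Cisco UCM; each real host gets its own mapped address,
! otherwise inbound traffic to the shared mapped address reaches only one host.
nat (inside,outside) source static ucm_real_192.168.10.30 ucm_map_209.165.200.227
nat (inside,outside) source static ucm_real_192.168.10.31 ucm_map_209.165.200.228

! ---- Part B: static PAT (Figure 21-8), used instead of Part A ----
object network ucm-real-192.168.10.30
 host 192.168.10.30
object network ucm-real-192.168.10.31
 host 192.168.10.31
object network ucm-pat-209.165.200.228
 host 209.165.200.228
! Real (inside) ports of the two SIP trunks
object service tcp_5070
 service tcp source eq 5070
object service tcp_5071
 service tcp source eq 5071
! Mapped (outside) ports on the shared outside address
object service tcp_5570
 service tcp source eq 5570
object service tcp_5571
 service tcp source eq 5571
! 192.168.10.30:5070 is reachable as 209.165.200.228:5570,
! 192.168.10.31:5071 as 209.165.200.228:5571.
nat (inside,outside) source static ucm-real-192.168.10.30 ucm-pat-209.165.200.228 service tcp_5070 tcp_5570
nat (inside,outside) source static ucm-real-192.168.10.31 ucm-pat-209.165.200.228 service tcp_5071 tcp_5571

! ---- Checks ----
show running-config nat
show nat detail
! Part A: the UN-NAT phase should untranslate 209.165.200.227 to 192.168.10.30
packet-tracer input outside tcp 203.0.113.10 1025 209.165.200.227 5070
! Part B: the UN-NAT phase should untranslate 209.165.200.228/5570 to 192.168.10.30/5070
packet-tracer input outside tcp 203.0.113.10 1025 209.165.200.228 5570
```

The packet-tracer output is read phase by phase: the UN-NAT phase confirms the translation you configured. Until the ACLs of the next task exist, the trace may then end in a drop at the access-list phase, which is expected and does not indicate a NAT problem.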
    						
    							 
    Creating ACLs for Cisco Intercompany Media Engine Proxy
    To configure ACLs for the Cisco Intercompany Media Engine Proxy to reach the Cisco UCM server, 
    perform the following steps. 
    The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on 
    page 21-11 for an illustration explaining the example command lines in this task.
Step 1
Command: hostname(config)# access-list id extended permit tcp any host ip_address eq port
Example:
hostname(config)# access-list incoming extended permit tcp any host 192.168.10.30 eq 5070
Purpose: Adds an Access Control Entry (ACE). An ACL is made up of one or more ACEs with the same ACL ID. This ACE provides access control by allowing incoming access for Cisco Intercompany Media Engine connections on the specified port.
In the ip_address argument, provide the real IP address of the Cisco UCM, not its mapped address. The source any admits every Internet host; narrow it to the remote enterprise's address range if that range is known.

Step 2
Command: hostname(config)# access-group access-list in interface interface_name
Example:
hostname(config)# access-group incoming in interface outside
Purpose: Binds the ACL to an interface.

Step 3
Command: hostname(config)# access-list id extended permit tcp any host ip_address eq port
Example:
hostname(config)# access-list ime-inbound-sip extended permit tcp any host 192.168.10.30 eq 5070
Purpose: Adds an ACE. This ACE allows the ASA to pass inbound SIP traffic for Cisco Intercompany Media Engine. This entry is used to classify traffic for the class map and policy map.
Note: The port that you configure here must match the trunk settings configured on Cisco UCM. See the Cisco Unified Communications Manager documentation for information about this configuration setting.

Step 4
Command: hostname(config)# access-list id extended permit tcp ip_address mask any range range
Example:
hostname(config)# access-list ime-outbound-sip extended permit tcp 192.168.10.30 255.255.255.255 any range 5000 6000
Purpose: Adds an ACE. This ACE allows the ASA to pass outbound SIP traffic for Cisco Intercompany Media Engine (in the example, any TCP traffic with source 192.168.10.30 and a destination port between 5000 and 6000). This entry is used to classify traffic for the class map and policy map.
Note: Ensure that TCP traffic between Cisco UCM and the Cisco Intercompany Media Engine server does not use this port range (if that connection goes through the ASA).

Step 5
Command: hostname(config)# access-list id extended permit tcp any host ip_address eq 6084
Example:
hostname(config)# access-list ime-traffic extended permit tcp any host 192.168.10.12 eq 6084
Purpose: Adds an ACE. This ACE allows the ASA to pass the TCP port 6084 traffic that the Cisco Intercompany Media Engine server exchanges with remote Cisco Intercompany Media Engine servers (in the example, the local server is 192.168.10.12).

Step 6
Command: hostname(config)# access-list id extended permit tcp any host ip_address eq 8470
Example:
hostname(config)# access-list ime-bootserver-traffic extended permit tcp any host 192.168.10.12 eq 8470
Purpose: Adds an ACE. This ACE allows the ASA to pass the TCP port 8470 traffic between the Cisco Intercompany Media Engine server and the Bootstrap server for the Cisco Intercompany Media Engine.
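The ACLs of Steps 1 through 6 assembled for the in-line deployment, with two packet-tracer checks: one that should be permitted and one that should hit the implicit deny at the end of the bound ACL. This is an added example, not from the original guide. Assumptions: the NAT alternative is in use with 192.168.10.30 mapped to 209.165.200.227 as in Figure 21-7, the Cisco Intercompany Media Engine server is 192.168.10.12 as in the step examples, and 203.0.113.10 is a made-up remote address for the checks.

```cisco
! Added example, not from the original guide.
! Assumptions: 192.168.10.30 is mapped to 209.165.200.227 (Figure 21-7);
! 203.0.113.10 is a made-up remote address used only by packet-tracer.

! The only ACL applied to an interface; it admits the SIP trunk port and nothing else
access-list incoming extended permit tcp any host 192.168.10.30 eq 5070
access-group incoming in interface outside

! Classification ACLs for the class map and policy map (not bound to an interface)
access-list ime-inbound-sip extended permit tcp any host 192.168.10.30 eq 5070
access-list ime-outbound-sip extended permit tcp host 192.168.10.30 any range 5000 6000

! Cisco IME server ports: 6084 (peer IME servers) and 8470 (bootstrap server).
! Both lie outside the 5000-6000 range of ime-outbound-sip, as the note for
! Step 4 requires; if you move either port, re-check that it stays outside.
access-list ime-traffic extended permit tcp any host 192.168.10.12 eq 6084
access-list ime-bootserver-traffic extended permit tcp any host 192.168.10.12 eq 8470

! Checks (hitcnt in show access-list should grow as trunk traffic arrives)
show access-list incoming
! Expected: allowed; untranslated to 192.168.10.30:5070 and matched by "incoming"
packet-tracer input outside tcp 203.0.113.10 1025 209.165.200.227 5070
! Expected: dropped by the implicit deny; 5060 is not a permitted trunk port here
packet-tracer input outside tcp 203.0.113.10 1025 209.165.200.227 5060
```

Because ACLs on this release match on real (untranslated) addresses, the ACE names the Cisco UCM's real address even though the packet arrives addressed to the mapped address; the packet-tracer trace shows the untranslation before the access-list phase.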
    						
    							 
What to Do Next
Create the media termination instance on the ASA for the Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 21-17.

Creating the Media Termination Instance

Guidelines
The media termination address you configure must meet these requirements:

If you decide to configure a media-termination address on interfaces (rather than using a global media-termination address), you must configure a media-termination address on at least two interfaces (the inside and an outside interface) before applying the service policy for the Cisco Intercompany Media Engine Proxy. Otherwise, you will receive an error message when enabling the proxy with SIP inspection.

Note: Cisco recommends that you configure the media-termination address for the Cisco Intercompany Media Engine Proxy on interfaces rather than configuring a global media-termination address.

The Cisco Intercompany Media Engine Proxy can use only one type of media termination instance at a time; for example, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. However, you cannot use a global media-termination address and media-termination addresses configured for each interface at the same time.

Note: If you change any Cisco Intercompany Media Engine Proxy settings after you create the media-termination address for the proxy, you must reconfigure the media-termination address by using the no media-termination command, and then reconfiguring it as described in this procedure.

Procedure
Create the media termination instance to use with the Cisco Intercompany Media Engine Proxy.
The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.
To create the media termination instance for the Cisco Intercompany Media Engine Proxy, perform the following steps:
    						
    							 
Step 1
Command: hostname(config)# media-termination instance_name
Example:
hostname(config)# media-termination uc-ime-media-term
Purpose: Creates the media termination instance that you attach to the Cisco Intercompany Media Engine Proxy.

Step 2
Command: hostname(config-media-termination)# address ip_address interface intf_name
Example:
hostname(config-media-termination)# address 209.165.200.228 interface outside
Purpose: Configures the media-termination address used by the outside interface of the ASA.
The outside IP address must be a publicly routable address that is an unused IP address within the address range on that interface.
See Creating the Cisco Intercompany Media Engine Proxy, page 21-18 for information about the UC-IME proxy settings. See the CLI configuration guide for information about the no service-policy command.

Step 3
Command: hostname(config-media-termination)# address ip_address interface intf_name
Example:
hostname(config-media-termination)# address 192.168.10.3 interface inside
Purpose: Configures a media-termination address used by the inside interface of the ASA.
Note: The IP address must be an unused IP address within the same subnet on that interface.

Step 4 (Optional)
Command: hostname(config-media-termination)# rtp-min-port port1 rtp-max-port port2
Example:
hostname(config-media-termination)# rtp-min-port 1000 rtp-max-port 2000
Purpose: Configures the rtp-min-port and rtp-max-port limits for the Cisco Intercompany Media Engine Proxy. Configure the RTP port range for the media termination point when you need to scale the number of calls that the Cisco Intercompany Media Engine supports.
Where port1 specifies the minimum value for the RTP port range for the media termination point; port1 can be a value from 1024 to 65535. By default, the value for port1 is 16384.
Where port2 specifies the maximum value for the RTP port range for the media termination point; port2 can be a value from 1024 to 65535. By default, the value for port2 is 32767.

What To Do Next
Once you have created the media termination instance, create the Cisco Intercompany Media Engine Proxy. See Creating the Cisco Intercompany Media Engine Proxy, page 21-18.

Creating the Cisco Intercompany Media Engine Proxy
To create the Cisco Intercompany Media Engine Proxy, perform the following steps.
The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.
    						
    							 
Note: You cannot change any of the configuration settings for the Cisco Intercompany Media Engine Proxy described in this procedure when the proxy is enabled for SIP inspection. Remove the Cisco Intercompany Media Engine Proxy from SIP inspection before changing any of the settings described in this procedure.
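The media termination instance built in Creating the Media Termination Instance and the proxy built by Steps 1 through 6 of this procedure, assembled into one configuration with the commands that verify it. This is an added example, not configuration text from the original guide. Assumptions: the outside media-termination address is 209.165.200.229 rather than the 209.165.200.228 used in the step examples, so that it is not one of the Cisco UCM mapped addresses of Figure 21-7 (the address must be unused on the interface); the second Cisco UCM at 192.168.10.31 is assumed to have a SIP trunk enabled; the ticket password is a constructed sample that must be replaced and must match the value set on the Cisco Intercompany Media Engine server.

```cisco
! Added example, not from the original guide.
! Assumptions: 209.165.200.229 is a free address on the outside subnet (not a
! NAT mapped address); 192.168.10.31 also has a SIP trunk enabled; the ticket
! password is a constructed sample, replace it before use.

! Per-interface media termination (Cisco's recommendation over a global address);
! both the inside and the outside address are required before SIP inspection is applied.
media-termination uc-ime-media-term
 address 209.165.200.229 interface outside
 address 192.168.10.3 interface inside
 rtp-min-port 1000 rtp-max-port 2000
!
! Only one uc-ime proxy may exist on the ASA.
uc-ime local-ent-ime
 media-termination uc-ime-media-term
 ! Real addresses, never mapped ones; one entry per trunk-enabled Cisco UCM in the cluster
 ucm address 192.168.10.30 trunk-security-mode non-secure
 ucm address 192.168.10.31 trunk-security-mode non-secure
 ! Epoch 1 on first configuration; 35 characters, no spaces, all within 0x21-0x73
 ticket epoch 1 password SAMPLE-ONLY-Replace-Before-Use-2013
 fallback monitoring timer 120
 fallback hold-down timer 30
!
! Checks: the password is shown as ***** in the running configuration
show running-config media-termination
show running-config uc-ime
!
! Password rotation, done later: remove the proxy from SIP inspection first
! (its settings cannot be changed while inspection is enabled), then bump the
! epoch together with the new password. The old password is invalidated, so
! set epoch 2 and the same new password on the Cisco IME server as well.
!   uc-ime local-ent-ime
!    ticket epoch 2 password <new-password-of-20-or-more-characters>
!
! Changing a media-termination setting later means recreating the instance:
!   no media-termination uc-ime-media-term
!   media-termination uc-ime-media-term
!    address ... interface outside
!    address ... interface inside
```

The sample password is 35 characters long and uses only letters a through s, upper-case letters, digits and hyphens, so it stays inside the 0x21 to 0x73 character range that the ticket command accepts; generate your own value of at least 20 characters rather than reusing it.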
Step 1
Command: hostname(config)# uc-ime uc_ime_name
Example:
hostname(config)# uc-ime local-ent-ime
Purpose: Configures the Cisco Intercompany Media Engine Proxy.
Where uc_ime_name is the name of the Cisco Intercompany Media Engine Proxy. The name is limited to 64 characters.
Only one Cisco Intercompany Media Engine Proxy can be configured on the ASA.

Step 2
Command: hostname(config-uc-ime)# media-termination mta_instance_name
Example:
hostname(config-uc-ime)# media-termination uc-ime-media-term
Purpose: Specifies the media termination instance used by the Cisco Intercompany Media Engine Proxy.
Note: You must create the media termination instance before you specify it in the Cisco Intercompany Media Engine Proxy.
Where mta_instance_name is the instance_name that you created in Step 1 of Creating the Media Termination Instance. See Creating the Media Termination Instance, page 21-17 for the steps to create the media termination instance.

Step 3
Command: hostname(config-uc-ime)# ucm address ip_address trunk-security-mode {non-secure | secure}
Example:
hostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-secure
Purpose: Specifies the Cisco UCM server in the enterprise. You must specify the real IP address of the Cisco UCM server. Do not specify a mapped IP address for the server.
Note: You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine that has a SIP trunk enabled.
Where the non-secure and secure options specify the security mode of the Cisco UCM or cluster of Cisco UCMs.
Note: Specifying secure for the Cisco UCM or Cisco UCM cluster indicates that the Cisco UCM or Cisco UCM cluster is initiating TLS; therefore, you must configure TLS for the components. See (Optional) Configuring TLS within the Local Enterprise, page 21-27.
You can specify the secure option in this task or you can update it later while configuring TLS for the enterprise. See Step 11 in (Optional) Configuring TLS within the Local Enterprise, page 21-27.
    						
    							 
Step 4
Command: hostname(config-uc-ime)# ticket epoch n password password
Example:
hostname(config-uc-ime)# ticket epoch 1 password password1234
Purpose: Configures the ticket epoch and password for Cisco Intercompany Media Engine.
Where n is an integer from 1 to 255. The epoch is an integer that is updated each time the password is changed. When the proxy is configured for the first time and a password is entered for the first time, enter 1 for the epoch integer. Each time you change the password, increment the epoch to indicate the new password; you must increment the epoch value every time you change the password. Typically, you increment the epoch sequentially; however, the ASA allows you to choose any value when you update the epoch.
If you change the epoch value, the current password is invalidated and you must enter a new password.
Where password contains a minimum of 10 and a maximum of 64 printable characters from the US-ASCII character set. The allowed characters include 0x21 to 0x73 inclusive, and exclude the space character.
We recommend a password of at least 20 characters. Only one password can be configured at a time. The example value password1234 meets only the 10-character minimum; use a longer, randomly generated value in production.
The ticket password is stored on flash. The output of the show running-config uc-ime command displays ***** instead of the password string.
Note: The epoch and password that you configure on the ASA must match the epoch and password configured on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.
    						
    							 
Step 5 (Optional)
Command: hostname(config-uc-ime)# fallback {monitoring timer timer_millisec | hold-down timer timer_sec}
Examples:
hostname(config-uc-ime)# fallback monitoring timer 120
hostname(config-uc-ime)# fallback hold-down timer 30
Purpose: Specifies the fallback timers for Cisco Intercompany Media Engine.
Specifying monitoring timer sets the interval at which the ASA samples the RTP packets received from the Internet. The ASA uses the data sample to determine if fallback to the PSTN is needed for a call.
Where timer_millisec specifies the length of the monitoring timer. By default, the length is 100 milliseconds for the monitoring timer and the allowed range is 10-600 ms.
Specifying hold-down timer sets the amount of time that the ASA waits before notifying Cisco UCM whether to fall back to the PSTN.
Where timer_sec specifies the length of the hold-down timer. By default, the length is 20 seconds for the hold-down timer and the allowed range is 10-360 seconds.
If you do not use this command to specify fallback timers, the ASA uses the default settings for the fallback timers.

Step 6 (Optional)
Command: hostname(config-uc-ime)# fallback sensitivity-file file_name
Example:
hostname(config-uc-ime)# fallback sensitivity-file ime-fallback-sensitivity.fbs
Purpose: Specifies the file to use for mid-call PSTN fallback.
Where file_name must be the name of a file on disk that includes the .fbs file extension.
The fallback file is used to determine whether the QoS of the call is poor enough for the Cisco Intercompany Media Engine to move the call to the PSTN.

What to Do Next
Install the certificate on the local entity truststore. You could also enroll the certificate with a local CA trusted by the local entity.

Creating Trustpoints and Generating Certificates
You need to generate the keypair for the certificate used by the ASA, and configure a trustpoint to identify the certificate sent by the ASA in the TLS handshake.
The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.

Note: This task instructs you on how to create trustpoints for the local enterprise and the remote enterprise and how to exchange certificates between these two enterprises. This task does not provide steps for creating trustpoints and exchanging certificates between the local Cisco UCM and the local ASA. However, if you require additional security within the local enterprise, you must perform the optional task (Optional) Configuring TLS within the Local Enterprise, page 21-27. Performing that task allows for secure TLS connections between the local Cisco UCM and the local ASA. The instructions in that task describe how to create trustpoints between the local Cisco UCM and the local ASA.
Prerequisites for Installing Certificates
To create a proxy certificate on the ASA that is trusted by the remote entity, obtain a certificate from a trusted CA or export it from the remote enterprise ASA.
To export the certificate from the remote enterprise, you enter the following command on the remote ASA:
hostname(config)# crypto ca export trustpoint identity-certificate
The ASA displays the certificate on the terminal screen. Copy the certificate text from the terminal screen; you will need it in Step 5 of this task.

Procedure
To create the trustpoints and generate certificates, perform the following steps:

Step 1
Command: hostname(config)# crypto key generate rsa label key-pair-label modulus size
Example:
hostname(config)# crypto key generate rsa label local-ent-key modulus 2048
Purpose: On the local ASA, creates the RSA keypair that can be used for the trustpoints. This keypair is used for the local entity's signed certificate.
The modulus key size that you select depends on the level of security that you want to configure and on any limitations imposed by the CA from which you are obtaining the certificate. The larger the number that you select, the higher the security level will be for the certificate. Most CAs recommend 2048 for the key modulus size; do not use a smaller modulus.
Note: GoDaddy requires a key modulus size of 2048.

Step 2
Command: hostname(config)# crypto ca trustpoint trustpoint_name
Example:
hostname(config)# crypto ca trustpoint local_ent
Purpose: Enters the trustpoint configuration mode for the specified trustpoint so that you can create the trustpoint for the local entity.
A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. Maximum name length is 128 characters.

Step 3
Command: hostname(config-ca-trustpoint)# subject-name X.500_name
Example:
hostname(config-ca-trustpoint)# subject-name cn=Ent-local-domain-name
Purpose: Includes the indicated subject DN in the certificate during enrollment.
Note: The domain name that you enter here must match the domain name that has been set for the local Cisco UCM. For information about how to configure the domain name for Cisco UCM, see the Cisco Unified Communications Manager documentation.
    						