Cisco Asdm 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 21 Configuring Cisco Intercompany Media Engine Proxy

Step 4
Command: hostname(config-ca-trustpoint)# keypair keyname
Example: hostname(config-ca-trustpoint)# keypair local-ent-key
Purpose: Specifies the key pair whose public key is to be certified.

Step 5
Command: hostname(config-ca-trustpoint)# enroll terminal
Purpose: Specifies that you will use the “copy and paste” method of enrollment with this trustpoint (also known as manual enrollment).

Step 6
Command: hostname(config-ca-trustpoint)# exit
Purpose: Exits from the CA Trustpoint configuration mode.

Step 7
Command: hostname(config)# crypto ca enroll trustpoint
Example:
hostname(config)# crypto ca enroll remote-ent
%
% Start certificate enrollment ...
% The subject name in the certificate will be:
% cn=enterpriseA
% The fully-qualified domain name in the certificate will be: ciscoasa
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Purpose: Starts the enrollment process with the CA. Where trustpoint is the same as the value you entered for trustpoint_name in Step 2. When the trustpoint is configured for manual enrollment (enroll terminal command), the ASA writes a base-64-encoded PKCS10 certification request to the console and then displays the CLI prompt. Copy the text from the prompt. Submit the certificate request to the CA, for example, by pasting the text displayed at the prompt into the certificate signing request enrollment page on the CA website. When the CA returns the signed identity certificate, proceed to Step 8 in this procedure.

Step 8
Command: hostname(config)# crypto ca import trustpoint certificate
Example: hostname(config)# crypto ca import remote-ent certificate
Purpose: Imports the signed certificate received from the CA in response to a manual enrollment request. Where trustpoint specifies the trustpoint you created in Step 2. The ASA prompts you to paste the base-64 formatted signed certificate onto the terminal.

Step 9
Command: hostname(config)# crypto ca authenticate trustpoint
Example: hostname(config)# crypto ca authenticate remote-ent
Purpose: Authenticates the third-party identity certificate received from the CA. The identity certificate is associated with a trustpoint created for the remote enterprise. The ASA prompts you to paste the base-64 formatted identity certificate from the CA onto the terminal.

What to Do Next

Create the TLS proxy for the Cisco Intercompany Media Engine. See the “Creating the TLS Proxy” section on page 21-24.
Creating the TLS Proxy

Because either enterprise, namely the local or remote Cisco UCM servers, can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS handshake), you must configure bidirectional TLS proxy rules. Each enterprise can have an ASA as the TLS proxy.

Create TLS proxy instances for the local and remote entity initiated connections respectively. The entity that initiates the TLS connection is in the role of “TLS client.” Because the TLS proxy has a strict definition of “client” and “server” proxy, two TLS proxy instances must be defined if either of the entities could initiate the connection.

The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.

To create the TLS proxy, perform the following steps:

Step 1
Command: hostname(config)# tls-proxy proxy_name
Example: hostname(config)# tls-proxy local_to_remote-ent
Purpose: Creates the TLS proxy for the outbound connections.

Step 2
Command: hostname(config-tlsp)# client trust-point proxy_trustpoint
Example: hostname(config-tlsp)# client trust-point local-ent
Purpose: For outbound connections, specifies the trustpoint and associated certificate that the adaptive security appliance uses in the TLS handshake when the adaptive security appliance assumes the role of the TLS client. The certificate must be owned by the adaptive security appliance (identity certificate). Where proxy_trustpoint specifies the trustpoint defined by the crypto ca trustpoint command in Step 2 in “Creating Trustpoints and Generating Certificates” section on page 21-21.

Step 3
Command: hostname(config-tlsp)# client cipher-suite cipher_suite
Example: hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Purpose: For outbound connections, controls the TLS handshake parameter for the cipher suite. Where cipher_suite includes des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, or null-sha1. For client proxy (the proxy acts as a TLS client to the server), the user-defined cipher suite replaces the default cipher suite, or the one defined by the ssl encryption command. Use this command to achieve different ciphers between the two TLS sessions. You should use AES ciphers with the Cisco UCM server.

Step 4
Command: hostname(config-tlsp)# exit
Purpose: Exits from the TLS proxy configuration mode.

Step 5
Command: hostname(config)# tls-proxy proxy_name
Example: hostname(config)# tls-proxy remote_to_local-ent
Purpose: Creates the TLS proxy for inbound connections.
Step 6
Command: hostname(config-tlsp)# server trust-point proxy_trustpoint
Example: hostname(config-tlsp)# server trust-point local-ent
Purpose: For inbound connections, specifies the proxy trustpoint certificate presented during the TLS handshake. The certificate must be owned by the adaptive security appliance (identity certificate). Where proxy_trustpoint specifies the trustpoint defined by the crypto ca trustpoint command in Step 2 in “Creating Trustpoints and Generating Certificates” section on page 21-21. Because the TLS proxy has a strict definition of client proxy and server proxy, two TLS proxy instances must be defined if either of the entities could initiate the connection.

Step 7
Command: hostname(config-tlsp)# client cipher-suite cipher_suite
Example: hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Purpose: For inbound connections, controls the TLS handshake parameter for the cipher suite. Where cipher_suite includes des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, or null-sha1.

Step 8
Command: hostname(config-tlsp)# exit
Purpose: Exits from the TLS proxy configuration mode.

Step 9
Command: hostname(config)# ssl encryption 3des-sha1 aes128-sha1 [algorithms]
Purpose: Specifies the encryption algorithms that the SSL/TLS protocol uses. Specifying 3des-sha1 and aes128-sha1 is required. Specifying other algorithms is optional.
Note: The Cisco Intercompany Media Engine Proxy requires that you use strong encryption. You must specify this command when the proxy is licensed using a K9 license.

What to Do Next

Once you have created the TLS proxy, enable it for SIP inspection.

Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy

Enable the TLS proxy for SIP inspection and define policies for both entities that could initiate the connection.

The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.

Note: If you want to change any Cisco Intercompany Media Engine Proxy settings after you enable SIP inspection, you must enter the no service-policy command, and then reconfigure the service policy as described in this procedure. Removing and reconfiguring the service policy does not affect existing calls; however, the first call traversing the Cisco Intercompany Media Engine Proxy will fail. Enter the clear connection command and restart the ASA.

To enable SIP inspection for the Cisco Intercompany Media Engine Proxy, perform the following steps:
Step 1
Command: hostname(config)# class-map class_map_name
Example: hostname(config)# class-map ime-inbound-sip
Purpose: Defines a class for the inbound Cisco Intercompany Media Engine SIP traffic.

Step 2
Command: hostname(config-cmap)# match access-list access_list_name
Example: hostname(config-cmap)# match access-list ime-inbound-sip
Purpose: Identifies the SIP traffic to inspect. Where the access_list_name is the ACL you created in Step 3, page 21-16 of the task Creating ACLs for Cisco Intercompany Media Engine Proxy.

Step 3
Command: hostname(config-cmap)# exit
Purpose: Exits from the class map configuration mode.

Step 4
Command: hostname(config)# class-map class_map_name
Example: hostname(config)# class-map ime-outbound-sip
Purpose: Defines a class for the outbound SIP traffic from Cisco Intercompany Media Engine.

Step 5
Command: hostname(config-cmap)# match access-list access_list_name
Example: hostname(config-cmap)# match access-list ime-outbound-sip
Purpose: Identifies which outbound SIP traffic to inspect. Where the access_list_name is the ACL you created in Step 4, page 21-16 of the task Creating ACLs for Cisco Intercompany Media Engine Proxy.

Step 6
Command: hostname(config-cmap)# exit
Purpose: Exits from the class map configuration mode.

Step 7
Command: hostname(config)# policy-map name
Example: hostname(config)# policy-map ime-policy
Purpose: Defines the policy map to which to attach the actions for the class of traffic.

Step 8
Command: hostname(config-pmap)# class classmap_name
Example: hostname(config-pmap)# class ime-outbound-sip
Purpose: Assigns a class map to the policy map so that you can assign actions to the class map traffic. Where classmap_name is the name of the SIP class map that you created in Step 1 in this task.

Step 9
Command: hostname(config-pmap-c)# inspect sip [sip_map] tls-proxy proxy_name uc-ime uc_ime_map
Example: hostname(config-pmap-c)# inspect sip tls-proxy local_to_remote-ent uc-ime local-ent-ime
Purpose: Enables the TLS proxy and Cisco Intercompany Media Engine Proxy for the specified SIP inspection session.

Step 10
Command: hostname(config-pmap-c)# exit
Purpose: Exits from the policy map class configuration mode.

Step 11
Command: hostname(config-pmap)# class class_map_name
Example: hostname(config-pmap)# class ime-inbound-sip
Purpose: Assigns a class map to the policy map so that you can assign actions to the class map traffic. Where classmap_name is the name of the SIP class map that you created in Step 4 in this task.

Step 12
Command: hostname(config-pmap-c)# inspect sip [sip_map] tls-proxy proxy_name uc-ime uc_ime_map
Example: hostname(config-pmap-c)# inspect sip tls-proxy remote_to_local-ent uc-ime local-ent-ime
Purpose: Enables the TLS proxy and Cisco Intercompany Media Engine Proxy for the specified SIP inspection session.

Step 13
Command: hostname(config-pmap-c)# exit
Purpose: Exits from the policy map class configuration mode.
Step 14
Command: hostname(config-pmap)# exit
Purpose: Exits from the policy map configuration mode.

Step 15
Command: hostname(config)# service-policy policymap_name global
Example: hostname(config)# service-policy ime-policy global
Purpose: Enables the service policy for SIP inspection for all interfaces. Where policymap_name is the name of the policy map you created in Step 7 of this task. See Creating the Cisco Intercompany Media Engine Proxy, page 21-18 for information about the UC-IME proxy settings. See CLI configuration guide for information about the no service-policy command.

What to Do Next

Once you have enabled the TLS proxy for SIP inspection, if necessary, configure TLS within the enterprise. See (Optional) Configuring TLS within the Local Enterprise, page 21-27.

(Optional) Configuring TLS within the Local Enterprise

This task is not required if TCP is allowable within the inside network.

TLS within the enterprise refers to the security status of the Cisco Intercompany Media Engine trunk as seen by the ASA.

Note: If the transport security for the Cisco Intercompany Media Engine trunk changes on Cisco UCM, it must be changed on the ASA as well. A mismatch will result in call failure. The ASA does not support SRTP with non-secure IME trunks. The ASA assumes SRTP is allowed with secure trunks. So ‘SRTP Allowed’ must be checked for IME trunks if TLS is used. The ASA supports SRTP fallback to RTP for secure IME trunk calls.

Prerequisites

On the local Cisco UCM, download the Cisco UCM certificate. See the Cisco Unified Communications Manager documentation for information. You will need this certificate when performing Step 6 of this procedure.

Procedure

To configure TLS within the local enterprise, perform the following steps on the local ASA:
Step 1
Commands:
hostname(config)# crypto key generate rsa label key-pair-label
hostname(config)# crypto ca trustpoint trustpoint_name
hostname(config-ca-trustpoint)# enroll self
hostname(config-ca-trustpoint)# keypair keyname
hostname(config-ca-trustpoint)# subject-name x.500_name
Example:
hostname(config)# crypto key generate rsa label local-ent-key
hostname(config)# crypto ca trustpoint local-asa
hostname(config-ca-trustpoint)# enroll self
hostname(config-ca-trustpoint)# keypair key-local-asa
hostname(config-ca-trustpoint)# subject-name cn=Ent-local-domain-name** ., o=Example Corp
Purpose: Creates an RSA key and trustpoint for the self-signed certificate. Where key-pair-label is the RSA key for the local ASA. Where trustpoint_name is the trustpoint for the local ASA. Where keyname is the key pair for the local ASA. Where x.500_name includes the X.500 distinguished name of the local ASA; for example, cn=Ent-local-domain-name**.
Note: The domain name that you enter here must match the domain name that has been set for the local Cisco UCM. For information about how to configure the domain name for Cisco UCM, see the Cisco Unified Communications Manager documentation.

Step 2
Command: hostname(config-ca-trustpoint)# exit
Purpose: Exits from Trustpoint Configuration mode.

Step 3
Command: hostname(config)# crypto ca export trustpoint identity-certificate
Example: hostname(config)# crypto ca export local-asa identity-certificate
Purpose: Exports the certificate you created in Step 1. The certificate contents appear on the terminal screen. Copy the certificate from the terminal screen. This certificate enables Cisco UCM to validate the certificate that the ASA sends in the TLS handshake. On the local Cisco UCM, upload the certificate into the Cisco UCM trust store. See the Cisco Unified Communications Manager documentation for information.
Note: The subject name you enter while uploading the certificate to the local Cisco UCM is compared with the X.509 Subject Name field entered on the SIP Trunk Security Profile on Cisco UCM. For example, “Ent-local-domain-name” was entered in Step 1 of this task; therefore, “Ent-local-domain-name” should be entered in the Cisco UCM configuration.

Step 4
Commands:
hostname(config)# crypto ca trustpoint trustpoint_name
hostname(config-ca-trustpoint)# enroll terminal
Example:
hostname(config)# crypto ca trustpoint local-ent-ucm
hostname(config-ca-trustpoint)# enroll terminal
Purpose: Creates a trustpoint for local Cisco UCM. Where trustpoint_name is the trustpoint for the local Cisco UCM.

Step 5
Command: hostname(config-ca-trustpoint)# exit
Purpose: Exits from Trustpoint Configuration mode.
Step 6
Command: hostname(config)# crypto ca authenticate trustpoint
Example: hostname(config)# crypto ca authenticate local-ent-ucm
Purpose: Imports the certificate from local Cisco UCM. Where trustpoint is the trustpoint for the local Cisco UCM. Paste the certificate downloaded from the local Cisco UCM. This certificate enables the ASA to validate the certificate that Cisco UCM sends in the TLS handshake.

Step 7
Commands:
hostname(config)# tls-proxy proxy_name
hostname(config-tlsp)# server trust-point proxy_trustpoint
hostname(config-tlsp)# client trust-point proxy_trustpoint
hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Example:
hostname(config)# tls-proxy local_to_remote-ent
hostname(config-tlsp)# server trust-point local-ent-ucm
hostname(config-tlsp)# client trust-point local-ent
hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Purpose: Updates the TLS proxy for outbound connections. Where proxy_name is the name you entered in Step 1 of the task Creating the TLS Proxy. Where proxy_trustpoint for the server trust-point command is the name you entered in Step 4 of this procedure. Where proxy_trustpoint for the client trust-point command is the name you entered in Step 2 of the task Creating Trustpoints and Generating Certificates.
Note: In this step, you are creating different trustpoints for the client and the server.

Step 8
Command: hostname(config-tlsp)# exit
Purpose: Exits from TLS Proxy Configuration mode.

Step 9
Commands:
hostname(config)# tls-proxy proxy_name
hostname(config-tlsp)# server trust-point proxy_trustpoint
hostname(config-tlsp)# client trust-point proxy_trustpoint
hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Example:
hostname(config)# tls-proxy remote_to_local-ent
hostname(config-tlsp)# server trust-point local-ent
hostname(config-tlsp)# client trust-point local-ent-ucm
hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Purpose: Updates the TLS proxy for inbound connections. Where proxy_name is the name you entered in Step 5 of the task Creating the TLS Proxy. Where proxy_trustpoint for the server trust-point command is the name you entered in Step 2 of the task Creating Trustpoints and Generating Certificates. Where proxy_trustpoint for the client trust-point command is the name you entered in Step 4 of this procedure.

Step 10
Command: hostname(config-tlsp)# exit
Purpose: Exits from TLS Proxy Configuration mode.

Step 11
Commands:
hostname(config)# uc-ime uc_ime_name
hostname(config-uc-ime)# ucm address ip_address trunk-security-mode secure
Example:
hostname(config)# uc-ime local-ent-ime
hostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode secure
Purpose: Updates the Cisco Intercompany Media Engine Proxy for trunk-security-mode. Where uc_ime_name is the name you entered in Step 1 of the task Creating the Cisco Intercompany Media Engine Proxy. Only perform this step if you entered nonsecure in Step 3 of the task Creating the Cisco Intercompany Media Engine Proxy.

What to Do Next

Once you have configured the TLS within the enterprise, if necessary, configure off path signaling for an off path deployment. See (Optional) Configuring Off Path Signaling, page 21-30.
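
The following check is an added example, not part of the Cisco guide: it reads a saved ASA configuration and reports tls-proxy instances whose client cipher-suite list contains null-sha1 or des-sha1 (the guide recommends AES with Cisco UCM), inspect sip lines that name a tls-proxy that was never defined, and an ssl encryption line missing the two required algorithms. The function names, the choice of suites to flag, and the sample configuration (built from this chapter's example names, with a deliberate hyphen/underscore slip in one inspect line) are assumptions of this example.

```python
import re

# Policy of this added example: null-sha1 gives no encryption and des-sha1
# is single DES, so both are reported. 3des-sha1 is not flagged because the
# guide lists it as required for the ssl encryption command.
WEAK_SUITES = {"null-sha1", "des-sha1"}
REQUIRED_SSL = {"3des-sha1", "aes128-sha1"}

# Constructed sample configuration, not captured from a real device.
SAMPLE_CONFIG = """\
ssl encryption 3des-sha1 aes128-sha1
tls-proxy local_to_remote-ent
 server trust-point local-ent-ucm
 client trust-point local-ent
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
tls-proxy remote_to_local-ent
 server trust-point local-ent
 client trust-point local-ent-ucm
 client cipher-suite aes128-sha1 aes256-sha1
policy-map ime-policy
 class ime-outbound-sip
  inspect sip tls-proxy local_to_remote-ent uc-ime local-ent-ime
 class ime-inbound-sip
  inspect sip tls-proxy remote-to-local-ent uc-ime local-ent-ime
"""


def parse_tls_proxies(config):
    """Return {proxy_name: {"suites": [...], "trustpoints": {role: name}}}."""
    proxies, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # A new top-level command closes any open tls-proxy block.
            match = re.match(r"tls-proxy\s+(\S+)", line)
            current = None
            if match:
                current = proxies.setdefault(
                    match.group(1), {"suites": [], "trustpoints": {}})
            continue
        if current is None:
            continue  # indented line that belongs to some other block
        words = line.split()
        if words[:2] == ["client", "cipher-suite"]:
            current["suites"] = words[2:]
        elif len(words) == 3 and words[1] == "trust-point":
            current["trustpoints"][words[0]] = words[2]
    return proxies


def inspected_proxies(config):
    """Names of TLS proxies referenced by 'inspect sip ... tls-proxy NAME'."""
    return re.findall(r"^\s*inspect sip\b.*?\btls-proxy\s+(\S+)", config, re.M)


def missing_ssl_algorithms(config):
    """Required algorithms absent from the 'ssl encryption' line."""
    match = re.search(r"^ssl encryption\s+(.+)$", config, re.M)
    configured = set(match.group(1).split()) if match else set()
    return sorted(REQUIRED_SSL - configured)


def audit(config):
    """Return a list of (subject, finding, details) tuples."""
    findings = []
    proxies = parse_tls_proxies(config)
    for name, proxy in proxies.items():
        weak = [s for s in proxy["suites"] if s in WEAK_SUITES]
        if weak:
            findings.append((name, "weak-cipher", weak))
    for ref in inspected_proxies(config):
        if ref not in proxies:
            findings.append((ref, "undefined-tls-proxy", []))
    missing = missing_ssl_algorithms(config)
    if missing:
        findings.append(("ssl encryption", "missing-required-algorithm", missing))
    return findings


if __name__ == "__main__":
    for subject, finding, details in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding} {' '.join(details)}".rstrip())
```
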
(Optional) Configuring Off Path Signaling

Perform this task only when you are configuring the Cisco Intercompany Media Engine Proxy as part of an off path deployment. You might choose to have an off path deployment when you want to use the Cisco Intercompany Media Engine but do not want to replace your existing Internet firewall with an ASA enabled with the Cisco Intercompany Media Engine Proxy.

In an off path deployment, the existing firewall that you have deployed in your environment is not capable of transmitting Cisco Intercompany Media Engine traffic.

Off path signaling requires that outside IP addresses translate to an inside IP address. The inside interface address can be used for this mapping service configuration. For the Cisco Intercompany Media Engine Proxy, the ASA creates dynamic mappings for external addresses to the internal IP address; therefore, using the dynamic NAT configuration on outbound calls, Cisco UCM sends SIP traffic to this internal IP address, and the ASA uses that mapping to determine the real destination on inbound calls. The static NAT or PAT mapping is used for inbound calls in an off path configuration.

Figure 21-9 Example for Configuring Off Path Signaling in an Off Path Deployment
[Figure not reproduced. Labels: Local Cisco UCM, Local ASA, Remote ASA, Corporate Network, Local Enterprise, Internet, Outside Cisco UCM address, ASA inside interface.]

After you configure off path signaling, the ASA mapping service listens on interface “inside” for requests. When it receives a request, it creates a dynamic mapping for the “outside” as the destination interface.

To configure off path signaling for the Cisco Intercompany Media Engine Proxy, perform the following steps:

Step 1
Command: hostname(config)# object network name
Example: hostname(config)# object network outside-any
Purpose: For the off path ASA, creates a network object to represent all outside addresses.

Step 2
Command: hostname(config-network-object)# subnet ip_address
Example: hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0
Purpose: Specifies the IP address of the subnet.

Step 3
Command: hostname(config-network-object)# nat (outside,inside) dynamic interface inside
Purpose: Creates a mapping for the Cisco UCM of remote enterprises.

Step 4
Command: hostname(config-network-object)# exit
Purpose: Exits from the objects configuration mode.
Step 5
Command: hostname(config)# uc-ime uc_ime_name
Example: hostname(config)# uc-ime local-ent-ime
Purpose: Specifies the Cisco Intercompany Media Engine Proxy that you created in the task Creating the Cisco Intercompany Media Engine Proxy, page 21-18. Where uc_ime_name is the name you specified in Step 1 of Creating the Cisco Intercompany Media Engine Proxy, page 21-18.

Step 6
Command: hostname(config-uc-ime)# mapping-service listening-interface interface_name [listening-port port] uc-ime-interface uc-ime-interface_name
Example: hostname(config-uc-ime)# mapping-service listening-interface inside listening-port 8060 uc-ime-interface outside
Purpose: For the off path ASA, adds the mapping service to the Cisco Intercompany Media Engine Proxy. Specifies the interface and listening port for the ASA mapping service. You can only configure one mapping server for the Cisco Intercompany Media Engine Proxy. Where interface_name is the name of the interface on which the ASA listens for the mapping requests. Where port is the TCP port on which the ASA listens for the mapping requests. The port number must be between 1024 and 65535 to avoid conflicts with other services on the device, such as Telnet or SSH. By default, the port number is TCP 8060. Where uc-ime-interface_name is the name of the interface that connects to the remote Cisco UCM.

This section contains the following sections:
Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane, page 21-31
Configuring the Cisco UC-IME Proxy by using the Unified Communications Wizard, page 21-33

Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane

Use the Configure Cisco Intercompany Media Engine (UC-IME) proxy pane to add or edit a Cisco Intercompany Media Engine Proxy instance.

Note: The Cisco Intercompany Media Engine Proxy does not appear as an option under the Unified Communications section of the navigation pane unless the license required for this proxy is installed on the ASA.

Use this pane to create the proxy instance; however, for the UC-IME proxy to be fully functional, you must complete additional tasks, such as create the required NAT statements, ACLs, and MTA, set up the certificates, create the TLS Proxy, and enable SIP inspection.

Depending on whether the UC-IME proxy is deployed off path or in-line of Internet traffic, you must create the appropriate network objects with embedded NAT/PAT statements for the Cisco UCMs.

This pane is available from the Configuration > Firewall > Unified Communications > UC-IME Proxy.

Step 1
Open the Configuration > Firewall > Unified Communications > UC-IME Proxy pane.
Step 2
Check the Enable Cisco UC-IME proxy check box to enable the feature.

Step 3
In the Unified CM Servers area, enter an IP address or hostname for the Cisco Unified Communications Manager (Cisco UCM) or click the ellipsis to open a dialog and browse for an IP address or hostname.

Step 4
In the Trunk Security Mode field, click a security option. Specifying secure for Cisco UCM or Cisco UCM cluster indicates that Cisco UCM or Cisco UCM cluster is initiating TLS.

Step 5
Click Add to add the Cisco UCM for the Cisco Intercompany Media Engine Proxy. You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine that has a SIP trunk enabled.

Step 6
In the Ticket Epoch field, enter an integer from 1-255. The epoch contains an integer that updates each time that the password is changed. When the proxy is configured the first time and a password entered for the first time, enter 1 for the epoch integer. Each time you change the password, increment the epoch to indicate the new password. You must increment the epoch value each time you change the password. Typically, you increment the epoch sequentially; however, the ASA allows you to choose any value when you update the epoch. If you change the epoch value, the current password is invalidated and you must enter a new password.
Note: The epoch and password that you configure in this step on the ASA must match the epoch and password that you configure on the Cisco Intercompany Media Engine server. See the Cisco Intercompany Media Engine server documentation for information.

Step 7
In the Ticket Password field, enter a minimum of 10 printable characters from the US-ASCII character set. The allowed characters include 0x21 to 0x73 inclusive, and exclude the space character. The ticket password can be up to 64 characters. Confirm the password you entered. Only one password can be configured at a time.

Step 8
Check the Apply MTA to UC-IME Link proxy check box to associate the media termination address with the Cisco Intercompany Media Engine Proxy.
Note: You must create the media termination instance before you associate it with the Cisco Intercompany Media Engine Proxy. If necessary, click the Configure MTA button to configure a media termination address instance.

Step 9
If the Cisco Intercompany Media Engine Proxy is being configured as part of off path deployment, check the Enable off path address mapping service checkbox and configure the off path deployment settings:
a. From the Listening Interface field, select an ASA interface. This is the interface on which the ASA listens for the mapping requests.
b. In the Port field, enter a number between 1024 and 65535 as the TCP port on which the ASA listens for the mapping requests. The port number must be 1024 or higher to avoid conflicts with other services on the device, such as Telnet or SSH. By default, the port number is TCP 8060.
c. From the UC-IME Interface field, select an interface from the list. This is the interface that the ASA uses to connect to the remote Cisco UCM.