-
Cisco Security Appliance Command Line Configuration Guide, Version 8.0
-
Index
-
About This Guide
-
Getting Started and General Information
-
Introduction to the Security Appliance
-
Getting Started
-
Managing Feature Licenses
-
Enabling Multiple Context Mode
-
Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
-
Configuring Ethernet Settings and Subinterfaces
-
Adding and Managing Security Contexts
-
Configuring Interface Parameters
-
Configuring Basic Settings
-
Configuring IP Routing
-
Configuring Multicast Routing
-
Configuring DHCP, DDNS, and WCCP Services
-
Configuring IPv6
-
Configuring AAA Servers and the Local Database
-
Configuring Failover
-
Using Modular Policy Framework
-
-
Configuring the Firewall
-
Firewall Mode Overview
-
Identifying Traffic With Access Lists
-
Configuring NAT
-
Permitting or Denying Network Access
-
Applying AAA for Network Access
-
Applying Filtering Services
-
Managing AIP SSM and CSC SSM
-
Preventing Network Attacks
-
Applying QoS Policies
-
Applying Application Layer Protocol Inspection
-
Configuring Cisco Unified Communications Support
-
Configuring ARP Inspection and Bridging Parameters in Transparent Mode
-
-
Configuring VPN
-
Configuring IPSec and ISAKMP
-
Configuring L2TP over IPSec
-
Setting General VPN Parameters
-
Configuring Tunnel Groups, Group Policies, and Users
-
Configuring IP Addresses for VPN
-
Configuring Remote Access VPNs
-
Configuring Network Admission Control
-
Configuring Easy VPN on the ASA 5505
-
Configuring the PPPoE Client
-
Configuring LAN-to-LAN VPNs
-
Configuring Clientless SSL VPN
-
Configuring AnyConnect VPN Client Connections
-
Configuring Certificates
-
- System Administration
- Reference
-
Glossary
-
Table Of Contents
Configuring Cisco Unified Communications Proxy Features
Overview of the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications
Licensing for Cisco Unified Communications Proxy Features
Phone Proxy Limitations and Restrictions
Requirements to Support the 7960 and 7940 IP Phones
Addressing Requirements for IP Phones on Multiple Interfaces
Supported Cisco UCM and IP Phones for the Phone Proxy
Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
Importing Certificates from the Cisco UCM
Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
Phone Proxy Configuration for Cisco IP Communicator
Configuring Linksys Routers for UDP Port Forwarding
About Rate Limiting TFTP Requests
Troubleshooting the Phone Proxy
Debugging Information from the Security Appliance
Debugging Information from IP Phones
Media Termination Address Errors
TLS Proxy for Encrypted Voice Inspection
Cisco Unified Mobility and MMP Inspection Engine
Mobility Proxy Deployment Scenarios
Establishing Trust Relationships for Cisco UMA Deployments
Configuring the Security Appliance for Cisco Unified Mobility
Debugging for Cisco Unified Mobility
Architecture for Cisco Unified Presence
Establishing a Trust Relationship in the Presence Federation
About the Security Certificate Exchange Between Cisco UP and the Security Appliance
Configuring the Presence Federation Proxy for Cisco Unified Presence
Debugging the Security Appliance for Cisco Unified Presence
Sample Configurations for Cisco Unified Communications Proxy Features
Phone Proxy Sample Configurations
Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
Cisco Unified Mobility Sample Configurations
Example 2: Cisco UMC/Cisco UMA Architecture - Security Appliance as TLS Proxy Only
Cisco Unified Presence Sample Configuration
Configuring Cisco Unified Communications Proxy Features
This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
This chapter includes the following sections:
•
Overview of the Adaptive Security Appliance in Cisco Unified Communications
•
•
•
•
Overview of the Adaptive Security Appliance in Cisco Unified Communications
This section describes the Cisco UC Proxy features on the Cisco ASA 5500 series appliances. The purpose of a proxy is to terminate and reoriginate connections between a client and server. The proxy delivers a range of security functions such as traffic inspection, protocol conformance, and policy control to ensure security for the internal network. An increasingly popular function of a proxy is to terminate encrypted connections in order to apply security policies while maintaining confidentiality of connections. The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments.
The Cisco UC Proxy includes the following solutions:
Phone Proxy: Secure remote access for Cisco encrypted endpoints, and VLAN traversal for Cisco softphones
The phone proxy feature enables termination of Cisco SRTP/TLS-encrypted endpoints for secure remote access. The phone proxy allows large scale deployments of secure phones without a large scale VPN remote access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware.
The Cisco adaptive security appliance phone proxy is the replacement product for the Cisco Unified Phone Proxy. Additionally, the phone proxy can be deployed for voice/data VLAN traversal for softphone applications. Cisco IP Communicator (CIPC) traffic (both media and signaling) can be proxied through the security appliance, thus traversing calls securely between voice and data VLANs.
For information about the differences between the TLS proxy and phone proxy, go to the following URL for Unified Communications content, including TLS Proxy vs. Phone Proxy white paper:
http://www.cisco.com/go/secureuc
TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling
End-to-end encryption often leaves network security appliances "blind" to media and signaling traffic, which can compromise access control and threat prevention security functions. This lack of visibility can result in a lack of interoperability between the firewall functions and the encrypted voice, leaving businesses unable to satisfy both of their key security requirements.
The security appliance is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM servers.
Typically, the security appliance TLS Proxy functionality is deployed in campus unified communications network. This solution is ideal for deployments that utilize end to end encryption and firewalls to protect Unified Communications Manager servers.
Mobility Proxy: Secure connectivity between Cisco Unified Mobility Advantage server and Cisco Unified Mobile Communicator clients
Cisco Unified Mobility solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an easy-to-use software application for mobile handsets that extends enterprise communications applications and services to mobile phones and the Cisco Unified Mobility Advantage (Cisco UMA) server. The Cisco Unified Mobility solution streamlines the communication experience, enabling single number reach and integration of mobile endpoints into the Unified Communications infrastructure.
The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft Presence servers
Cisco Unified Presence solution collects information about the availability and status of users, such as whether they are using communication devices, such as IP phones at particular times. It also collects information regarding their communications capabilities, such as whether web collaboration or video conferencing is enabled. Using user information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco UCM can improve productivity by helping users connect with colleagues more efficiently through determining the most effective way for collaborative communication.
Using the security appliance as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.
TLS Proxy Applications in Cisco Unified Communications
Table 26-1 shows the Cisco Unified Communications applications that utilize the TLS proxy on the security appliance.
The security appliance supports TLS proxy for various voice applications. For the phone proxy, the TLS proxy running on the security appliance has the following key features:
•
•
•
•
•
For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The security appliance is between a Cisco UMA client and a Cisco UMA server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the use of an imported PKCS-12 certificate for server proxy during the handshake with the client. Cisco UMA clients are not required to present a certificate (no client authentication) during the handshake.
For the Cisco Unified Presence solution, the security appliance acts as a TLS proxy between the Cisco UP server and the foreign server. This allows the security appliance to proxy TLS messages on behalf of the server that initiates the TLS connection, and route the proxied TLS messages to the client. The security appliance stores certificate trustpoints for the server and the client, and presents these certificates on establishment of the TLS session.
Licensing for Cisco Unified Communications Proxy Features
The Cisco Unified Communications proxy features supported by the security appliance require a Unified Communications Proxy license:
•
•
•
•
The Unified Communications proxy features are licensed by TLS session. For the phone proxy or TLS proxy, each IP phone may have a single connection to the Cisco UCM server or two connections —one connection to the primary Cisco UCM and one connection to the backup Cisco UCM. In the second scenario, the phone proxy uses two Unified Communications Proxy sessions because two TLS sessions are set up. For the mobility proxy and presence federation proxy, each endpoint utilizes one Unified Communications Proxy session.
Table 26-2 shows the Unified Communications Proxy license details by platform.
A Unified Communications Proxy license is applied the same way as other licensed features (such as, SSL VPN), via the activation-key command. To check the license on the security appliance, use the show version or show activation-key command:
hostname# show activation-keySerial Number: P3000000179Running Activation Key: 0xa700d24c 0x98caab35 0x88038550 0xaf383078 0x02382080Licensed features for this platform:Maximum Physical Interfaces : UnlimitedMaximum VLANs : 150Inside Hosts : UnlimitedFailover : Active/ActiveVPN-DES : EnabledVPN-3DES-AES : EnabledSecurity Contexts : 10GTP/GPRS : EnabledVPN Peers : 750WebVPN Peers : 750AnyConnect for Mobile : DisabledAnyConnect for Linksys phone : DisabledAdvanced Endpoint Assessment : EnabledUC Proxy Sessions : 1000This platform has an ASA 5520 VPN Plus license.The flash activation key is the SAME as the running key.hostname#See the following links for additional information on licensing. If you are a registered user of Cisco.com and would like to obtain a Unified Communications Proxy license, go to the following website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, go to the following website:
https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet
Provide your name, e-mail address, and the serial number for the security appliance as it appears in the show version command output.
Phone Proxy
This section includes the following topics:
•
About the Phone Proxy
The phone proxy on the security appliance bridges IP telephony between the corporate IP telephony network and the Internet in a secure manner by forcing data from remote phones on an untrusted network to be encrypted. Telecommuters can connect their IP phones to the corporate IP telephony network over the Internet securely via the phone proxy without the need to connect over a VPN tunnel as illustrated by Figure 26-1.
Figure 26-1 Phone Proxy Secure Deployment
The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode. Regardless of the cluster mode, the remote phones that are capable of encryption are always forced to be in encrypted mode. TLS (signaling) and SRTP (media) are always terminated on the security appliance. The security appliance can also perform NAT, open pinholes for the media, and apply inspection policies for the SCCP and SIP protocols. In a nonsecure cluster mode or a mixed mode where the phones are configured as nonsecure, the phone proxy behaves in the following ways:
•
•
In a mixed mode cluster where the internal IP phones are configured as authenticated, the TLS connection is not converted to TCP to the Cisco UCM but the SRTP is converted to RTP.
In a mixed mode cluster where the internal IP phone is configured as encrypted, the TLS connection remains a TLS connection to the Cisco UCM and the SRTP from the remote phone remains SRTP to the internal IP phone.
Since the main purpose of the phone proxy is to make the phone behave securely while making calls to a nonsecure cluster, the phone proxy performs the following major functions:
•
•
•
•
•
Phone Proxy Limitations and Restrictions
The phone proxy has the following limitations and restrictions:
•
•
•
•
Phone Proxy Configuration
This section includes the following topics:
•
•
•
•
•
•
•
•
Configuration Prerequisites
Before configuring the phone proxy, ensure that the security appliance meets the following configuration requirements:
•
–
–
–
–
–
Note
•
•
After configuring the DNS lookup, make sure that the security appliance can ping the Cisco UCM with the configured FQDN.
If you have a CAPF service enabled and the Cisco UCM is not running on the Publisher, and the Publisher is configured with a FQDN instead of an IP address, you must also configure DNS lookup.
•
Table 26-3 lists the access-list rule that must be configured for TFTP on the security appliance:
Table 26-3 Access List Rule for TFTP
TFTP Server
69
UDP
Allow incoming TFTP
Note
For information about configuring access-lists on the security appliance, see Access List Overview, page 17-1.
•
Table 26-4 lists the ports that are required to be configured on the existing firewall:
Note
•
•
•
–
Therefore, if global_sccp_port is 7000, then the global secure SCCP port is 7443. Reconfiguring the port might be necessary when the phone proxy deployment has more than one Cisco UCM and they must share the interface IP address or a global IP address:
/* use the default ports for the first CUCM */static (inside,outside) tcp interface 2000 10.0.0.1 2000static (inside,outside) tcp interface 2443 10.0.0.1 2443/* use non-default ports for the 2nd CUCM */static (inside,outside) tcp interface 7000 10.0.0.2 2000static (inside,outside) tcp interface 7443 10.0.0.2 2443
Note
–
Requirements to Support the 7960 and 7940 IP Phones
To support the 7960 and 7940 IP phones with the phone proxy, you must meet the following requirements:
•
See the following document for the steps to install an LSC on IP phones:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/7_0_1/secugd/secucapf.html#wp1093518
Note
•
•
•
•
Addressing Requirements for IP Phones on Multiple Interfaces
When IP phones reside on multiple interfaces, the phone proxy configuration must have the correct IP address set for the Cisco UCM in the CTL file.
See the following example topology for information about how to correctly set the IP address:
phones --- (dmz)-----||----- ASA PP --- (outside Internet) --- phonesphones --- (inside)--|In this example topology, the following IP address are set:
•
•
•
The Cisco UCM is mapped with different global IP addresses from DMZ > outside and inside interfaces > outside interface.
In the CTL file, the Cisco UCM must have two entries because of the two different IP addresses. For example, if the static statements for the Cisco UCM are as follows:
static (inside,outside) 128.106.254.2 10.0.0.5static (inside,dmz) 192.168.1.2 10.0.0.5There must be two CTL file record entries for the Cisco UCM:
record-entry cucm trustpoint cucm_in_to_out address 128.106.254.2record-entry cucm trustpoint cucm_in_to_dmz address 192.168.1.2Supported Cisco UCM and IP Phones for the Phone Proxy
Cisco Unified Communications Manager
The following release of the Cisco Unified Communications Manager are supported with the phone proxy:
•
•
•
•
Cisco Unified IP Phones
The following IP phones in the Cisco Unified IP Phones 7900 Series are supported with the phone proxy:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Note
End-User Phone Provisioning
The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is not configured for the Cisco UCM TFTP server, then the phone needs to be configured with the Cisco UCM cluster TFTP server address.
If NAT is configured for the Cisco UCM TFTP server, then the Cisco UCM TFTP server global address is configured as the TFTP server address on the phone.
•
–
–
–
· Easier to troubleshoot and isolate problems with the network or phone proxy because you know whether the phone is registered and working with the Cisco UCM.
· Better user experience because the phone does not have to download firmware from over a broadband connection, which can be slow and require the user to wait for a longer time.
•
–
In both options, deploying a remote IP phone behind a commercial Cable/DSL router with NAT capabilities is supported.
Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
Step 1
You need to create trustpoints for each Cisco UCM (primary and secondary if a secondary Cisco UCM is used) and TFTP server in the network. The trustpoints need to be in the CTL file for the phones to trust the Cisco UCM.
a.
hostname(config)# crypto key generate rsa label key-pair-label modulus sizeb.
hostname(config)# crypto ca trustpoint trustpoint_namehostname(config-ca-trustpoint)# enrollment selfhostname(config-ca-trustpoint)# keypair keynamehostname(config-ca-trustpoint)# exithostname(config)# crypto ca enroll trustpointEntering these commands generates a self-signed certificate and specifies the keypair whose public key is being certified. This is the keypair created in substep a. Entering the crypto ca enroll command requests the certificate from the CA server and causes the security appliance to generate the certificate.
c.
hostname(config)# crypto ca trustpoint trustpoint_namehostname(config-ca-trustpoint)# enrollment selfhostname(config-ca-trustpoint)# keypair keynamehostname(config-ca-trustpoint)# exithostname(config)# crypto ca enroll trustpoint
Note
d.
e.
f.
•
•
•
See Importing Certificates from the Cisco UCM. For example, the CA Manufacturer certificate is required by the phone proxy to validate the IP phone certificate.
g.
Note
Step 2
a.
Note
b.
hostname(config)# ctl-file ctl_namec.
hostname(config-ctl-file)# record-entry tftp trustpoint trustpoint_name address TFTP_IP_addressd.
hostname(config-ctl-file)# record-entry cucm trustpoint trustpoint_name address IP_addresse.
hostname(config-ctl-file)# record-entry capf trustpoint trust_point addressf.
hostname(config-ctl-file)# no shutdownWhen the file is created, it creates an internal trustpoint used by the phone proxy to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.
g.
hostname(config)# copy running-configuration startup-configurationStep 3
a.
hostname(config)# tls-proxy proxy_nameb.
hostname(config-tlsp)# server trust-point _internal_PP_ctl-instance_filenameStep 4
a.
hostname(config)# phone-proxy phone_proxy_nameb.
hostname(config-phone-proxy)# media-termination address ip_address
Note
•
•
c.
hostname(config-phone-proxy)# tftp-server address ip_address interface interfaced.
hostame(config-phone-proxy)# tls-proxy proxy_namee.
hostname(config-phone-proxy)# ctl-file ctl_namef.
hostname(config-phone-proxy)# proxy-server address ip_address [listen_port] interface ifcYou can configure only one proxy server while the phone proxy is in use; however, if the IP phones have already downloaded their configuration files after you have configured the proxy server, you must restart the IP phones so that they get the configuration file with the proxy server address in the file.
By default, the Phone URL Parameters configured under the Enterprise Parameters use an FQDN in the URLs. The parameters might need to be changed to use an IP address if the DNS lookup for the HTTP proxy does not resolve the FQDNs.
g.
hostname(config-phone-proxy)# cipc security-mode authenticatedSee Phone Proxy Configuration for Cisco IP Communicator for all requirements for using the phone proxy with CIPC.
h.
hostname(config-phone-proxy)# no disable service-settingsBy default, the following settings are disabled on the IP phones:
–
–
–
–
–
Step 5
a.
hostname(config)# class-map class_map_namehostname(config-cmap)# match port tcp eq 2443Where class_map_name is the name of the Skinny class map.
b.
hostname(config)# class-map class_map_namehostname(config-cmap)# match port tcp eq 5061Where class_map_name is the name of the SIP class map.
c.
hostname(config)# policy-map namehostname(config-pmap)# class classmap-namehostname(config-pmap-c)# inspect skinny phone-proxy pp_namehostnae(config-pmap)# class classmap-namehostname(config-pmap-c)# inspect sip phone-proxy pp_nameWhere classmap_name is the name of the Skinny class map and the name for the SIP class map.
d.
hostname(config)# service-policy policymap_name interface intf
Importing Certificates from the Cisco UCM
For the TLS proxy used by the phone proxy to complete the TLS handshake successfully, it needs to verify the certificates from the IP phone (and the Cisco UCM if doing TLS with Cisco UCM). To validate the IP phone certificate, we need the CA Manufacturer certificate which is stored on the Cisco UCM. Follow these steps to import the CA Manufacturer certificate to the security appliance.
Step 1
Step 2
Note
Step 3
Step 4
Note
Step 5
Step 6
hostname(config)# crypto ca trustpoint trustpoint_namehostname(config-ca-trustpoint)# enrollment terminalStep 7
hostname(config)# crypto ca authenticate trustpointStep 8
Note
Tip
Step 9
Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
When the phone proxy is being configured to run in mixed-mode clusters, you have the following options:
•
•
Step 1
Or
Create trustpoints and generate certificates for each entity in the network (Cisco UCM, Cisco UCM and TFTP, TFTP server, CAPF) that the IP phones must trust by performing the following substeps:
a.
hostname(config)# crypto ca generate rsa label keyname modulus 1024hostname(config-ca-trustpoint)# enrollment selfhostname(config-ca-trustpoint)# keypair keynamehostname(config-ca-trustpoint)# exithostname(config)# crypto ca enroll trustpointEntering these commands generates a self-signed certificate and specifies the keypair whose public key is being certified. This is the keypair created in substep a. Entering the crypto ca enroll command requests the certificate from the CA server and causes the security appliance to generate the certificate.
b.
hostname(config)# crypto ca trustpoint trustpoint_namehostname(config-ca-trustpoint)# enrollment selfhostname(config-ca-trustpoint)# keypair keynamehostname(config-ca-trustpoint)# exithostname(config)# crypto ca enroll trustpoint
Note
c.
d.
e.
•
•
•
•
See Importing Certificates from the Cisco UCM. For example, the CA Manufacturer certificate is required by the phone proxy to validate the IP phone certificate.
f.
Note
Step 2
a.
