Thursday, July 26, 2012

Phone Proxy with ASA 8.2

The ASA 8.2 Phone Proxy feature allows the security appliance to proxy the Certificate Authority function on behalf of the CUCM. Phones registering from the outside contact the ASA, which then proxies the connection to the CUCM. The “media termination point” feature, along with the Certificate Trust List (CTL) built on the ASA, ensures that the media streams are encrypted (SRTP).

Because the “Phone Proxy” ASA is separate from the “Internet ASA” at Securiosity Companies, “outside NAT” had to be implemented to ensure that phone-to-CUCM traffic was not asymmetrically routed. Please review the ASA configuration (contained in this document) for the specific details of this solution.

We have also modified a service policy to inspect SIP, and the policy is attached to the “outside” interface.

The only ACL entry relaxed here is TFTP traffic to the CUCM’s translated address on the “outside” interface of the ASA.


Trustpoint for MIC (7941 and 7961 phones)

crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
 enrollment terminal
 crl configure


Phone-Proxy configuration

tls-proxy ASA-tls-proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
!
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 192.168.2.227
! the following entry is optional (for use with CAPF / LSC-only phones)
 record-entry capf trustpoint capf_trustpoint address 192.168.2.227
 no shutdown
!
media-termination mymta
 address 208.87.143.229 interface outside
 address 172.18.0.182 interface inside
!
phone-proxy ASA-phone-proxy
 media-termination mymta
 tftp-server address 172.18.2.26 interface inside
 tls-proxy ASA-tls-proxy
 ctl-file ctl_phoneproxy_file
 no disable service-settings

FW basic configuration (ACLs and NAT)

! public address of TFTP server
static (inside,outside) 192.168.2.227 172.18.2.26 netmask 255.255.255.255
!
! the only ACL entry required
access-list list outside permit tcp any host 192.168.2.227 eq tftp
!
object-group service CUCM-PROXY-PORTS
 service-object tcp 2443
 service-object tcp 5061
 service-object tcp 3804
 service-object udp tftp
 service-object udp range 1024 65535
!
access-list phone-proxy-traffic permit object-group CUCM-PROXY-PORTS any host 192.168.2.227
!
! Outside NAT forces return traffic from the CUCM to go back through ASA-PP
! Without it, traffic from the CUCM would follow the default (0.0.0.0/0) route to the Internet ASA, causing asymmetric routing
nat (outside) 555 access-list phone-proxy-traffic outside
global (inside) 555 interface
!
class-map sec_sip
 match port tcp eq 5061
class-map sec_sccp
 match port tcp eq 2443
!
!
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy ASA-phone-proxy
 class sec_sip
  inspect sip phone-proxy ASA-phone-proxy
!
service-policy voice_policy interface outside
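The pieces above only work together if the addresses and ports agree across the static, the ctl-file, the phone-proxy block, the outside-NAT ACL and the class-maps. The following Python script is an added consistency check written for this post (not Cisco's or the author's code); it parses a constructed excerpt of the configuration shown above and reports any mismatch that would break registration or reintroduce the asymmetric-routing problem.

```python
import re

# Constructed excerpt of the ASA 8.2 configuration from this post (not a live device).
ASA_CONFIG = """
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 192.168.2.227
phone-proxy ASA-phone-proxy
 tftp-server address 172.18.2.26 interface inside
static (inside,outside) 192.168.2.227 172.18.2.26 netmask 255.255.255.255
object-group service CUCM-PROXY-PORTS
 service-object tcp 2443
 service-object tcp 5061
 service-object tcp 3804
 service-object udp tftp
access-list phone-proxy-traffic permit object-group CUCM-PROXY-PORTS any host 192.168.2.227
nat (outside) 555 access-list phone-proxy-traffic outside
global (inside) 555 interface
class-map sec_sip
 match port tcp eq 5061
class-map sec_sccp
 match port tcp eq 2443
service-policy voice_policy interface outside
"""

def check_phone_proxy(config):
    """Return a list of findings; an empty list means every cross-reference is consistent."""
    findings = []
    # The static defines the public (mapped) and private (real) address of the TFTP/CUCM host.
    m = re.search(r"^static \(inside,outside\) (\S+) (\S+)", config, re.M)
    mapped, real = m.groups() if m else (None, None)
    # Phones learn the TFTP server from the CTL, so the record-entry must carry the mapped address.
    ctl = re.search(r"^ record-entry cucm-tftp .* address (\S+)", config, re.M)
    if not ctl or ctl.group(1) != mapped:
        findings.append("ctl-file cucm-tftp address must be the static's mapped address")
    # The ASA itself reaches TFTP on the inside, so phone-proxy must point at the real address.
    tftp = re.search(r"^ tftp-server address (\S+)", config, re.M)
    if not tftp or tftp.group(1) != real:
        findings.append("phone-proxy tftp-server must be the static's real (inside) address")
    # Every port the policy-map inspects must be in the outside-NAT ACL, or its return
    # traffic bypasses this ASA and is routed asymmetrically.
    nat_acl = re.search(r"^nat \(outside\) \d+ access-list (\S+) outside", config, re.M)
    acl = nat_acl and re.search(r"^access-list " + re.escape(nat_acl.group(1)) +
                                r" permit object-group (\S+)", config, re.M)
    ports = set(re.findall(r"^ service-object tcp (\d+)", config, re.M)) if acl else set()
    for port in re.findall(r"^ match port tcp eq (\d+)", config, re.M):
        if port not in ports:
            findings.append(f"inspected port {port} not covered by the outside NAT ACL")
    if not re.search(r"^service-policy \S+ interface outside", config, re.M):
        findings.append("voice policy is not applied to the outside interface")
    return findings

if __name__ == "__main__":
    print(check_phone_proxy(ASA_CONFIG) or "phone-proxy configuration is consistent")
```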
