Additionally, determine which certificates are installed on the IP phones. Verify that the list of installed certificates contains all required certificates for the phone proxy. Import any missing certificates onto the ASA. Step 4 If the steps above fail to resolve the issue, perform the following actions to obtain additional troubleshooting information for Cisco Support. Enter the following commands to capture additional debugging information for the phone proxy:
Enable the capture command on the inside and outside interfaces (facing the IP phones and the Cisco UCM) to enable packet capture for packet sniffing and network fault isolation.
See the command reference for information. Problem The TLS handshake succeeds, but signaling connections are failing.
Step 1 To see the ciphers being used by the phone proxy, enter the following command:
Step 2 To add the required ciphers, enter the following command:
The default is to have all algorithms available in the following order:
See the command reference for more information about setting ciphers with the ssl encryption command.
Problem The phone proxy is not functioning. Initial troubleshooting uncovered the following errors in the ASA syslogs:
Step 1 Determine which certificates are installed on the ASA by entering the following command:
Step 2 Verify that the list of installed certificates contains all required certificates for the phone proxy. Step 3 Import any missing certificates onto the ASA.
Solution The SSL encryption method might not be set correctly. Set the correct ciphers by completing the following procedure:
Problem Errors in the ASA log indicate that certificate validation errors occurred. Entering the show logging asdm command displayed the following errors:
The certificate information is shown under the Security Configuration menu.
Problem Entering the media-termination address command displays the following errors:
Solution Enter the following command to determine if the media-termination address in the phone proxy configuration is set correctly:
The following audio errors can occur when IP phones connect through the phone proxy. Problem The call signaling completes but there is one-way audio or no audio.
The following steps show how to recover the SAST keys and use them on the new hardware. The SAST keys can be seen with the show crypto key mypubkey rsa command.
Note Save this output somewhere secure. To import the SAST key, enter the following command:
Using the PKCS output you saved in Step 1, enter the following command and paste the output when prompted:
Create trustpoints for each Cisco UCM (primary and secondary). Figure shows an example of the configuration for a non-secure Cisco UCM cluster using the following topology. Figure shows an example of the configuration for a mixed-mode Cisco UCM cluster using the following topology.
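The SAST export and import described above, written out as an added example; this is not configuration taken from the original chapter. The trustpoint name pp_ctl_sast0 and the passphrase are assumptions: use the SAST trustpoint names your own ASA lists. The PKCS#12 blob contains the SAST private key, and whoever holds it can sign a CTL file that the phones will trust, so treat the saved output like a CA key: strong passphrase, restricted storage, delete copies after the migration.

```cisco
! Old ASA: confirm the SAST key pairs exist before migrating
hostname# show crypto key mypubkey rsa
! Old ASA: export the SAST trustpoint (certificate + private key) as PKCS#12.
! "pp_ctl_sast0" and "S3cure-Pa55phrase" are assumed values.
hostname(config)# crypto ca export pp_ctl_sast0 pkcs12 S3cure-Pa55phrase
! Save the printed base64 block somewhere secure; it is the CTL signing key.

! New ASA: import with the same passphrase, paste the saved block, end with "quit"
hostname(config)# crypto ca import pp_ctl_sast0 pkcs12 S3cure-Pa55phrase
! Verify the key pair and certificate are present on the new unit
hostname# show crypto key mypubkey rsa
hostname# show crypto ca certificates pp_ctl_sast0
```

Repeat the export/import for the second SAST trustpoint. If one SAST cannot be recovered, the chapter notes that the remaining one can still sign the CTL file; phones that only trust the lost SAST will need the re-signed CTL pushed to them.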
Figure shows an example of the configuration for a mixed-mode Cisco UCM cluster where LSC provisioning is required using the following topology. Note Doing LSC provisioning for remote IP phones is not recommended because it requires that the IP phones first register and they have to register in nonsecure mode.
If possible, LSC provisioning should be done inside the corporate network before giving the IP phones to the end-users. In this sample, the Cisco UCM cluster mode is nonsecure. Table lists the release history for this feature. The phone proxy feature was introduced.
The following new commands were introduced. The media-termination address command was changed to allow for NAT:
The rtp-min-port and rtp-max-ports keywords were removed from the command syntax and included as a separate command:
Updated: November 14, Chapter: Configuring the Cisco Phone Proxy. Configuring the Cisco Phone Proxy This chapter describes how to configure the adaptive security appliance for the Cisco Phone Proxy feature. Phone Proxy Functionality Telecommuters can connect their IP phones to the corporate IP telephony network over the Internet securely via the phone proxy without the need to connect over a VPN tunnel, as illustrated by Figure. Since the main purpose of the phone proxy is to make the phone behave securely while making calls to a nonsecure cluster, the phone proxy performs the following major functions: Creates the certificate trust list (CTL) file, which is used to perform certificate-based authentication with remote phones.
Modifies the IP phone configuration file when it is requested via TFTP, changes security fields from nonsecure to secure, and signs all files sent to the phone. These modifications secure remote phones by forcing the phones to perform encrypted signaling and media.
The following table shows the Unified Communications Proxy license details by platform: Note This feature is not available on No Payload Encryption models. ASA Base License: 2 sessions. Multiple media termination instances on the ASA are not supported.
Only one media-termination address can be configured per interface. For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or gateway, add routes to the media termination address on the ASA interface that the IP phones communicate with so that the phone can reach the media termination address. For information about the dns domain-lookup command and how to use it to configure DNS lookup, see the command reference.
Access List Rules If the phone proxy is deployed behind an existing firewall, access-list rules to permit signaling, TFTP requests, and media traffic to the phone proxy must be configured. See the following example topology for information about how to correctly set the IP address:
[Example topology figure: IP phones on the dmz, inside, and outside (Internet) sides of the ASA running the phone proxy (PP).]
In this example topology, the following IP addresses are set: Cisco UCM on the inside interface is set to
For example, if the static statements for the Cisco UCM are as follows: object network obj
Cisco IP Communicator Prerequisites To configure Cisco IP Communicator (CIPC) with the phone proxy, you must meet the following prerequisites: Include the cipc security-mode authenticated command under the phone-proxy command when configuring the phone proxy instance.
Configure null-sha1 as one of the SSL encryption ciphers. For example, use the following command to deny ICMP pings from any host destined for the media termination address: icmp deny any outside
End-User Phone Provisioning The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions.
Option 1 Recommended Stage the IP phones at corporate headquarters before sending them to the end users: The phones register inside the network.
IT ensures there are no issues with the phone configurations, image downloads, and registration. Advantages of this option are: Easier to troubleshoot and isolate problems with the network or phone proxy because you know whether the phone is registered and working with the Cisco UCM. Better user experience because the phone does not have to download firmware from over a broadband connection, which can be slow and require the user to wait for a longer time.
Option 2 Send the IP phone to the end user. Phone Proxy Guidelines and Limitations This section includes the following topics: General Guidelines and Limitations Media Termination Address Guidelines and Limitations General Guidelines and Limitations The phone proxy has the following general limitations: Only one phone proxy instance can be configured on the ASA by using the phone-proxy command.
See the command reference for information about the phone-proxy command. See also Creating the Phone Proxy Instance. The phone proxy only supports one Cisco UCM cluster. The phone proxy is not supported when the ASA is running in transparent mode or multiple context mode. When a remote IP phone calls an invalid internal or external extension, the phone proxy does not support playing the annunciator message from the Cisco UCM.
Instead, the remote IP phone plays a fast busy signal in place of the annunciator message "Your call cannot be completed". See your Cisco Unified Communications Manager (CallManager) documentation for information about setting this configuration option.
Media Termination Address Guidelines and Limitations The phone proxy has the following limitations relating to configuring the media-termination address: When configuring the media-termination address, the phone proxy does not support having internal IP phones (IP phones on the inside network) on a different network interface from the Cisco UCM unless the IP phones are forced to use the nonsecure Security mode.
If you decide to configure a media-termination address on interfaces (rather than using a global interface), you must configure a media-termination address on at least two interfaces (the inside and an outside interface) before applying the phone-proxy service policy.
The phone proxy can use only one type of media termination instance at a time; for example, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces, but not both.
Step 6 While configuring the phone proxy instance (in the Phone Proxy Configuration mode), enter the following command to configure the mode of the cluster to be mixed mode, because the default is nonsecure: hostname(config-phone-proxy)# cluster-mode mixed
Step 7 Enable the phone proxy with SIP and Skinny inspection.
Step 3 hostname(config-ca-trustpoint)# enrollment self Generates a self-signed certificate.
Step 5 hostname(config-ca-trustpoint)# exit Exits from the Configure Trustpoint mode.
What to Do Next Once you have created the trustpoints and generated the certificates, create the CTL file for the phone proxy.
Step 5 hostname(config-ctl-file)# no shutdown Creates the CTL file.
Step 6 hostname(config)# copy running-config startup-config Saves the certificate configuration to Flash memory.
What to Do Next When using an existing CTL file to configure the phone proxy, you can add additional entries to the file as necessary.
Step 4 hostname(config-ca-trustpoint)# proxy-ldc-issuer Defines the local CA role for the trustpoint to issue dynamic certificates for the TLS proxy.
Step 6 hostname(config-ca-trustpoint)# subject-name X.
Step 13 hostname(config-tlsp)# client cipher-suite cipher-suite Example: hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 Specifies the cipher suite.
Step 14 Exports the local CA certificate and installs it as a trusted certificate on the Cisco Unified Communications Manager server by performing one of the following actions.
Creating the Media Termination Instance Create the media termination instance that you will use in the phone proxy.
Step 3 (Optional) hostname(config-media-termination)# rtp-min-port port1 rtp-max-port port2 Specifies the minimum and maximum values for the RTP port range for the media termination instance.
What To Do Next Once you have created the media termination instance, create the phone proxy instance.
Creating the Phone Proxy Instance Create the phone proxy instance.
Step 8 hostname(config-phone-proxy)# no disable service-settings (Optional) Preserves the settings configured on the Cisco UCM for each IP phone configured.
Prerequisites You must have already created the phone proxy instance.
Step 2 hostname(config-cmap)# match port tcp eq Matches the TCP port to which you want to apply actions for secure Skinny inspection.
Step 3 hostname(config-cmap)# exit Exits from the Class Map configuration mode.
Step 5 hostname(config-cmap)# match port tcp eq Matches the TCP port to which you want to apply actions for secure SIP inspection.
Step 6 hostname(config-cmap)# exit Exits from the Class Map configuration mode.
Step 12 hostname(config-pmap-c)# exit Exits from Policy Map configuration mode.
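The trustpoint, CTL file, TLS proxy, media termination, phone proxy and service policy steps above, assembled into one working configuration as an added example; it is not configuration from the original chapter. Assumed values: Cisco UCM/TFTP server 192.168.1.2 on the inside, inside media-termination address 192.168.1.25, outside media-termination address 203.0.113.25, the CUCM and CAPF certificates already imported into trustpoints cucm_primary and capf, and a mixed-mode cluster. The names pp_ctl, pp_tls, pp_mta, pp, ldc_server and the key labels are chosen here; _internal_PP_pp_ctl is the server trustpoint the ASA derives from the CTL file name when the file is created.

```cisco
! 1. CTL file: one record per entity the phones must trust; "no shutdown" builds and signs the
!    file and creates the server trustpoint _internal_PP_pp_ctl used by the TLS proxy below.
hostname(config)# ctl-file pp_ctl
hostname(config-ctl-file)# record-entry cucm-tftp trustpoint cucm_primary address 192.168.1.2
hostname(config-ctl-file)# record-entry capf trustpoint capf address 192.168.1.2
hostname(config-ctl-file)# no shutdown
hostname(config-ctl-file)# exit

! 2. Local CA that issues the dynamic (LDC) client certificates the ASA presents to the Cisco UCM
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
hostname(config)# crypto key generate rsa label phone_common modulus 1024
hostname(config)# crypto ca trustpoint ldc_server
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# proxy-ldc-issuer
hostname(config-ca-trustpoint)# fqdn ldc-ca.example.net
hostname(config-ca-trustpoint)# subject-name cn=ASA_LDC_SIGNER
hostname(config-ca-trustpoint)# keypair ldc_signer_key
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto ca enroll ldc_server noconfirm
! Export the ldc_server certificate and install it on the Cisco UCM as a trusted certificate.

! 3. TLS proxy: terminate the phones' TLS with the CTL trustpoint, re-originate to CUCM with an LDC
hostname(config)# tls-proxy pp_tls
hostname(config-tlsp)# server trust-point _internal_PP_pp_ctl
hostname(config-tlsp)# client ldc issuer ldc_server
hostname(config-tlsp)# client ldc key-pair phone_common
hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1
hostname(config-tlsp)# exit

! 4. Media termination: one unused address per interface, inside that interface's subnet
hostname(config)# media-termination pp_mta
hostname(config-media-termination)# address 192.168.1.25 interface inside
hostname(config-media-termination)# address 203.0.113.25 interface outside
hostname(config-media-termination)# rtp-min-port 16384 rtp-max-port 32767
hostname(config-media-termination)# exit

! 5. Phone proxy instance tying the pieces together (default cluster-mode is nonsecure)
hostname(config)# phone-proxy pp
hostname(config-phone-proxy)# media-termination pp_mta
hostname(config-phone-proxy)# tftp-server address 192.168.1.2 interface inside
hostname(config-phone-proxy)# tls-proxy pp_tls
hostname(config-phone-proxy)# ctl-file pp_ctl
hostname(config-phone-proxy)# cluster-mode mixed
hostname(config-phone-proxy)# exit

! 6. Match secure Skinny (TCP 2443) and secure SIP (TCP 5061) and inspect through the proxy.
!    Once the service policy is applied, the phone proxy instance cannot be changed or removed.
hostname(config)# class-map sec_skinny
hostname(config-cmap)# match port tcp eq 2443
hostname(config-cmap)# exit
hostname(config)# class-map sec_sip
hostname(config-cmap)# match port tcp eq 5061
hostname(config-cmap)# exit
hostname(config)# policy-map pp_policy
hostname(config-pmap)# class sec_skinny
hostname(config-pmap-c)# inspect skinny phone-proxy pp
hostname(config-pmap-c)# exit
hostname(config-pmap)# class sec_sip
hostname(config-pmap-c)# inspect sip phone-proxy pp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy pp_policy interface outside
hostname(config)# copy running-config startup-config
! Verify the assembled instance before pointing phones at it
hostname# show running-config all phone-proxy
```

Order matters: the CTL file must exist before the TLS proxy references its trustpoint, and the media termination instance must exist before the phone proxy references it. Because step 6 freezes the instance, review the output of show running-config all phone-proxy before applying the service policy.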
Linksys Routers Step 1 From your web browser, connect to the router administrative web page.
UDP out
To show the configured service policies. Data like the following displays: RxType: G.
Under Security mode, make sure the IP phone is set to Encrypted. In the trustlist, verify the following: Make sure that there is an entry for each entity that the IP phone will need to contact. The device information appears in the page.
In the Device Logs section in the left pane, click Console Logs.
PP: Beginning of element tag is missing, got!
The following error appears in the debug output (debug phone-proxy tftp):
PP: error parsing config file
PP: Error modifying config file, dropping packet
Solution The phone proxy should parse only the IP phone configuration file.
Perform the following actions to troubleshoot this problem: Step 1 Reboot the IP phone.
The following errors appear in the debug output (debug phone-proxy tftp): PP: Client outside
When the IP phone does not request a signed file, the following error appears in the debug output (debug phone-proxy tftp errors): Error: phone requesting for unsigned config file
Solution Most likely, this error occurs because the IP phone has not successfully installed the CTL file from the ASA.
Enter the following command to determine if the media-termination address in the phone proxy configuration is set correctly: hostname(config)# show running-config all phone-proxy
a. Enable logging with the following command: hostname(config)# logging buffered debugging
b. To check the output from the syslogs captured by the logging buffered command, enter the following command: hostname# show logging
The syslogs will contain information showing when the IP phone is attempting the TLS handshake, which happens after the IP phone downloads its configuration file.
Step 2 Determine if the TLS proxy is configured correctly for the phone proxy: a. Determine which certificates are installed on the ASA by entering the following command: hostname# show running-config crypto Additionally, determine which certificates are installed on the IP phones.
No suitable trustpoint was found to validate chain.
Step 1 Determine which certificates are installed on the ASA by entering the following command: hostname# show running-config crypto Additionally, determine which certificates are installed on the IP phones.
Set the correct ciphers by completing the following procedure: Step 1 To see the ciphers being used by the phone proxy, enter the following command: hostname# show run all ssl
Step 2 To add the required ciphers, enter the following command: hostname(config)# ssl encryption
The default is to have all algorithms available in the following order: [3des-sha1] [des-sha1] [rc4-md5] [possibly others]
See the command reference for more information about setting ciphers with the ssl encryption command.
Entering the show logging asdm command displayed the following errors: 3 Jun 19 Certificate validation failed.
Two interfaces cannot be in the same subnet.
Media Failure for a Voice Call Problem The call signaling completes but there is one-way audio or no audio. Solution Problems with one-way or no audio might be caused by issues with media termination. Enter the following command to determine if the media-termination address in the phone proxy configuration is set correctly: hostname(config)# show running-config all phone-proxy
Base license: 3 one restricted Which realistically means 2. Released in The model comes in two separate licenses. These licenses are the base and the security plus. However, the security plus license has additional features. For example, a small business with 15 employees may start out with a Cisco ASA with a The problem I encounter is that it's easy to find the price for such an upgrade license.
For example, the CA Manufacturer certificate is required by the phone proxy to validate the IP phone certificate. If the phone proxy is deployed behind an existing firewall, access-list rules to permit signaling, TFTP requests, and media traffic to the phone proxy must be configured. Table lists the ports that are required to be configured on the existing firewall:.
Table Port Configuration Requirements. These are the default values and should be modified if they are modified on the Cisco UCM. This default value should be modified if it is modified on the Cisco UCM.
PAT Prerequisites. Reconfiguring the port might be necessary when the phone proxy deployment has more than one Cisco UCM and they must share the interface IP address or a global IP address. Note Both PAT configurations (for the nonsecure and secure ports) must be configured. See the following example topology for information about how to correctly set the IP address:
In this example topology, the following IP addresses are set:
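The static PAT the prerequisite above calls for, as an added example that is not from the original chapter. Assumed: Cisco UCM 192.168.1.2 on the inside shares the outside interface address, and a second Cisco UCM 192.168.1.3 sits behind the same address. Object names are chosen here. Each network object carries one NAT rule, so one object per mapped port is the pattern; the second CUCM must be mapped to different global ports because it cannot reuse 2000 and 2443 on the same address.

```cisco
! Nonsecure Skinny (TCP 2000) and secure Skinny (TCP 2443) for the first Cisco UCM;
! both mappings are required even if the cluster is mixed mode
hostname(config)# object network obj_cucm1_skinny
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static interface service tcp 2000 2000
hostname(config-network-object)# exit
hostname(config)# object network obj_cucm1_skinny_secure
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static interface service tcp 2443 2443
hostname(config-network-object)# exit

! Second Cisco UCM sharing the outside address: real ports stay 2000/2443, global ports differ,
! which is the "reconfiguring the port" case. The phones must then be told to use 2001/2444.
hostname(config)# object network obj_cucm2_skinny
hostname(config-network-object)# host 192.168.1.3
hostname(config-network-object)# nat (inside,outside) static interface service tcp 2000 2001
hostname(config-network-object)# exit
hostname(config)# object network obj_cucm2_skinny_secure
hostname(config-network-object)# host 192.168.1.3
hostname(config-network-object)# nat (inside,outside) static interface service tcp 2443 2444
hostname(config-network-object)# exit

! Confirm every nonsecure/secure pair is present before testing a phone
hostname# show nat detail
```

Use the same pattern for SIP (5060/5061) and TFTP (udp 69) when phones reach those services through the shared address.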
For example, if the static statements for the Cisco UCM are as follows:
To add the null-sha1 cipher, use the show run all ssl command to see the output for the ssl encryption command and add null-sha1 to the end of the SSL encryption list.
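The cipher procedure (show run all ssl, then ssl encryption) and the null-sha1 requirement for CIPC, shown before and after as an added example; this is not configuration from the original chapter. null-sha1 authenticates but does not encrypt, which is exactly what CIPC in authenticated mode negotiates, so it belongs at the end of the list where a client that offers anything stronger never lands on it. On the releases this chapter covers the ssl encryption list is global to the ASA's SSL/TLS services, so the same list is offered to ASDM and WebVPN clients; keep that in mind before adding null-sha1 at all.

```cisco
! Inspect the active list first
hostname# show run all ssl

! Before: defaults left in place. des-sha1 and rc4-md5 are weak, and CIPC in authenticated
! mode cannot complete the handshake because null-sha1 is absent.
hostname(config)# ssl encryption 3des-sha1 des-sha1 rc4-md5

! After: AES preferred, 3des-sha1 kept for older phone firmware, DES and RC4 removed,
! null-sha1 appended last so it is selected only when a client offers nothing stronger
hostname(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1 null-sha1

! Confirm the order the ASA will now use
hostname(config)# show run all ssl
```

After changing the list, re-run the failing phone's TLS handshake and check show logging; a handshake that now completes with a phone that previously failed confirms the missing cipher was the cause.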
See the command reference for information about using the police command. When traffic exceeds the maximum rate, the ASA drops the excess traffic.
Policing also sets the largest single burst of traffic allowed. The following example describes how you configure rate limiting for TFTP requests by using the police command and the Modular Policy Framework. Begin by determining the conformance rate that is required for the phone proxy. To determine the conformance rate, use the following formula:
To control which hosts can ping the media termination address, create an ICMP rule.
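The TFTP rate limiting and the ICMP rule described above (and the icmp deny any outside example given earlier for CIPC deployments), as one added example that is not configuration from the original chapter. Assumed: Cisco UCM/TFTP server 192.168.1.2 on the inside, remote phones arriving on the outside, a monitoring host 198.51.100.10 that is allowed to ping, and placeholder policer values of 56000 bps with a 10500-byte burst; derive your own conformance rate from the number of phones expected to register at the same time rather than copying these numbers.

```cisco
! TFTP requests toward the Cisco UCM TFTP server (assumed 192.168.1.2)
hostname(config)# access-list tftp_req extended permit udp any host 192.168.1.2 eq tftp
hostname(config)# class-map tftp_class
hostname(config-cmap)# match access-list tftp_req
hostname(config-cmap)# exit
hostname(config)# policy-map tftp_police
hostname(config-pmap)# class tftp_class
! police output: limit the requests as they leave the inside interface toward the TFTP server;
! traffic above 56000 bps (burst 10500 bytes, both placeholder values) is dropped
hostname(config-pmap-c)# police output 56000 10500
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! An interface accepts only one service policy: if the inside interface already has one,
! add tftp_class to that policy map instead of applying a second policy
hostname(config)# service-policy tftp_police interface inside
! conformed vs exceeded counters show whether legitimate registrations are being dropped
hostname# show service-policy police

! ICMP to the media termination address: rules are evaluated in order, so permit the
! monitoring host first, then deny everyone else on the outside interface
hostname(config)# icmp permit host 198.51.100.10 echo outside
hostname(config)# icmp deny any outside
hostname# show running-config icmp
```

Watch the exceeded counter after a mass phone reboot: a non-zero value that keeps climbing means the conformance rate is below what the phone population needs, and phones will retry TFTP until it is raised.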
The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. Stage the IP phones at corporate headquarters before sending them to the end users:. Send the IP phone to the end user.
The phone proxy has the following general limitations:
The phone proxy has the following limitations relating to configuring the media-termination address:
If the Cisco UCM and the internal IP phones must be on different network interfaces, you must add routes for the internal IP phones to access the network interface of the media-termination address where the Cisco UCM resides. When the phone proxy is configured to use a global media-termination address, all IP phones see the same global address, which is a publicly routable address.
Note This feature is not supported for the Adaptive Security Appliance version 8. Configuring the Phone Proxy requires the following steps:
Step 1: Create the CTL file. Step 3: Create the Phone Proxy instance. Step 4: Configure the media termination address for the Phone Proxy. See Creating the Media Termination Instance. Additionally, once a Phone Proxy is applied to a service policy rule, the Phone Proxy cannot be changed or removed.
Specify the certificates needed by creating a new CTL file or by specifying the path of an existing CTL file to parse from Flash memory. The certificates are used in creating the CTL file. The Add Record Entry dialog box opens.
The default is 2. This key can be generated on the ASA. A SAST is created as a self-signed certificate. In case a SAST is not recoverable, the other one can be used to sign the file later. Note You can edit an entry in the CTL file by using the Edit Record Entry dialog box; however, changing a setting in this dialog box does not change related settings for the phone proxy. For example, editing the IP address for the CUCM or TFTP servers in this dialog changes the setting only in the CTL file and does not change the actual addresses of those servers or update the address translations required by the phone proxy.
To modify CTL file settings, we strongly recommend you re-run the Unified Communications Wizard to edit CTL file settings and ensure proper synchronization with all phone proxy settings. Add additional record-entry configurations for each entity that is required in the CTL file. Step 3 In the Type field, specify the type of trustpoint to create: Step 4 In the Host field, specify the IP address of the trustpoint. You can create a new Identity Certificate by clicking Manage. The Manage Identity Certificates dialog box opens.
Choose the best option based on the requirements for configuring the CTL file. The domain name should be configured when the FQDN is not configured for the trustpoint.
Only one domain-name can be specified. Add an entry for each of the outside interfaces on the ASA into your DNS server, if such entries are not already present.
Create the media termination instance that you will use in the phone proxy. The media termination address you configure must meet the requirements as described in Media Termination Instance Prerequisites.