Archive for the ‘CUPP’ Category

Cisco ASA Phone Proxy Configuration

Sunday, June 21st, 2009

So, I am seeing a lot of Cisco phone proxy installs lately and thought I’d put together a quick cheat sheet for the configuration that you will see in 99% of your installs. This, of course, is the case where you are not encrypting voice on the internal side, so no fancy CAPF CTL to CM junk. The config is actually rather basic in this scenario (when you know what you are doing and understand the components involved).

Prerequisites:

  • ASA 8.0.4 code release
  • ASA already configured and working as basic firewall with inside and outside connectivity.
  • A minimum of 2 Global (external) IP addresses for this feature
  • Basic ASA configuration knowledge
  • Basic Cisco Communications Manager knowledge
  • > 2 working braincells

IP Configuration:

  • Internal CM address    192.168.1.1 (required)
  • Internal CM address    192.168.1.2 (optional)
  • External TFTP Address #1  1.1.1.1 (required)
  • External TFTP Address #2  2.2.2.2 (optional)
  • External Media Address 3.3.3.3 (required and must be dedicated to this feature)
  • External phones must be pointing to external TFTP IP address(es) as configured by ASA.

Config:

The configuration below includes the extra input as required. A show run will not show all of these commands and will additionally show auto-generated configuration that is part of this config but not seen below (for more details, see prerequisites #4 and #6). Additionally, this config does not show you how to get the URL functions of the phone working (Enterprise Parameters setup in CM). That usually involves one of the following 2 configs: a reverse HTTP proxy to CM that you point the IP phones to (more secure, requires an HTTP reverse proxy server); or a pinhole in the ASA (port forward) to point the external address ports to the internal HTTP ports on the CM server (less secure).

So on to the ASA config…


UCCM Phone Proxy on ASA

Sunday, September 21st, 2008

Metreos was purchased by Cisco not too long ago for a phone proxy appliance that sat in a DMZ to allow IP phones to register across the internet to your call manager (err, communications manager) cluster without the use of any VPN appliance and without exposing your CM to the internet. Cisco rebranded the appliance and sold it for a short period of time as the Cisco Unified Phone Proxy. August saw the release of ASA code 8.04, which now includes this functionality and replaces this appliance. This is a licensed feature that you purchase according to the number of proxied connections you require; however, the ASA allows 2 connections for testing without any additional licensing. Alternatively, you can purchase a secure CM bundle that includes the ASA and proxy licenses along with CM. The license is called “UC Proxy Session”. It’s notable that even the low-end IP Base version of the ASA 5505 has this functionality, which is what I am using to test this out myself.

To configure this, simply head to your ASDM, navigate to Configuration/Advanced/Encrypted-Traffic-Inspection/Phone-Proxy and run through the fields. It’s very straightforward. For those looking to go CLI or wanting more details, navigate here for the official documentation.