Cisco ASA Phone Proxy Configuration

June 21st, 2009

So, I am seeing a lot of Cisco phone proxy installs lately and thought I’d put together a quick cheat sheet for the configuration you will see in 99% of installs. This is the case where voice is not encrypted on the internal side (CM cluster in non-secure mode), so there is no CAPF/CTL setup on the CM to deal with: the ASA terminates the TLS signaling and SRTP media coming from the external phones and hands clear signaling and RTP to the CM. The config is actually rather basic in this scenario (when you know what you are doing and understand the components involved).

Prerequisites:

  • ASA 8.0.4 code release (later releases such as 8.2 changed some of these commands; see the comments below)
  • ASA already configured and working as basic firewall with inside and outside connectivity.
  • A minimum of 2 Global (external) IP addresses for this feature
  • Basic ASA configuration knowledge
  • Basic Cisco Communications Manager knowledge
  • > 2 working braincells

IP Configuration:

  • Internal CM address    192.168.1.1 (required)
  • Internal CM address    192.168.1.2 (optional)
  • External TFTP Address #1  1.1.1.1 (required)
  • External TFTP Address #2  2.2.2.2 (optional)
  • External Media Address 3.3.3.3 (required and must be dedicated to this feature)
  • External phones must point at the external TFTP address(es) that the ASA exposes (1.1.1.1 and 2.2.2.2 above), not at the internal CM addresses.

Config:

The configuration below includes the extra input the CLI prompts for. A show run will not show all of these commands, and it will additionally show auto-generated configuration that belongs to this feature but is not listed here (for more details, see prerequisites #4 and #6). This config also does not show you how to get the URL services on the phone working (Enterprise Parameters setup in CM). That usually takes one of two approaches: a reverse HTTP proxy in front of the CM that you point the IP phones at (more secure, requires an HTTP reverse proxy server), or a pinhole in the ASA (port forward) from the external address to the HTTP ports on the CM server (less secure, since it exposes the CM web services directly). See the proxy-server command discussed in the comments as well.

So on to the ASA config…

Create the static NAT entries and access list for TFTP to the CM(s). These lines need to be merged into your existing firewall configuration (you almost certainly already have an access-group on the outside interface) and should not be pasted in line for line.

static (inside,outside) 1.1.1.1 192.168.1.1
static (inside,outside) 2.2.2.2 192.168.1.2
access-list pp extended permit udp any host 1.1.1.1 eq 69
access-list pp extended permit udp any host 2.2.2.2 eq 69
access-group pp in interface outside

Validate that SSL 3DES is enabled (it should be on by default if the 3DES license was installed when the software was first loaded, but see the last comment below for a box where it was not). The phones need 3des-sha1 in this list. Note that the list as shown also enables null-sha1, which is TLS with no encryption at all, plus single-DES and RC4 suites; drop those unless something else on the box depends on them.

ssl encryption 3des-sha1 des-sha1 rc4-md5 aes256-sha1 aes128-sha1 null-sha1 rc4-sha1

Generate the RSA keypair that both self-signed trustpoints below will share. A 1024-bit modulus was the norm when this was written; use 2048 where your release and phone firmware accept it.

crypto key generate rsa label proxy_key modulus 1024

Generate the CA trustpoints (one for the publisher, one for the subscriber). The name on the crypto ca enroll line must match the trustpoint you just created, otherwise you get “ERROR: CA server trustpoint ‘…’ is not known” (see comment 11 below). The no/yes lines are the answers to the enrollment prompts: do not include the device serial number in the subject name, and do generate the self-signed certificate.

crypto ca trustpoint pp_pub_trustpoint
enrollment self
keypair proxy_key
exit
crypto ca enroll pp_pub_trustpoint
no
yes

crypto ca trustpoint pp_sub_trustpoint
enrollment self
keypair proxy_key
exit
crypto ca enroll pp_sub_trustpoint
no
yes

Add the three Cisco manufacturing CA certificates to the ASA. These are the CAs that issue the phones’ Manufacturer Installed Certificates (MICs); the ASA needs them to validate the phones, and the same three are used on every install, so they can be copied and pasted as is. They do have fixed validity periods, so check the notAfter date on each before relying on a pasted copy.

crypto ca trustpoint CAP-RTP-001_trustpoint
enrollment terminal
exit
crypto ca authenticate CAP-RTP-001_trustpoint
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIQdhL5YBU9b59OQiAgMrcjVjANBgkqhkiG9w0BAQUFADAu
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtDQVAtUlRQLTAwMTAe
Fw0wMzAyMDYyMzI3MTNaFw0yMzAyMDYyMzM2MzRaMC4xFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAMTC0NBUC1SVFAtMDAxMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEArFW77Rjem4cJ/7yPLVCauDohwZZ/3qf0sJaWlLeAzBlq
Rj2lFlSij0ddkDtfEEo9VKmBOJsvx6xJlWJiuBwUMDhTRbsuJz+npkaGBXPOXJmN
Vd54qlpc/hQDfWlbrIFkCcYhHws7vwnPsLuy1Kw2L2cP0UXxYghSsx8H4vGqdPFQ
NnYy7aKJ43SvDFt4zn37n8jrvlRuz0x3mdbcBEdHbA825Yo7a8sk12tshMJ/YdMm
vny0pmDNZXmeHjqEgVO3UFUn6GVCO+K1y1dUU1qpYJNYtqLkqj7wgccGjsHdHr3a
U+bw1uLgSGsQnxMWeMaWo8+6hMxwlANPweufgZMaywIBA6OBwzCBwDALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6Rexgscfz6ypG270qSac
cK4FoJowbwYDVR0fBGgwZjBkoGKgYIYtaHR0cDovL2NhcC1ydHAtMDAxL0NlcnRF
bnJvbGwvQ0FQLVJUUC0wMDEuY3Jshi9maWxlOi8vXFxjYXAtcnRwLTAwMVxDZXJ0
RW5yb2xsXENBUC1SVFAtMDAxLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG
9w0BAQUFAAOCAQEAq2T96/YMMtw2Dw4QX+F1+g1XSrUCrNyjx7vtFaRDHyB+kobw
dwkpohfkzfTyYpJELzV1r+kMRoyuZ7oIqqccEroMDnnmeApc+BRGbDJqS1Zzk4OA
c6Ea7fm53nQRlcSPmUVLjDBzKYDNbnEjizptaIC5fgB/S9S6C1q0YpTZFn5tjUjy
WXzeYSXPrcxb0UH7IQJ1ogpONAAUKLoPaZU7tVDSH3hD4+VjmLyysaLUhksGFrrN
phzZrsVVilK17qpqCPllKLGAS4fSbkruq3r/6S/SpXS6/gAoljBKixP7ZW2PxgCU
1aU9cURLPO95NDOFN3jBk3Sips7cVidcogowPQ==
-----END CERTIFICATE-----
quit
yes
crypto ca trustpoint CAP-RTP-002_trustpoint
enrollment terminal
exit
crypto ca authenticate CAP-RTP-002_trustpoint
-----BEGIN CERTIFICATE-----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x9yuPq388C18HWdmCj4OVTXux
V6Y47H1yv/GJM8FvdgvKlExbGTFnlHpPiaG9tQ==
-----END CERTIFICATE-----
quit
yes
crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
enrollment terminal
exit
crypto ca authenticate Cisco_Manufacturing_CA_trustpoint
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
quit
yes
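Added example (not from the post and not Cisco code): a dependency-free DER reader that pulls the subject, issuer and validity period out of a PEM certificate, run against the CAP-RTP-001 certificate pasted above (copied verbatim, with the base64 ‘x’ that the page rendered as a multiplication sign restored). It only reads the fields and does not verify the signature. Decoding the validity field shows the certificate ran from 2003-02-06 to 2023-02-06, so on a current install this root has expired; what the ASA and the phone firmware do with an expired manufacturing CA is release-dependent and not something this script can tell you.

```python
"""Read subject, issuer and validity out of a PEM certificate with no third-party
library, so the CA certs pasted into the ASA can be checked before trusting them."""
import base64
from datetime import datetime, timezone

# CAP-RTP-001 as pasted in the post above (the '0x3' on one line is a base64 'x').
CAP_RTP_001_PEM = """-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIQdhL5YBU9b59OQiAgMrcjVjANBgkqhkiG9w0BAQUFADAu
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRQwEgYDVQQDEwtDQVAtUlRQLTAwMTAe
Fw0wMzAyMDYyMzI3MTNaFw0yMzAyMDYyMzM2MzRaMC4xFjAUBgNVBAoTDUNpc2Nv
IFN5c3RlbXMxFDASBgNVBAMTC0NBUC1SVFAtMDAxMIIBIDANBgkqhkiG9w0BAQEF
AAOCAQ0AMIIBCAKCAQEArFW77Rjem4cJ/7yPLVCauDohwZZ/3qf0sJaWlLeAzBlq
Rj2lFlSij0ddkDtfEEo9VKmBOJsvx6xJlWJiuBwUMDhTRbsuJz+npkaGBXPOXJmN
Vd54qlpc/hQDfWlbrIFkCcYhHws7vwnPsLuy1Kw2L2cP0UXxYghSsx8H4vGqdPFQ
NnYy7aKJ43SvDFt4zn37n8jrvlRuz0x3mdbcBEdHbA825Yo7a8sk12tshMJ/YdMm
vny0pmDNZXmeHjqEgVO3UFUn6GVCO+K1y1dUU1qpYJNYtqLkqj7wgccGjsHdHr3a
U+bw1uLgSGsQnxMWeMaWo8+6hMxwlANPweufgZMaywIBA6OBwzCBwDALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6Rexgscfz6ypG270qSac
cK4FoJowbwYDVR0fBGgwZjBkoGKgYIYtaHR0cDovL2NhcC1ydHAtMDAxL0NlcnRF
bnJvbGwvQ0FQLVJUUC0wMDEuY3Jshi9maWxlOi8vXFxjYXAtcnRwLTAwMVxDZXJ0
RW5yb2xsXENBUC1SVFAtMDAxLmNybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG
9w0BAQUFAAOCAQEAq2T96/YMMtw2Dw4QX+F1+g1XSrUCrNyjx7vtFaRDHyB+kobw
dwkpohfkzfTyYpJELzV1r+kMRoyuZ7oIqqccEroMDnnmeApc+BRGbDJqS1Zzk4OA
c6Ea7fm53nQRlcSPmUVLjDBzKYDNbnEjizptaIC5fgB/S9S6C1q0YpTZFn5tjUjy
WXzeYSXPrcxb0UH7IQJ1ogpONAAUKLoPaZU7tVDSH3hD4+VjmLyysaLUhksGFrrN
phzZrsVVilK17qpqCPllKLGAS4fSbkruq3r/6S/SpXS6/gAoljBKixP7ZW2PxgCU
1aU9cURLPO95NDOFN3jBk3Sips7cVidcogowPQ==
-----END CERTIFICATE-----"""

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.strip().startswith("-----"))
    return base64.b64decode(body, validate=True)


def tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def parse_name(buf, start, end):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value } -> {'CN': ..., 'O': ...}."""
    name = {}
    for _, rs, re_ in children(buf, start, end):            # each RDN (SET)
        for _, as_, ae in children(buf, rs, re_):           # each attribute (SEQUENCE)
            (_, os_, oe), (_, vs, ve) = list(children(buf, as_, ae))[:2]
            name[OID_NAMES.get(buf[os_:oe], buf[os_:oe].hex())] = buf[vs:ve].decode("latin-1")
    return name


def parse_time(buf, tag, vs, ve):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(buf[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(der):
    tag, cs, ce = tlv(der, 0)
    if tag != 0x30 or ce != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, ts, te = tlv(der, cs)                                # tbsCertificate
    fields = list(children(der, ts, te))
    if fields[0][0] == 0xA0:                                # explicit [0] version is optional
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    nb, na = list(children(der, validity[1], validity[2]))
    return {
        "serial": der[serial[1]:serial[2]].hex(),
        "issuer": parse_name(der, issuer[1], issuer[2]),
        "subject": parse_name(der, subject[1], subject[2]),
        "not_before": parse_time(der, *nb),
        "not_after": parse_time(der, *na),
    }


def validity_status(cert, now=None):
    now = now or datetime.now(timezone.utc)
    if now < cert["not_before"]:
        return "not yet valid"
    return "expired" if now > cert["not_after"] else "valid"


if __name__ == "__main__":
    c = parse_certificate(pem_to_der(CAP_RTP_001_PEM))
    print(c["subject"], "self-signed" if c["issuer"] == c["subject"] else "issued by", c["issuer"])
    print(c["not_before"], "to", c["not_after"], validity_status(c))
```

Paste any of the other two manufacturing certificates into the same string to read their dates; the reader stops after the subject, so it does not care about the key or extensions.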

Create the ASA CTL file. Add a record for each CallManager that is exposed for external connections, using the external (static) address the phones will see. Use “cucm-tftp” for servers that are both CM and TFTP, and “cucm” or “tftp” for servers that only do one. This example assumes both CMs are also running TFTP.

ctl-file ctl_phoneproxy_file
record-entry cucm-tftp trustpoint pp_pub_trustpoint address 1.1.1.1
record-entry cucm-tftp trustpoint pp_sub_trustpoint address 2.2.2.2
no shutdown

Create the TLS proxy and point it at the trustpoint the CTL file generated for you (_internal_PP_ followed by the ctl-file name).

tls-proxy ASA-tls-proxy
no server authenticate-client
server trust-point _internal_PP_ctl_phoneproxy_file

Create the phone proxy. Specify the single dedicated media-termination address and the internal servers running TFTP (with the nameif of the interface they sit behind), then reference the TLS proxy and CTL file from above.

phone-proxy ASA-phone-proxy
media-termination address 3.3.3.3
tftp-server address 192.168.1.1 interface inside
tftp-server address 192.168.1.2 interface inside
tls-proxy ASA-tls-proxy
cipc security-mode authenticated
ctl-file ctl_phoneproxy_file
no disable service-settings

The following three sections will need to be added to any existing policies and typically should not be added line for line.

Create Class maps to match SIP and/or SCCP traffic

class-map sec_sip
match port tcp eq 5061
class-map sec_sccp
match port tcp eq 2443
class-map inspection_default
match default-inspection-traffic

Create Policy Map and assign inspectors

policy-map voice_policy
class sec_sccp
inspect skinny phone-proxy ASA-phone-proxy
class sec_sip
inspect sip phone-proxy ASA-phone-proxy

Assign service policy to outside interface.

service-policy voice_policy interface outside

Diagnostics & Debugging:

These show the status of the TLS proxy and the phone proxy:

show tls-proxy
show phone-proxy

This command shows whether the phones are negotiating the proxy on the outside. You should see the MAC address and IP of every phone.

show phone-proxy secure-phones

This command shows the phones that have successfully negotiated the TLS proxy.

show tls-proxy sessions

This command shows whether the phones are registered with CallManager.

show phone-proxy signaling-sessions

This command shows the phones that are sending RTP through the proxy.

show phone-proxy media-sessions

This shows certificate (CA) negotiation.

debug crypto ca

This shows the TLS negotiation.

debug inspect tls-proxy

These show the corresponding phone-proxy negotiation; the tftp one is useful for verifying that the phones are actually downloading the TFTP files.

debug phone-proxy media
debug phone-proxy signaling
debug phone-proxy tftp

For last-ditch troubleshooting take a look at the syslog output (show logging, with logging buffered set to a verbose enough level). This has saved me on numerous occasions.


15 Responses to “Cisco ASA Phone Proxy Configuration”

  1. pilotmike Says:

    Don’t forget your proxy-server command in your phone-proxy section of your ASA config (example: proxy-server 192.168.1.2 interface inside) or your corp directory or other web services on the phone will fail to work.

  2. CCIE Quest Says:

    7 Easy Steps to setup Cisco ASA Phone Proxy…

    Phone Proxy is a superset of TLS proxy where not only signaling but also media is secured for communication. It supports a Cisco UCM cluster in mixed mode or nonsecure mode. Configuration that I will show here will have UCM cluster in non-secure mode. TL…

  3. david Says:

    Is there a way to make this redundant with another ASA setup at another site?

  4. Angry Cisco Guy Says:

    yes, a second asa can be used to make this redundant. Just be advised that you need to duplicate all the licensing. You would specify an alternate tftp server on the external ip phone that is assigned to the second asa.

  5. tim Says:

    Is the phone proxy included in every ASA, or need to purchase separately..

  6. Angry Cisco Guy Says:

    It’s licensed per session. Licenses for 2 phone proxy sessions are included with every asa that is running the newest firmware. Additional sessions can be purchased through additional licensing. Again be sure to review the session caveats if looking for redundancy in cm servers or asa as that can double or quadruple the license count per device.

  7. Issac Maez Says:

    Thanks for this post, answers a bunch of questions I was having.

  8. Tim Says:

    I’m stuck here:

    ctl-file ctl_phoneproxy_file

    Is not taking the ctl-file command, the only options for ctl I have is ctl-provider…

    Anyone ?

    Thx
    Tim

  9. Angry Cisco Guy Says:

    Make sure you are running the same asa version as specified in the example. If you are running the newer 8.2 version of ASA the commands have slightly changed.

  10. tim Says:

    Actually I am using the 8.2 version.. I’ll downgrade to 8.0.4..

    Thanks

  11. Tim Says:

    It seems I can’t get it straight.. It must be long hours of trying this ..

    asa(config-ca-trustpoint)# crypto ca enroll phoneproxy_trustpoint
    ERROR: CA server trustpoint ‘phoneproxy_trustpoint’ is not known.
    asa(config)#

  12. Tim Says:

    Nahh this thing isn’t going for me well..

  13. Steve Says:

    Finally got the Services/Directory/Ext Mob working after searching high and low, in the end resorted to trial and error…

    My Setup
    CUCM Internal IP: 192.168.31.5
    CUCM External IP: 1.2.3.4

    This is what worked for me.
    proxy-server 1.2.3.4 interface inside

    So that is the external IP combined with the internal interface.

    Hope this helps someone.

  14. Mike Says:

    FYI,
    Cisco does not publish this little fact anywhere but you can’t setup a second ASA when you are using the local CA. It’s the first thing that fails when you try to setup your redundant ASA. I went back and forth with TAC until they finally found an internal email that stated this will not work and they have no plans of fixing. You can do it but you have to use 3rd party certs.

  15. Cornloaf Says:

    Wow… I have successfully set up the ASA Phone Proxy so many times for clients but I was having a heck of a time when trying to set it up for my own network. I was configuring it on my ASA5510 running 8.2 code and for some reason the phones would get all the firmware files, download the CTL file, and then just sit on “registering”. Sometimes they would reboot and download all the files again. I had all the commands in notepad to quickly remove every trace of Phone Proxy and then I would start all over (via ASDM and CLI) and it would fail. I came across your site and looked over all your lines of config thinking to myself “yeah… yeah… did that… yeah… pfff… did that…” and then my brain told me to back up and look at one of your first lines:

    ssl encryption 3des-sha1 des-sha1 rc4-md5 aes256-sha1 aes128-sha1 null-sha1 rc4-sha1

    I entered the command and immediately my phone went to screensaver. It’s working! IT’S F’ING WORKING!

    No idea why my device did not have this command. It came directly from Cisco with 3DES already active. Anyway, thanks for posting this, it really saved me lots of time!
