Creating the tls proxy instance, Creating – Cisco ASA 5505 User Manual

Page 1080

Advertising
background image

51-12

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 51 Configuring Cisco Unified Presence

Configuring Cisco Unified Presence Proxy for SIP Federation

What to Do Next

Once you have created the trustpoints and installed the certificates for the local and remote entities on
the ASA, create the TLS proxy instance. See

Creating the TLS Proxy Instance, page 51-12

.

Creating the TLS Proxy Instance

Because either server can initiate the TLS handshake (unlike IP Telephony or Cisco Unified Mobility,
where only the clients initiate the TLS handshake), you must configure by-directional TLS proxy rules.
Each enterprise can have an ASA as the TLS proxy.

Create TLS proxy instances for the local and remote entity initiated connections respectively. The entity
that initiates the TLS connection is in the role of “TLS client”. Because the TLS proxy has a strict
definition of “client” and “server” proxy, two TLS proxy instances must be defined if either of the
entities could initiate the connection.

Command

Purpose

Step 1

! Local entity to remote entity

hostname(config)# tls-proxy proxy_name

Example:

hostname(config)# tls-proxy ent_x_to_y

Creates the TLS proxy instance.

Step 2

hostname(config-tlsp)# server trust-point proxy_name

Example:

hostname(config-tlsp)# server trust-point

ent_y_proxy

Specifies the proxy trustpoint certificate presented
during TLS handshake.

The certificate must be owned by the ASA (identity
certificate).

Where the proxy_name for the server trust-point
command is the remote entity proxy name.

Step 3

hostname(config-tlsp)# client trust-point

proxy_trustpoint

Example:

hostname(config-tlsp)# client trust-point

ent_x_proxy

Specifies the trustpoint and associated certificate
that the ASA uses in the TLS handshake when the
ASA assumes the role of the TLS client.

The certificate must be owned by the ASA (identity
certificate).

Where the proxy_trustpoint for the client
trust-point
command is the local entity proxy.

Step 4

hostname(config-tlsp)# client cipher-suite

cipher_suite

Example:

hostname(config-tlsp)# client cipher-suite

aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Specifies cipher suite configuration.

For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite.

Step 5

! Remote entity to local entity

hostname(config)# tls-proxy proxy_name

Example:

tls-proxy ent_y_to_x

Creates the TLS proxy instance.

Step 6

hostname(config-tlsp)# server trust-point proxy_name

Example:

hostname(config-tlsp)# server trust-point

ent_x_proxy

Specifies the proxy trustpoint certificate presented
during TLS handshake.

Where the proxy_name for the server trust-point
command is the local entity proxy name

Advertising