Creating the tls proxy – Cisco ASA 5505 User Manual

52-24

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 52 Configuring Cisco Intercompany Media Engine Proxy

Configuring Cisco Intercompany Media Engine Proxy

Creating the TLS Proxy

Because either enterprise, namely the local or remote Cisco UCM servers, can initiate the TLS
handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS
handshake), you must configure by-directional TLS proxy rules. Each enterprise can have an ASA as the
TLS proxy.

Create TLS proxy instances for the local and remote entity initiated connections respectively. The entity
that initiates the TLS connection is in the role of “TLS client.” Because the TLS proxy has a strict
definition of “client” and “server” proxy, two TLS proxy instances must be defined if either of the
entities could initiate the connection.

The example command lines in this task are based on a basic (in-line) deployment. See

Figure 52-6 on

page 52-11

for an illustration explaining the example command lines in this task.

To create the TLS proxy, perform the following steps:

Command

Purpose

Step 1

hostname(config)# tls-proxy proxy_name

Example:

hostname(config)# tls-proxy local_to_remote-ent

Creates the TLS proxy for the outbound
connections.

Step 2

hostname(config-tlsp)# client trust-point

proxy_trustpoint

Example:

hostname(config-tlsp)# client trust-point local-ent

For outbound connections, specifies the trustpoint
and associated certificate that the adaptive security
appliance uses in the TLS handshake when the
adaptive security appliance assumes the role of the
TLS client. The certificate must be owned by the
adaptive security appliance (identity certificate).

Where proxy_trustpoint specifies the trustpoint
defined by the crypto ca trustpoint command in

Step 2

in

“Creating Trustpoints and Generating

Certificates” section on page 52-21

.

Step 3

hostname(config-tlsp)# client cipher-suite

cipher_suite

Example:

hostname(config-tlsp)# client cipher-suite

aes128-sha1 aes256-sha1 3des-sha1 null-sha1

For outbound connections, controls the TLS
handshake parameter for the cipher suite.

Where

cipher_suite

includes des-sha1, 3des-sha1,

aes128-sha1, aes256-sha1, or null-sha1.

For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite, or the one defined by the ssl
encryption command. Use this command to achieve
difference ciphers between the two TLS sessions.
You should use AES ciphers with the Cisco UCM
server.

Step 4

hostname(config-tlsp)# exit

Exits from the TLS proxy configuration mode.

Step 5

hostname(config)# tls-proxy proxy_name

Example:

hostname(config)# tls-proxy remote_to_local-ent

Create the TLS proxy for inbound connections.