Configuring the phone proxy – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 48 Configuring the Cisco Phone Proxy

Configuring the Phone Proxy

Two SIP IP phones: both in non-secure mode

Two SCCP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in
authenticated mode, or both in encrypted mode

Two SIP IP phones: one IP phone in authenticated mode and one in encrypted mode, both in
authenticated mode, or both in encrypted mode

Two SCCP IP phones: both in non-secure mode

This limitation results from the way the application-redirect rules (rules that convert TLS to TCP)
are created for the IP phones.

Media Termination Address Guidelines and Limitations

The phone proxy has the following limitations relating to configuring the media-termination address:

When configuring the media-termination address, the phone proxy does not support internal
IP phones (IP phones on the inside network) being on a different network interface from the Cisco
UCM unless the IP phones are forced to use the non-secure Security mode.

When internal IP phones are on a different network interface than the Cisco UCM, the IP phones'
signaling sessions still go through the ASA; however, the IP phone traffic does not go through the
phone proxy. Therefore, Cisco recommends that you deploy internal IP phones on the same network
interface as the Cisco UCM.

If the Cisco UCM and the internal IP phones must be on different network interfaces, you must add
routes for the internal IP phones to access the network interface of the media-termination address
where the Cisco UCM resides.

When the phone proxy is configured to use a global media-termination address, all IP phones see
the same global address, which is a publicly routable address.

If you decide to configure a media-termination address on interfaces (rather than using a global
media-termination address), you must configure a media-termination address on at least two
interfaces (the inside and an outside interface) before applying the phone-proxy service policy.
Otherwise, you will receive an error message when enabling the Phone Proxy with SIP and Skinny
Inspection.

The phone proxy can use only one type of media termination instance at a time; for example, you
can configure a global media-termination address for all interfaces or configure a media-termination
address for different interfaces. However, you cannot use a global media-termination address and
media-termination addresses configured for each interface at the same time.
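The two media-termination rules above (no mixing of global and per-interface addresses, and at least two interfaces when addresses are per-interface) can be checked against a saved configuration before the phone-proxy service policy is applied. The following Python check is an added example, not part of the Cisco guide; it assumes the configuration uses a top-level "media-termination <name>" line followed by indented "address <ip> [interface <name>]" lines, and the sample configurations and instance names are constructed.

```python
import re

# Constructed sample configurations (not from the manual); documentation address ranges.
SAMPLE_MIXED = "media-termination mta_mixed\n address 192.0.2.25\n address 198.51.100.25 interface outside\n"
SAMPLE_ONE_IFACE = "media-termination mta_single\n address 192.0.2.25 interface inside\n"
SAMPLE_OK = ("media-termination mta_ok\n address 192.0.2.25 interface inside\n"
             " address 198.51.100.25 interface outside\n!\nphone-proxy pp1\n media-termination mta_ok\n")

def parse_media_termination(config):
    """Return {instance: [(ip, interface_or_None), ...]} from ASA-style config text."""
    instances, current = {}, None
    for line in config.splitlines():
        m = re.match(r"media-termination\s+(\S+)\s*$", line)
        if m:  # top-level definition opens a block
            current = instances.setdefault(m.group(1), [])
            continue
        if not line.startswith(" "):  # any other top-level line closes the block
            current = None
            continue
        m = re.match(r"\s+address\s+(\S+)(?:\s+interface\s+(\S+))?\s*$", line)
        if m and current is not None:
            current.append((m.group(1), m.group(2)))
    return instances

def check_media_termination(config):
    """Return (instance, problem) tuples for violations of the two guidelines."""
    findings = []
    for name, addrs in parse_media_termination(config).items():
        ifaces = {iface for _, iface in addrs if iface}
        has_global = any(iface is None for _, iface in addrs)
        if has_global and ifaces:
            findings.append((name, "global and per-interface addresses are both configured"))
        elif ifaces and len(ifaces) < 2:
            findings.append((name, "per-interface address on fewer than two interfaces"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("mixed", SAMPLE_MIXED), ("one interface", SAMPLE_ONE_IFACE), ("ok", SAMPLE_OK)):
        print(label, "->", check_media_termination(cfg) or "no findings")
```
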

Configuring the Phone Proxy

This section includes the following topics:

Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster

Importing Certificates from the Cisco UCM

Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster

Creating Trustpoints and Generating Certificates

Creating the CTL File

Using an Existing CTL File

Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster
