Enabling the tls proxy instance for – Cisco ASA 5505 User Manual

Page 1049

Advertising
background image

49-13

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 49 Configuring the TLS Proxy for Encrypted Voice Inspection

Configuring the TLS Proxy for Encrypted Voice Inspection

What to Do Next

Once you have created TLS proxy instance, enable the TLS proxy instance for Skinny and SIP
inspection. See

Enabling the TLS Proxy Instance for Skinny or SIP Inspection, page 49-13

.

Enabling the TLS Proxy Instance for Skinny or SIP Inspection

Enable TLS proxy for the Cisco IP Phones and Cisco UCMs in Skinny or SIP inspection. The following
procedure shows how to enable the TLS proxy instance for Skinny inspection.

Command

Purpose

Step 1

hostname(config)# tls-proxy proxy_name

Example:

hostname(config)# tls-proxy my_proxy

Creates the TLS proxy instance.

Step 2

hostname(config-tlsp)# server trust-point

proxy_trustpoint

Example:

hostname(config-tlsp)# server trust-point ccm_proxy

Specifies the proxy trustpoint certificate to present
during TLS handshake.

The server command configures the proxy
parameters for the original TLS server. In other
words, the parameters for the ASA to act as the
server during a TLS handshake, or facing the
original TLS client.

Step 3

hostname(config-tlsp)# client ldc issuer ca_tp_name

Example:

hostname(config-tlsp)# client ldc issuer ldc_server

Sets the local dynamic certificate issuer. The local
CA to issue client dynamic certificates is defined by
the crypto ca trustpoint command and the
trustpoint must have proxy-ldc-issuer configured,
or the default local CA server
(LOCAL-CA-SERVER).

Where

ldc issuer

ca_tp_name

specifies the local

CA trustpoint to issue client dynamic certificates.

Step 4

hostname(config-tlsp)# client ldc key-pair key_label

Example:

hostname(config-tlsp)# client ldc key-pair

phone_common

Sets the keypair.

The keypair value must have been generated with the
crypto key generate command.

Step 5

hostname(config-tlsp)# client cipher-suite

cipher_suite

Example:

hostname(config-tlsp)# client cipher-suite

aes128-sha1 aes256-sha1

Sets the user-defined cipher suite.

For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite, or the one defined by the ssl
encryption command. You can use this command to
achieve difference ciphers between the two TLS
sessions. You should use AES ciphers with the
CallManager server.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals