Enabling the tls proxy for mmp inspection – Cisco ASA 5505 User Manual

50-9

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 50 Configuring Cisco Mobility Advantage

Configuring Cisco Mobility Advantage

What to Do Next

Once you have created the TLS proxy instance, enable it for MMP inspection. See

Enabling the TLS

Proxy for MMP Inspection, page 50-9

.

Enabling the TLS Proxy for MMP Inspection

Cisco UMA client and server communications can be proxied via TLS, which decrypts the data, passes
it to the inspect MMP module, and re-encrypt the data before forwarding it to the endpoint. The inspect
MMP module verifies the integrity of the MMP headers and passes the OML/HTTP to an appropriate
handler.

Step 3

hostname(config-tlsp)# client trust-point proxy_name

Example:

hostname(config-tlsp)# client trust-point cuma_proxy

Specifies the trustpoint and associated certificate
that the ASA uses in the TLS handshake when the
ASA assumes the role of the TLS client.

The certificate must be owned by the ASA (identity
certificate).

Step 4

hostname(config-tlsp)# no server authenticate-client

Disables client authentication.

Disabling TLS client authentication is required
when the ASA must interoperate with a Cisco UMA
client or clients such as a Web browser that are
incapable of sending a client certificate.

Step 5

hostname(config-tlsp)# client cipher-suite

cipher_suite

Example:

hostname(config-tlsp)# client cipher-suite

aes128-sha1 aes256-sha1

Specifies cipher suite configuration.

For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite.

Command

Purpose

Command

Purpose

Step 1

hostname(config)# class-map class_map_name

Example:

hostname(config)# class-map cuma_tlsproxy

Configures the class of traffic to inspect. Traffic
between the Cisco UMA server and client uses MMP
and is handled by MMP inspection.

Where class_map_name is the name of the MMP
class map.

Step 2

hostname(config-cmap)# match port tcp eq port

Example:

hostname(config-cmap)# match port tcp eq 5443

Matches the TCP port to which you want to apply
actions for MMP inspection.

The TCP/TLS default port for MMP inspection is
5443.

Step 3

hostname(config-cmap)# exit

Exits from the Class Map configuration mode.

Step 4

hostname(config)# policy-map name

Example:

hostname(config)# policy-map global_policy

Configures the policy map and attaches the action to
the class of traffic.

Step 5

hostname(config-pmap)# class classmap-name

Example:

hostname(config-pmap)# class cuma_proxy

Assigns a class map to the policy map so that you
can assign actions to the class map traffic.

Where classmap_name is the name of the Skinny
class map.