Creating trustpoints and generating certificates – Cisco ASA 5505 User Manual


51-9

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 51 Configuring Cisco Unified Presence

Configuring Cisco Unified Presence Proxy for SIP Federation

• Creating the TLS Proxy Instance, page 51-12
• Enabling the TLS Proxy for SIP Inspection, page 51-13

Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation

To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where there is a single Cisco UP that is in the local domain and self-signed certificates are used between the Cisco UP and the ASA (like the scenario shown in Figure 51-1), perform the following tasks.

Step 1

Create the following static NAT for the local domain containing the Cisco UP.

For the inbound connection to the local domain containing the Cisco UP, create static PAT by entering the following commands:

hostname(config)# object network name
hostname(config-network-object)# host real_ip
hostname(config-network-object)# nat (real_ifc,mapped_ifc) static mapped_ip service {tcp | udp} real_port mapped_port

Note

For each Cisco UP that could initiate a connection (by sending SIP SUBSCRIBE) to the foreign server, you must also configure static PAT by using a different set of PAT ports.

For outbound connections or the TLS handshake, use dynamic NAT or PAT. The ASA SIP inspection engine takes care of the necessary translation (fixup).

hostname(config)# object network name
hostname(config-network-object)# subnet real_ip netmask
hostname(config-network-object)# nat (real_ifc,mapped_ifc) dynamic mapped_ip

For information about configuring NAT and PAT for the Cisco Presence Federation proxy, see Chapter 30, “Configuring Network Object NAT” and Chapter 31, “Configuring Twice NAT”.
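The following is an added example of Step 1 with constructed values; it is not configuration from the guide or from Cisco. It assumes a Cisco UP at 192.0.2.10 on the inside interface, published to the foreign server as 203.0.113.10 on TCP 5061 (SIP over TLS), a second Cisco UP that is given its own PAT port as the note above requires, and a dynamic NAT rule for the local subnet's outbound connections. Object names, interface names, addresses and ports are all assumptions; only the command syntax comes from the page.

```cisco
! Constructed example: RFC 5737 documentation addresses; interface and
! object names are assumptions, not values from the guide.

! Inbound: static PAT for the first Cisco UP (real TCP 5061 -> mapped TCP 5061).
! Only this one port is exposed on the mapped address, nothing else.
object network cup1_inside
 host 192.0.2.10
 nat (inside,outside) static 203.0.113.10 service tcp 5061 5061

! Inbound: a second Cisco UP that can also send SIP SUBSCRIBE to the
! foreign server needs a different PAT port on the same mapped address.
object network cup2_inside
 host 192.0.2.11
 nat (inside,outside) static 203.0.113.10 service tcp 5061 5062

! Outbound connections and the TLS handshake: dynamic NAT for the local
! domain's subnet; SIP inspection rewrites embedded addresses/ports (fixup).
object network cup_local_net
 subnet 192.0.2.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.20

! Verify the translations the ASA built from these objects.
show nat
show xlate
```

`show nat` lists the rules in the order the ASA evaluates them and their hit counts, which is the quickest way to confirm that the inbound static PAT entries were matched before the dynamic rule. Because each static rule maps exactly one real port, a Cisco UP that is later added to the local domain gets no inbound reachability until it receives its own static PAT entry.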

Step 2

Create the necessary RSA keypairs and proxy certificate, which is a self-signed certificate, for the remote entity. See Creating Trustpoints and Generating Certificates, page 51-9.

Step 3

Install the certificates. See Installing Certificates, page 51-10.

Step 4

Create the TLS proxy instance for the Cisco UP clients connecting to the Cisco UP server. See Creating the TLS Proxy Instance, page 51-12.

Step 5

Enable the TLS proxy for SIP inspection. See Enabling the TLS Proxy for SIP Inspection, page 51-13.

Creating Trustpoints and Generating Certificates

You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as cup_proxy) in the TLS handshake.
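As an added example (not configuration from the guide), the following commands carry out what the paragraph describes: generate the keypair, define a self-enrolling trustpoint bound to it, and issue the self-signed certificate. The key label and trustpoint name are the "such as" names from the text; the modulus size, the subject name and the use of `fqdn none` are assumptions.

```cisco
! Constructed example: key label and trustpoint name follow the text;
! modulus, subject-name and fqdn setting are assumptions.

! Generate the RSA keypair that the proxy certificate will use.
crypto key generate rsa label cup_proxy_key modulus 2048

! Define a trustpoint that issues a self-signed certificate from that keypair.
! The subject name is what Cisco UP will see in the TLS handshake.
crypto ca trustpoint cup_proxy
 enrollment self
 fqdn none
 subject-name cn=cup-proxy.example.com
 keypair cup_proxy_key

! Generate the self-signed identity certificate for the trustpoint.
crypto ca enroll cup_proxy noconfirm

! Verify: the keypair exists and the trustpoint now holds an identity certificate.
show crypto key mypubkey rsa
show crypto ca certificates cup_proxy
```

Because the certificate is self-signed, nothing in the PKI vouches for it; Cisco UP trusts it only because the certificate itself is installed there in Step 3 (the ASA can emit it with `crypto ca export cup_proxy identity-certificate`). Keep the subject name stable, since re-enrolling with a different name produces a certificate that Cisco UP will no longer recognize.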
