[cisco-voip] CUMA and ASA as Proxy

Voice Noob voicenoob at gmail.com
Wed Jul 8 09:34:15 EDT 2009


I "think" I have everything set up. I have upgraded to 7.0(2) and all of my
enterprise adaptors work correctly. I have added users and my DNS entries
are correct. My problem seems to be with the ASA. I have port 9080 and 5443
configured for the external interface to forward to my CUMA server. I can
see the traffic from my phone come in on port 9080 but it just hangs. When I
connect internally to port 9080 to my internal IP of my CUMA server it
redirects me to a URL with port 9443. So it looks like it is trying to do
that on the outside but the ASA is blocking it I guess. I am sure this is
some type of inspect rule or something I don't have configured correctly on
the ASA. Here are some of the configs



access-list Outside_access_in extended permit tcp any interface Outside eq 9080 log notifications
access-list Outside_access_in extended permit tcp any interface Outside eq 5443

access-list mmp_inspect extended permit tcp any any eq 5443
access-list mmp_inspect extended permit tcp any any eq 9080

static (Inside,Outside) tcp interface 5443 1.1.1.1 5443 netmask 255.255.255.255
static (Inside,Outside) tcp interface 9080 1.1.1.1 9080 netmask 255.255.255.255

access-group Outside_access_in in interface Outside


tls-proxy PROXYNAME
 server trust-point trustpoint-cuma-signed
 no server authenticate-client
 client trust-point trustpoint-asa-cuma-selfsigned
 client cipher-suite aes128-sha1 aes256-sha1

class-map cuma_proxy
 match access-list mmp_inspect
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
  inspect icmp
  inspect http
  inspect mmp tls-proxy PROXYNAME
  inspect sip
 class cuma_proxy
  inspect mmp tls-proxy PROXYNAME
 class class-default
  set connection decrement-ttl

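As an added example (not part of the original post or of Cisco's documentation), the following Python script parses the ASA fragment above and reports which TCP ports are actually reachable from the Outside interface, meaning both permitted by the bound ACL and mapped by a static PAT, and which of those two pieces are absent for a given port such as the 9443 seen in the redirect. The config text is the poster's with the mailer's line wraps rejoined; the function names and the regexes are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA fragment from the post, with the mailer's
# line wraps rejoined so that each command sits on one line.
ASA_CONFIG = """
access-list Outside_access_in extended permit tcp any interface Outside eq 9080 log notifications
access-list Outside_access_in extended permit tcp any interface Outside eq 5443
access-list mmp_inspect extended permit tcp any any eq 5443
access-list mmp_inspect extended permit tcp any any eq 9080
static (Inside,Outside) tcp interface 5443 1.1.1.1 5443 netmask 255.255.255.255
static (Inside,Outside) tcp interface 9080 1.1.1.1 9080 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

# Only the ACE shapes present in the post are recognised (assumption).
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp \S+ (?:interface \S+|any) eq (\d+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_config(text):
    """Collect, per ACL, the permitted TCP ports; per outside port, the static
    PAT target (inside ip, inside port); and which ACL is bound inbound where."""
    acls, statics, groups = defaultdict(set), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            # static (Inside,Outside): keyed by the outside (interface) port
            statics[int(m.group(3))] = (m.group(4), int(m.group(5)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return {"acls": dict(acls), "statics": statics, "groups": groups}

def reachable_ports(cfg, interface="Outside"):
    """A port is reachable from outside only when the inbound ACL permits it
    AND a static translation maps it to an inside host."""
    acl = cfg["groups"].get(interface)
    permitted = cfg["acls"].get(acl, set())
    return sorted(p for p in permitted if p in cfg["statics"])

def missing_for_port(cfg, port, interface="Outside"):
    """Name the pieces (ACL entry, static PAT) that are absent for a port."""
    acl = cfg["groups"].get(interface)
    missing = []
    if port not in cfg["acls"].get(acl, set()):
        missing.append("acl")
    if port not in cfg["statics"]:
        missing.append("static")
    return missing
```

Running `missing_for_port(parse_config(ASA_CONFIG), 9443)` makes the exposure picture explicit: neither an ACL entry nor a static exists for the port the internal redirect points at, whereas 9080 and 5443 have both.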

-----Original Message-----
From: Ryan Ratliff [mailto:rratliff at cisco.com] 
Sent: Thursday, July 02, 2009 8:41 AM
To: Voice Noob
Cc: 'Craig Staffin'; 'CiscosupportUpuck'
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

For lab purposes you *should* be able to get it to work. It's not TAC
supported but that really doesn't matter for a demo. I also believe
Verisign has a temp cert you can get for free (but it has an expiration
date).

Regarding the name, it needs to match whatever you populate in the
external DNS, which should resolve to the ASA.
"Obtain the IP address and fully qualified domain name for the Proxy Host"
The proxy host is your ASA.

-Ryan

On Jul 2, 2009, at 9:32 AM, Voice Noob wrote:

I have a procedure on how to make the self signed certs work on my phone.
That is the least of my problems or concerns. If it does not work that's
fine but I have to try. We are only looking at a pilot of about two phones.
If we do a customer deployment we will have them get a correct cert.

In the below step do I create the cert using the name of my Cisco ASA or
the name of my CUMA server?



http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_0/english/install/guide/cuma_70_IAG_02_ASA.html

(For New Installations) How to Obtain and Import the Cisco Adaptive Security
Appliance-to-Client Certificate

This procedure is required unless you are upgrading from Release 3.1.2 and
reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

- Generate a Certificate Signing Request
- Submit the Certificate Signing Request to the Certificate Authority
- Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request

Before You Begin

- Obtain the IP address and fully qualified domain name for the Proxy Host
  Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.

- Determine required values for your company or organization name,
  organizational unit, country, and state or province. See the table in
  Creating Security Contexts, page 9-7. You must enter identical values in the
  Cisco Adaptive Security Appliance and in the relevant security context in
  Cisco Unified Mobility Advantage.

Procedure


--------------------------------------------------------------------------------

Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt to
reappear.

Step 3 Create a trustpoint with the necessary information to generate the
certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage server. Use the Fully Qualified Domain Name.>,OU=<organization unit name>,O=<company or organization name as publicly registered>,C=<2 letter country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State
values, see the values you determined in the prerequisite for this
procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate
Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the Cisco Unified Mobility Advantage server>,OU=<organization unit name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy Host Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and
paste it into a text file.

Include the following lines. Make sure that there are no extra spaces at the
end.

----BEGIN CERTIFICATE----

----END CERTIFICATE----

Step 6 Save the text file.


--------------------------------------------------------------------------------

What To Do Next


-----Original Message-----
From: Craig Staffin [mailto:cmstaffin at gmail.com]
Sent: Wednesday, July 01, 2009 9:46 PM
To: Voice Noob
Cc: CiscosupportUpuck
Subject: Re: [cisco-voip] CUMA and ASA as Proxy

I am going through this battle right now

As far as self signed certs the response from the BU was that they are
completely not supported as mobile phones do not do certs "well".  In
other words if you can manage to get the CA of your domain onto your
phone it might work for a week or two but then it might fail.  The BU
states that you need to use a verisign cert or GEOTrust.

Let me know if you need more help.

On Jul 1, 2009, at 8:43 PM, Voice Noob wrote:

> Has anyone deployed CUMA 7.x using the ASA as the Proxy server? I am
> having a problem with the documentation on exactly how I setup the
> ASA and the certificate requests. I don't know if the name I should
> put into the requests is the CUMA server name or the hostname of my
> ASA.
>
> Also has anyone done this using self signed certs with an internal
> CA? I don't think I can get this company to pay for a cert from
> Verisign or Geotrust. In fact I know I can't.
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
