Dane,<br><br>I'm not an expert (or even proficient) in the ASA portion of this product. I've talked with some of my firewall friends about this recently though and here's what I heard:<br><br>- The nat control command shouldn't be in the document<br>
<br>In regards to Hairpinning - it may not work for two reasons:<br><br>- The traffic is encrypted, so performing NAT elsewhere could break the inherent proxy IP address embedded in the communication between handheld and ASA<br>
<br>- Hairpinning might not work with the inspection engine<br><br>No one I know has tried this setup, it might not work, and it probably wouldn't be supported by Cisco if you can make it work.<br><br>I'd say it would be better to have a public IP on an ASA running NAT to avoid the previous hurdles. <br>
<br>That is unless of course you have handhelds that do WLAN, in which case you can make everything internal and nat from one internal network to another.<br><br>It would be best to pass traffic through the ASA in one interface and out another to avoid complications. If you do try other configs though it would be interesting to hear your results.<br>
<br>- Jason<br><br><br><div class="gmail_quote">On Mon, Oct 26, 2009 at 5:52 PM, Dane Newman <span dir="ltr"><<a href="mailto:dane.newman@gmail.com">dane.newman@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Thanks so much for the answers Jason.</div>
<div> </div>
<div>Regarding my first question</div>
<div> </div>
<div>I suppose I should have said that I would nat a public address to the interface hanging off the dmz. My question could have been phrased alot better asking if the asa could hair pin that traffic coming from one interface back out it and then proxy it to the cuma. I see in the example config from cisco nat control was turned on. I see in all the examples from cisco traffic was always flowing through the asa. </div>
<div> </div>
<div>So to sum it up I would imagion the flow to be mobile phones connect to the public dns record that static nats to a Public IP with an ISR router sitting infront of the internet connection. The asa would be behind the router with an rfc 1918 address with one interface connected to a dmz network. Could traffic then hair pin in that interface and be proxied to the cuma in the trusted network?</div>
<div> </div>
<div>Thanks so much again Jason</div>
<div> </div><font color="#888888">
<div> </div>
<div>Dane<br><br></div></font><div><div></div><div class="h5">
<div class="gmail_quote">On Mon, Oct 26, 2009 at 5:45 PM, Jason Burns <span dir="ltr"><<a href="mailto:burns.jason@gmail.com" target="_blank">burns.jason@gmail.com</a>></span> wrote:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;" class="gmail_quote">Dane,<br><br>Regarding your first question:
<div><br><br>Traffic does not have to flow through the asa just to it and then it will proxy the info correct? Meaning I don't have to put the asa facing my internet connection it can just be a host with a private address.<br>
<br></div>You provision the phone to connect to the DNS Domain Name of the ASA Interface. The DNS Domain Name must resolve to the IP of the outside ASA interface. The certificate must be for this DNS name. If your phones have wireless connections (besides cellular) you could provision an internal IP and DNS domain name for the ASA's outside interface. If your phones must use the cell provider's data connection then you must have a public (Internet) facing ASA interface as well as a fully resolving domain name and matching certificate for that name.<br>
<br>Regarding the second question:
<div><br><br>Can I use a self signed certificate with the iphone client for test? Do I have to purchase a trusted root one? If so it referances verisign or geotrust. Would a cheaper vendor like godaddy for 30 bucks a year work?<br>
<br></div>The reason Cisco supports only Geotrust and Verisign is that the ASA needs to present a certificate that your cell phone can trust. We can only guarantee that at a minimum the Geotrust and Verisign root certs will come preloaded on your phone.<br>
<br>If you can get the root cert for GoDaddy uploaded to your cell phone then there is nothing to stop you from using that on your ASA. Cisco will not support the process of loading root certificates into different cell phones though, so you'd be on your own for figuring out if that is possible for your model of phone.<br>
<br>Hope this helps.<br><br>Jason<br><br><br>
<div class="gmail_quote">
<div>
<div></div>
<div>On Sun, Oct 25, 2009 at 10:32 AM, Dane Newman <span dir="ltr"><<a href="mailto:dane.newman@gmail.com" target="_blank">dane.newman@gmail.com</a>></span> wrote:<br></div></div>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
<div>
<div></div>
<div>
<div>Hello</div>
<div> </div>
<div>I want to test unified monility advantage in a lab and I was curious about the certificate requirements. I am able to run my asa on vmware esxi and hang it off my dmz. Traffic does not have to flow through the asa just to it and then it will proxy the info correct? Meaning I don't have to put the asa facing my internet connection it can just be a host with a private address.</div>
<div> </div>
<div> </div>
<div>Also</div>
<div> </div>
<div>I see one of the requirements is below. Can I use a self signed certificate with the iphone client for test? Do I have to purchase a trusted root one? If so it referances verisign or geotrust. Would a cheaper vendor like godaddy for 30 bucks a year work?</div>
<div> </div>
<div><a name="12492d65f9f69e7c_12492cf37c7d4034_1248c20be7afc067_Certificate_Requirements"></a><a name="12492d65f9f69e7c_12492cf37c7d4034_1248c20be7afc067_wp82682"></a><a name="12492d65f9f69e7c_12492cf37c7d4034_1248c20be7afc067_wpxref62219"></a>
<h3>Certificate Requirements </h3><a name="12492d65f9f69e7c_12492cf37c7d4034_1248c20be7afc067_wp82686"></a>
<p>The Cisco Adaptive Security Appliance requires a signed certificate from VeriSign or GeoTrust. These certificates are supported because they are generally available on all mobile devices. </p></div><br></div></div>_______________________________________________<br>
cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></blockquote></div><br>
</div></div></blockquote></div><br>