EasyManuals Logo

Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco 5510 - ASA SSL / IPsec VPN Edition
1822 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #958 background imageLoading...
Page #958 background image
43-8
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 43 Configuring the Cisco Phone Proxy
Prerequisites for the Phone Proxy
NAT and PAT Prerequisites
NAT Prerequisites
If NAT is configured for the TFTP server, the NAT configuration must be configured prior to
configuring the TFTP Server for the phone proxy.
If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be
used in the access lists.
PAT Prerequisites
When the Skinny inspection global port is configured to use a non-default port, then you must
configure the nonsecure port as the
global_sccp_port+443.
Therefore, if global_sccp_port is 7000, then the global secure SCCP port is 7443. Reconfiguring the
port might be necessary when the phone proxy deployment has more than one Cisco UCM and they
must share the interface IP address or a global IP address.
Note Both PAT configurations—for the nonsecure and secure ports—must be configured.
When the IP phones must contact the CAPF on the Cisco UCM and the Cisco UCM is configured
with static PAT (LCS provisioning is required), you must configure static PAT for the default CAPF
port 3804.
Prerequisites for IP Phones on Multiple Interfaces
When IP phones reside on multiple interfaces, the phone proxy configuration must have the correct IP
address set for the Cisco UCM in the CTL file.
See the following example topology for information about how to correctly set the IP address:
phones --- (dmz)-----|
|----- ASA PP --- (outside Internet) --- phones
phones --- (inside)--|
In this example topology, the following IP address are set:
Cisco UCM on the inside interface is set to 10.0.0.5
The DMZ network is 192.168.1.0/24
The inside network is 10.0.0.0/24
The Cisco UCM is mapped with different global IP addresses from DMZ > outside and inside interfaces
> outside interface.
In the CTL file, the Cisco UCM must have two entries because of the two different IP addresses. For
example, if the static statements for the Cisco UCM are as follows:
static (inside,outside) 128.106.254.2 10.0.0.5
static (inside,dmz) 192.168.1.2 10.0.0.5
There must be two CTL file record entries for the Cisco UCM:
record-entry cucm trustpoint cucm_in_to_out address 128.106.254.2
record-entry cucm trustpoint cucm_in_to_dmz address 192.168.1.2

Table of Contents

Other manuals for Cisco 5510 - ASA SSL / IPsec VPN Edition

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco 5510 - ASA SSL / IPsec VPN Edition and is the answer not in the manual?

Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General IconGeneral
BrandCisco
Model5510 - ASA SSL / IPsec VPN Edition
CategoryFirewall
LanguageEnglish

Related product manuals