
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

43-14
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 43 Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy, page 43-20
Task Flow for Configuring the Phone Proxy
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Configuring the Phone Proxy requires the following steps:
Step 1: Create the CTL file. See Creating the CTL File, page 43-14.
Step 2: Create the TLS Proxy instance to handle the encrypted signaling. See Adding a TLS Proxy
Instance, page 44-8.
Step 3: Create the Phone Proxy instance. See the “Creating the Phone Proxy Instance” section on
page 43-17.
Step 4: Configure the media termination address for the Phone Proxy. See Creating the Media
Termination Instance, page 43-16.
Note Before you enable SIP and Skinny inspection for the Phone Proxy (which is done by applying the Phone
Proxy to a service policy rule), the Phone Proxy must have an MTA instance, TLS Proxy, and CTL file
assigned to it. Additionally, once a Phone Proxy is applied to a service policy rule, the Phone Proxy
cannot be changed or removed.
Step 5: Enable the Phone Proxy with SIP and Skinny inspection. See SIP Inspection, page 38-23 and
Skinny (SCCP) Inspection, page 38-36.
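The prerequisite in the note above can be checked offline against a saved configuration before the service policy rule is applied. The following is an added example, not part of the Cisco guide: the sample configuration is constructed, and its keywords are assumed to be the CLI form of the ASDM settings described in the task flow.

```python
import re

# Constructed sample, not taken from a real device. The keywords are assumed
# to be the CLI form of the ASDM settings named in the task flow above.
SAMPLE_CONFIG = """\
ctl-file myctl
 record-entry cucm-tftp trustpoint cucm_tftp address 192.0.2.26
tls-proxy mytls
media-termination mymta
 address 192.0.2.25 interface outside
phone-proxy pp_ready
 media-termination mymta
 tls-proxy mytls
 ctl-file myctl
phone-proxy pp_incomplete
 tls-proxy mytls
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy pp_incomplete
"""

# The three objects the note requires on a Phone Proxy before inspection.
REQUIRED = ("media-termination", "tls-proxy", "ctl-file")

def parse_blocks(config):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_phone_proxies(config):
    """Return {name: {"missing": [...], "applied": bool}} per Phone Proxy."""
    blocks = parse_blocks(config)
    heads = [h.split() for h in blocks]
    defined = {k: {p[1] for p in heads if p[0] == k and len(p) > 1} for k in REQUIRED}
    applied = set(re.findall(r"inspect (?:sip|skinny) phone-proxy (\S+)", config))
    report = {}
    for header, subs in blocks.items():
        parts = header.split()
        if parts[0] != "phone-proxy" or len(parts) < 2:
            continue
        # A reference counts only if it names an object defined in the config.
        refs = dict(s.split()[:2] for s in subs if len(s.split()) > 1 and s.split()[0] in REQUIRED)
        missing = [k for k in REQUIRED if refs.get(k) not in defined[k]]
        report[parts[1]] = {"missing": missing, "applied": parts[1] in applied}
    return report
```

An instance reported with a non-empty "missing" list and "applied" set to True is the case the note rules out; because an applied Phone Proxy cannot be changed or removed, the check is most useful before the service policy rule is created.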
Creating the CTL File
Create a Certificate Trust List (CTL) file that is required by the Phone Proxy. Specify the certificates
needed by creating a new CTL file or by specifying the path of an existing CTL file to parse from Flash
memory.
Create trustpoints and generate certificates for each entity in the network (CUCM, CUCM and TFTP,
TFTP server, CAPF) that the IP phones must trust. The certificates are used in creating the CTL file. You
need to create trustpoints for each CUCM (primary and secondary if a secondary CUCM is used) and
TFTP server in the network. The trustpoints need to be in the CTL file for the phones to trust the CUCM.
Create the CTL File that will be presented to the IP phones during the TFTP. The address must be the
translated or global address of the TFTP server or CUCM if NAT is configured.
When the file is created, it creates an internal trustpoint used by the Phone Proxy to sign the TFTP files.
The trustpoint is named _internal_PP_ctl-instance_filename.
Note When a CTL file instance is assigned to the Phone Proxy, you cannot modify it in the CTL File pane and
the pane is disabled. To modify a CTL File that is assigned to the Phone Proxy, go to the Phone Proxy
pane (Configuration > Firewall > Unified Communications > Phone Proxy), and deselect the Use the
Certificate Trust List File generated by the CTL instance check box.
