topic Re: ASA Phone Proxy in Unified Communications Infrastructure

ASA Phone Proxy

joeharb — Tue, 19 Mar 2019 09:01:37 GMT

We are in the process of testing the ASA phone proxy. We are using a seperate ASA/Firewall for this, I can see the phone listed in the "show phone-proxy secure-phones" but tftp doesn't appear to be working. I am using a access-list according to documentation to prevent the traversal of the tftp traffic out our main firewall:

Here is a sample which does PAT outside for only traffic destined to the call manager on the inside.

PhoneProxyASA(config)#object-group service CUCM-PROXY-PORTS 
PhoneProxyASA(config-service)#service-object udp eq tftp 
                              service-object udp range 1024 65535 
                              service-object tcp eq 2443 
                              service-object tcp eq 5061 
                              service-object tcp eq 3804
 
PhoneProxyASA(config)#access-list cucm-traffic extended permit object-group 
CUCM-PROXY-PORTS any host 172.18.124.230 

PhoneProxyASA(config)#nat (outside) 55 access-list cucm-traffic outside
PhoneProxyASA(config)#global (inside) 55 interface 

My question is should the callmanager see this request coming from the inside interface of the ASA
or the public address of the phone.  I would expect it to the inside address of the ASA so the traffic
will traverse the ASA proxy.

Any help would be appreciated, I am in the process of setting up traces on the CallManager TFTP server.

Thanks,

Joe

Re: ASA Phone Proxy

jubetz — Thu, 02 Dec 2010 20:43:24 GMT

Hi Joe,

When you apply that configuration, the phones' traffic will look like the ASA's inside IP address.

Make sure you're access-list is written correctly. You have to match the translated IP address on the outside interface.

Do a packet-tracer for an incoming TFTP packet on the outside to see if you're hitting the expected source nat rule.

HTH,

-jb

Re: ASA Phone Proxy

joeharb — Thu, 02 Dec 2010 20:49:14 GMT

I have reverted to a global pat and it appears this helped for testing purposes. Now I see the request coming from the inside address of the ASA to the CallManager. I am now seeing a TFTP Unauthorized : 0.0.0.0.0 in the phone status. I have checked the Trust List on the phone and the Public TFTP IP is listed. I see the requests coming in via debug phone-proxy tftp but I can't see that anything is actually being sent back to the phone. I would expect that since it has the correct CTL file and Trust the ASA is able to talk to the phone.

Any suggestions?

Joe

Re: ASA Phone Proxy

jubetz — Thu, 02 Dec 2010 20:55:05 GMT

Hey Joe,

Try clearing out the CTL file on that phone. Are you also seeing CTL update failed messages on the phone?

-jb

Re: ASA Phone Proxy

joeharb — Thu, 02 Dec 2010 21:02:00 GMT

Deleted CTL file and it installed it again, same messaged for TFTP timeout and Unauthroized. I recieve no messages that ctl file failed only that it can't find the .xml file.

Any suggestions?

Joe

Re: ASA Phone Proxy

jubetz — Thu, 02 Dec 2010 21:07:49 GMT

Would you be able to post the ASA phone-proxy debugs here? Turn on "debug phone-proxy" and then reboot the phone.

-jb

Re: ASA Phone Proxy

joeharb — Thu, 02 Dec 2010 21:29:00 GMT

See attachment, I have to edit the IP's please see legend @ top of txt file.

Thanks,

Joe

Re: ASA Phone Proxy

reni.popara — Thu, 02 Dec 2010 22:28:57 GMT

Hi,

What ASA version do you have?

I was working on this last whole week and i was crazy .

Did you define a inside and outside IPs?

My sample:

media-termination group_name

address PUBLIC_IP interface outside

address PRIVATE_IP interface inside

phone-proxy asdm_phone-proxy

media-termination group_name tftp-server address CUCM interface inside

tls-proxy outside_prxy cipc

security-mode authenticated ctl-file asdm_CTL_File

If you setup everything good with CTL that should be ok.

Re: ASA Phone Proxy

jubetz — Fri, 03 Dec 2010 13:24:45 GMT

Hi Joe,

I don't think your ouside PAT configuration is working. The CTL file is successfully downloaded, but that's because the ASA incercepts that TFTP request and responds with it's own CTL file - there is no possibility for asymmetric routing.

The second step is the config file download. The ASA has to strip off the .sgn extension in the request and then turn around and ask CUCM for the file. I think CUCM is still seeing the global IP address of the phone based on the behavior in the debugs. I beleive the TFTP unauthorized messages on your phone are seen because these responses from CUCM (made by the ASA) are going out another NAT/PAT device and arriving at the phone. Since this TFTP response's source IP address is different than what is in the CTL file for TFTP - the phone will not accept it.

Check the output of show xlate to see if you have PAT xlates for your phone's global IP address. Run a packet tracer to make sure you're hitting the correct source NAT rule.

-jb

Re: ASA Phone Proxy

joeharb — Fri, 03 Dec 2010 15:03:19 GMT

I kind of suspected this to be the issue as well, but I am not for sure how to fix it. As of now I have the following:

global (inside) 55 interface
nat (outside) 55 0.0.0.0 0.0.0.0 outside

I see the request to CCM TFTP coming from the inside address of the ASA. If I look @ the capture of the outside interface I see packets exchanged between both the phone phone and the external tftp ip. The normal default route that the callmanager traffic would take to the internet isn't through this asa, so I would expect that I would have pat on the inside, is this not correct? I am going to try to get a laptop on the same network as the phone to see if I can sniff the return traffic from the the phones perspective. Would I have to do a route map inside to force the traffic back out the ASA?

Thanks,

Joe

Re: ASA Phone Proxy

joeharb — Fri, 03 Dec 2010 17:13:58 GMT

Ok, I have not gotten alittle further, the tftp requests are going through but it appears the phone is failing on the load with a Load Authentication Failed. We use Berbee for paging and our Authentication URL is set to the Berbee server. Can I edit this specific phone to sue the publisher for authentication? I also and have to edit some acl's to allow the traffic from the ASA to the callmanger, so I have a few questions:

1. Will the phone register with its public address, or the ASA private address?

2. What ports/source and destination will will need to opened up from the ASA to CallManager?

Thanks for all the help thus far, we are getting closer.

Joe