Steve Davis

Configuring SSL VPN Phones using certificates with ASA and CUCME (Call Manager Express)

I just finished configuring remote SSL VPN phones using a 7945G. I have an ASA 5510 as the firewall and a 2800 Series router running Call Manager Express 8.6. I followed the guide at the below link almost line for line (obviously custom tailoring the config for my IPs and environment) to get this initially working.

This config works for SSL VPN phones with username and password authentication, and it works great. Keep in mind that after creating the CNF file on CME (after the vpn group and vpn profile have been added in the steps above), one has to connect the phone locally in order to get the config file from CME; otherwise the VPN options on the phone will be grayed out. (As a side note, I was configuring this remotely, so I created a site-to-site VPN between my location and the main location and added option 150 to my local DHCP server, giving the TFTP server of the main site hosting CME; the site-to-site VPN allowed the phone to get the CNF file without technically being local.)

Also make sure you have the following licensing installed on your ASA

* ASA Premium or AnyConnect Essentials license
* AnyConnect VPN Phone license

As for certificates, Cisco only had documentation for doing this with full Call Manager, not the Express version. I was able to get going using the MIC (Cisco's manufacturer certificate, which is preinstalled on the Cisco phones). Also keep in mind that this is considered less secure than LSCs, Cisco's recommended certificates. The below document lays out how to set this up with full Call Manager.

In order to get SSL VPN to work with existing Cisco certs, the only changes I had to make to the top link SSL VPN configuration guide are as follows:

***On CME***

vpn-profile 1
  authen-method none
  password-persistent enable
  host-id-check disable

***On ASA***

tunnel-group SSLVPN_tunnel webvpn-attributes
  authentication certificate

For those that want to use the more secure certificates, on the CME you have to configure CTL-CLIENT and CAPF-SERVER; the configurations are found in the administration guide found below. I haven't been able to successfully download the LSC from CME to the phone, but I figured I would put this out there to help consolidate the information I put together from various sources.
