Cisco ASA Proxy TLS 1.2 mutual authentication

carlo.taddei1
Level 1

Hi, I would like to try to implement the following setup:

Server <------> CISCO ASA <----IPSec S2S tunnel----> IPSec Peer <----> Client

The Client is attempting to establish a TLS 1.2 session to the Server.

Due to additional constraints, I cannot terminate the TLS session on the Server itself.

I've read in the cisco documentation that, under the "Unified Communication" tab section, it is possible to configure the ASA unit to act as a TLS proxy (the unit also allows for certificate selection and import).

My questions are:

1) Can I use the TLS Proxy functionality for establishing TLS sessions also for different protocol types (i.e. HTTP), or will it only work for SIP (and voice-related protocols)?

2) Can the ASA support TLS 1.2? Are there any limitations?

3) Can the ASA support mutual authentication? (That is, can the unit authenticate the clients according to their certificates?)

4) Under which ASA OS version / release would I be able to implement all the above listed points?

In terms of ASA Platforms, I can use a 5510 or a 5512-X.

Thanks

1 Reply

rvarelac
Level 7

Hi Carlo,

The TLS proxy feature is only supported between Cisco CallManager and Cisco IP Phones for voice communications, so I don't think this feature might help you in this scenario.

The ASA supports TLS 1.2 on code 9.3 and up and only on new generation firewalls.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/unified_comm_tlsproxy.html

If you can't terminate the session on the end server, you might need a proxy on your internal network to forward the queries. 

Hope it helps

-Randy-
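The internal proxy Randy suggests, sketched as an added example that is not from the thread or from Cisco: a small Python TLS-terminating forwarder that refuses anything below TLS 1.2 and requires a client certificate issued by a CA of your choosing, then relays the decrypted stream to the backend server. The certificate, key and CA file names passed to it are placeholders you supply.

```python
import socket
import ssl
import threading


def build_mtls_context(cert_chain=None, key=None, client_ca=None):
    """Server-side context: TLS 1.2 or newer, client certificate required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 handshakes
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid client cert -> handshake fails
    if cert_chain:  # placeholder paths are passed by the caller (deployment-specific)
        ctx.load_cert_chain(cert_chain, key)
    if client_ca:
        ctx.load_verify_locations(client_ca)  # only this CA's client certs are accepted
    return ctx


def pump(src, dst):
    """Copy bytes one way until either side closes, then shut both sockets down."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(tls_sock, backend):
    """Relay one authenticated TLS session to the plaintext backend (host, port)."""
    print("authenticated client:", tls_sock.getpeercert().get("subject"))
    with socket.create_connection(backend) as upstream:
        t = threading.Thread(target=pump, args=(upstream, tls_sock), daemon=True)
        t.start()
        pump(tls_sock, upstream)
        t.join()


def serve(listen, backend, ctx):
    """Accept TCP clients, terminate TLS with client auth, relay to the backend."""
    with socket.create_server(listen) as srv:
        while True:
            raw, _ = srv.accept()
            try:
                tls = ctx.wrap_socket(raw, server_side=True)  # handshake + cert check
            except ssl.SSLError as exc:
                print("handshake rejected:", exc)
                raw.close()
                continue
            threading.Thread(target=handle_client, args=(tls, backend), daemon=True).start()
```

Run it as `serve(("0.0.0.0", 8443), ("backend-host", 80), build_mtls_context("proxy-cert.pem", "proxy-key.pem", "client-ca.pem"))`, substituting your own listener, backend and certificate files for the placeholders.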
