03-16-2012 11:05 AM - edited 03-11-2019 03:43 PM
I am currently experimenting with getting the phone proxy feature to work on our ASA firewalls using these documents:
https://supportforums.cisco.com/docs/DOC-1364
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/unified_comm_phoneproxy.html
These all deal with a single server/TFTP setup.
I have been trying to apply this to our cluster consisting of 4 call managers
10.15.1.1 … Publisher and also the TFTP (our current homeworkers, using a VPN tunnel setup, point back to this address).
10.15.1.2 … Sub ( tftp disabled )
10.73.1.1 … Sub ( tftp disabled )
10.73.1.2 … Sub ( tftp disabled )
Upon registration, our phones eventually register against one of the Subs based on the CM group configured in CUCM.
ASA 8.2(1)
ASDM 6.4
Our ASA has the default 2x Phone Proxy Sessions licenses installed. (We know that we will have to purchase more licenses once we have proved that this works how we want it to!)
Can anyone with a similar Call Manager cluster setup please clarify the following for me?
1/ As we only have the one TFTP server in our cluster, do we still only require 2x public-facing addresses? One for the TFTP address (which gets translated to 10.15.1.1) and one for the MTA.
2/ I've currently only got the one phoneproxy_trustpoint configured, which is associated against the Publisher in the CTL file section of ASDM (of type tftp-cucm).
Do I need to create further phoneproxy_trustpoints for the other Call Managers and associate each of them against a new CTL file (type cucm)?
3/ For the moment, I am only testing with a 7965 phone which has a MIC installed. I have downloaded the following certificates off the PUBLISHER, installed them on the ASA and created trustpoints:
Cisco_Manufacturing_CA.pem
CAP-RTP-001.pem
CAP-RTP-002.pem
Will I need to download the equivalent certificates off the Subs and install them on the ASA also?
At present, I am seeing the TFTP requests from a remote phone hitting our firewall on the external TFTP address. It is getting translated to the internal address, 10.15.223.10, but nothing else is happening after that.
The phone display is showing as trying to register, but looking in Status Messages it says:
No Trust List Installed
TFTP Time out SEPxxxxxxxx.cnf.xml
As the CTL is not installing onto the remote phone, do I need to revisit my CTL file and the trustpoints created on the ASA?
Any advice would be much appreciated.
Thanks.
Jon.
03-16-2012 10:03 PM
Hello,
I am not an expert (yet) on the phone proxy side, but I do have some experience on this, so I hope this helps:
1-
The Media Termination Address is an address that the firewall uses to perform the phone proxy function. It is a special address that is used to terminate secure media streams to and from remote phones. This address needs to be a unique, publicly routeable address on the outside of the firewall, and must adhere to the following guidelines:
So your answer is YES, it has got to be a different one.
2- I would say yes; if not, the communication between them will not be valid, as the authentication will not be valid.
3- Now, regarding the registration issues, the following will help you:
https://supportforums.cisco.com/docs/DOC-1226#Phone_registration_problems
Please read that, and if you have any questions just let us know.
Julio
Security Engineer
03-17-2012 08:38 AM
Hi Julio,
Thank you for your reply. I had already read through the sample documents you provided prior to posting, and although they mention other CMs in a cluster briefly, I felt they did not clear up my first two queries.
In regards to your answers to my questions:
1/ Sorry, I probably wasn't being very clear. I am aware that I require 2 different public-facing IPs for the TFTP and MTA. My query was whether I required further public IPs for the other CMs in the cluster, even though they do not have the TFTP service enabled.
Upon successful TFTP download of its config file from the PUB, our phones will primarily register against one of the SUBs. So will the phone know how to reach the other SUBs even though they are not defined on the ASA, or is that where the trustpoints to the other CMs in the cluster come into play?
I would be interested to know how this has been set up in your CUCM cluster environment.
Regards
Jon.
06-04-2012 01:45 AM
Hi,
In your blog, I am checking you are very close to your solution. Your version is OK:
ASA 8.2(1)
ASDM 6.4
Now, you will need to download the equivalent certificates off the Subs and install them on the ASA also:
callmanager.pem and capf.pem in your ASA.
No Trust List Installed
TFTP Time out SEPxxxxxxxx.cnf.xml - the reason may be these certificates.
Do the same and send your configuration details, and I will reply to you with better output.
I have implemented the same (ASA UC PROXY SETUP) over the internet.
Thanks & regards
Vishal
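To make both replies concrete (Julio's point 2 that the other Call Managers need their own trustpoints, and Vishal's advice to import each Sub's callmanager.pem), here is a CLI sketch of how a four-node cluster can be expressed on an ASA 8.2 phone proxy. This is an added illustration, not configuration from either reply or from Cisco's documents: the trustpoint, CTL, TLS-proxy and media-termination names are assumed, the 10.x addresses are the cluster addresses from the original question, and 203.0.113.x values are RFC 5737 documentation addresses standing in for the real public IPs. Which address (real or NATed global) each record-entry should carry when a node sits behind NAT is something to confirm against the configuration guide linked in the question.

```text
! ---- 1. One trustpoint per CUCM node, each authenticated with that node's
!         callmanager.pem (the PEM is pasted at the prompt). Names are assumed.
crypto ca trustpoint cucm_pub
 enrollment terminal
crypto ca authenticate cucm_pub
crypto ca trustpoint cucm_sub1
 enrollment terminal
crypto ca authenticate cucm_sub1
crypto ca trustpoint cucm_sub2
 enrollment terminal
crypto ca authenticate cucm_sub2
crypto ca trustpoint cucm_sub3
 enrollment terminal
crypto ca authenticate cucm_sub3
! capf.pem and the phone-side CA certificates already on the ASA
! (Cisco_Manufacturing_CA, CAP-RTP-001/002) are imported the same way.

! ---- 2. CTL file: one record-entry per node the remote phone will contact.
!         Only the node running TFTP is typed cucm-tftp; the Subs are cucm.
!         Addresses below are the cluster addresses from the question; for a
!         node behind NAT, check the guide for whether the global address goes here.
ctl-file pp_ctl
 record-entry cucm-tftp trustpoint cucm_pub  address 10.15.1.1
 record-entry cucm      trustpoint cucm_sub1 address 10.15.1.2
 record-entry cucm      trustpoint cucm_sub2 address 10.73.1.1
 record-entry cucm      trustpoint cucm_sub3 address 10.73.1.2
 no shutdown

! ---- 3. Local dynamic certificate issuer and TLS proxy used by the phone proxy.
!         ldc_server, ldc_signer_key, phone_common and the FQDN are placeholders.
crypto key generate rsa label ldc_signer_key modulus 1024
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn asa-pp.example.com
 subject-name cn=asa-pp.example.com
 keypair ldc_signer_key
crypto ca enroll ldc_server
crypto key generate rsa label phone_common modulus 1024

tls-proxy pp_tls
 server trust-point phoneproxy_trustpoint
 client ldc issuer ldc_server
 client ldc key-pair phone_common
 client cipher-suite aes128-sha1 aes256-sha1

! ---- 4. Media termination on the outside interface (placeholder public address),
!         then the phone proxy tying TFTP server, CTL and TLS proxy together.
media-termination pp_mta
 address 203.0.113.20 interface outside

phone-proxy pp
 media-termination pp_mta
 tftp-server address 10.15.1.1 interface inside
 tls-proxy pp_tls
 ctl-file pp_ctl

! ---- 5. Send secure SCCP (TCP 2443) from remote phones through the proxy.
class-map sec_sccp
 match port tcp eq 2443
policy-map global_policy
 class sec_sccp
  inspect skinny phone-proxy pp
```

The `server trust-point` line reuses the phoneproxy_trustpoint name from the question because that is the ASA's own identity trustpoint for the proxy; the per-node trustpoints in step 1 are what let the CTL carry an entry for each Sub, which is the gap both replies point at when the phone reports "No Trust List Installed".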