Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Who Me Too'd this topic

Configuring SSL VPN Phones using certificates with ASA and CUCME (Call Manager Express)

Steve Davis
Level 1
Level 1

‎03-20-2013 01:06 PM - edited ‎03-16-2019 04:22 PM

                   I just finished configuring remote SSL VPN phones using a 7945G. I have an ASA 5510 as the firewall and 2800 Series router running Call Manager Express 8.6. I followed the following guide at the below link almost line for line (obviously custom tailoring the config for my IP's and environment) to get this initially working.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevpn.html

This config works with utilizing SSL VPN phones with username and password authentication and works great. Keep in mind that after creating the CNF file on CME after the vpn group and vpn profile have added in the steps above, that one has to connect the phone locally in order to get the config file from CME, otherwise the VPN options on the phone will be grayed out.  (As a side note, I was configuring this remotely so I created a site to site VPN between mine and the main location, added option 150 to my local DHCP server giving the TFTP Server of the main site hosting CME, the site to site VPN allowed the phone to get the CNF file without technically being local)

Also make sure you have the following licensing installed on your ASA

*ASA Premium or AnyConnect Essentials license

*AnyConnect VPN Phone license

As for certificates, Cisco only had documentation for doing this with full Call Manager, not the express version.  I was able to get going using the MIC (Cisco's manufacturer certificate which is preinstalled on the Cisco phones).  Also keep in mind that this is considered less secure than LSC's, Cisco's recommended certificates.  The below document lines out how to set this up with full Call Manager.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080bef910.shtml

In order to get SSL VPN to work with existing Cisco certs, the only changes I had to make to the top link SSL VPN configuration guide are as follows:

**On CME***

vpn-profile 1
  authen-method none
  password-persistent enable
  host-id-check disable

***On ASA***
tunnel-group SSLVPN_tunnel webvpn-attributes

authentication certificate

For those that want to use the more secure certificates, on the CME you have to configure CTL-CLIENT and CAPF-SERVER, configurations are found in the administration guide found below.  I haven't been able to successfully download the LSC from CME to the phone, but figured I would put this out there to help consolidate the information I put together from various sources.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmeadm.html

1 person had this problem
Labels:
Who Me Too'd this topic