01-08-2010 08:58 AM - edited 03-08-2019 06:31 PM
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
8.0.x
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1096839
8.2.x
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/unified_comm_cuma.html
The Cisco CUMA proxy provides secure connectivity (mobility proxy) between Cisco Unified Mobility Advantage clients and servers. The ASA in this solution delivers inspection for the MMP (formerly called OLWP) protocol, the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating and re-originating the TLS signaling between the Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage.
The following are required before the phone proxy feature will work correctly.
cuma-asa#show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(4)
....
cuma_server----(inside)ASA(outside)---Router----Internet Cloud
Cuma_server internal ip address---192.168.1.10
Cuma_server translated address - 100.100.100.10
asa inside interface ip - 192.168.1.1
ssl port - 5443
1-1 NAT
cuma-asa(config)#static (inside,outside) 100.100.100.10 192.168.1.10
(or)
Static PAT
cuma-asa(config)#static (inside,outside) tcp 100.100.100.10 5443 192.168.1.10 5443
cuma-asa(config)#access-list outside-acl permit tcp any host 100.100.100.10 eq 5443
cuma-asa(config)#access-group outside-acl in int outside
This step is needed to install a Verisign or Geotrust certificate on the ASA.
a. Generate a key pair. The following procedure needs to be done on the ASA:
cuma-asa(config)# crypto key gen rsa label asa-veri mod 1024
INFO: The name for the keys will be: asa-veri
Keypair generation process begin. Please wait..
b. Create a trustpoint with all the information to generate the CSR. The subject name here should be the exact same one that the mobile phones will be using to access CUMA. If the phones will go to https://cuma1.cisco.com:5443 then use the CN=cuma1.cisco.com
cuma-asa(config)# crypto ca trustpoint asa-to-mobile
cuma-asa(config-ca-trustpoint)# subject-name CN=cuma1.cisco.com,OU=Voice,O=Cisco,C=<2 digit country code>
cuma-asa(config-ca-trustpoint)# keypair asa-veri
cuma-asa(config-ca-trustpoint)# fqdn none
cuma-asa(config-ca-trustpoint)# enrollment terminal
c. Enroll the trustpoint
cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-to-mobile
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: y
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=cuma1.cisco.com,OU=Voice,O=Cisco
% The fully-qualified domain name will not be included in the certificate
% Include the device serial number in the subject name? [yes/no]: n
Display Certificate Request to terminal? [yes/no]: y
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
Certificate data omitted
-----END CERTIFICATE REQUEST-----
d. The above CSR needs to be sent off to Verisign or Geotrust. Once you get the signed certificate, import the signed cert:
Remember - IMPORT the ID CERT
- AUTHENTICATE the CA CERT
cuma-asa(config)# crypto ca import asa-to-mobile cert
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: y
% The fully-qualified domain name in the certificate will be: cuma1.cisco.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
e. Now authenticate the trustpoint with the certificate that issued you your ID cert.
It is critical that you have the entire certificate chain in the ASA's truststore so that the mobile device can properly validate the certificates during the SSL handshake.
cuma-asa(config)# crypto ca authenticate asa-to-mobile
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
** Paste the contents of the cert **
f. If you authenticated the intermediate cert in the above step, then you must also add your root certificate to the truststore in a separate trustpoint. Each trustpoint can hold at most one ID cert and one CA cert.
cuma-asa(config)# crypto ca trustpoint asa-to-mobile-root
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca authenticate asa-to-mobile-root
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
** Paste the contents of the root cert. **
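To confirm what a phone will see once the Verisign/Geotrust chain is in place, here is an added example (not from the original page): it connects to the name the phones use, lets the client validate the full chain against the system CA store, and then checks the leaf's CN/SAN and expiry. The host and port are assumptions matching the cuma1.cisco.com:5443 example above; a missing intermediate in the trustpoints shows up as a chain validation failure.

```python
import socket
import ssl
import time

# Assumed values matching this page's example; use the name the phones dial.
CUMA_HOST = "cuma1.cisco.com"
CUMA_PORT = 5443

def leaf_names(cert):
    """Collect the CN and DNS SANs from a cert dict in ssl.getpeercert() layout."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def check_leaf(cert, hostname, now=None):
    """Return the problems a client would hit with this leaf certificate."""
    now = time.time() if now is None else now
    problems = []
    if hostname.lower() not in leaf_names(cert):
        problems.append(f"certificate names {sorted(leaf_names(cert))} do not include {hostname}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"certificate expired {cert['notAfter']}")
    return problems

def probe(hostname=CUMA_HOST, port=CUMA_PORT):
    """Connect the way a phone would: validate the whole chain against the
    system CA store, then run the name and validity checks on the leaf."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return check_leaf(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # A trustpoint missing the intermediate typically shows up here as
        # "unable to get local issuer certificate".
        return [f"chain validation failed: {exc.verify_message}"]

if __name__ == "__main__":
    for problem in probe() or ["no problems found"]:
        print(problem)
```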
This will be used for the communication between the ASA and CUMA.
a. Create a self-signed cert on the CUMA server
The following needs to be done on the CUMA server
1 Sign in to the Cisco Unified Mobility Advantage Admin portal.
2 Select the [+] beside Security Context Management.
3 Select Security Contexts.
4 Select Add Context.
5 Enter information:
Do you want to create/upload a new certificate? create
Context Name "cuma"
Description "cuma"
Trust Policy "Trusted Certificates"
Client Authentication Policy "none"
Client Password "changeme"
Server Name cuma.ciscodom.com
Department Name "vsec"
Company Name "cisco"
City "san jose"
State "ca"
Country "US"
b. Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage
The following needs to be done on the CUMA server
1 Select the [+] beside Security Context Management
2 Select Security Contexts.
3 Select Manage Context beside the security context that holds the certificate to download.
4 Select Download Certificate.
If the certificate is a chain (has associated root or intermediate certificates), only the first certificate in the chain is downloaded. This is sufficient for self-signed certificates.
5 Save the file.
c. Adding a self-signed certificate from Cisco Unified Mobility Advantage onto the ASA.
The following needs to be done on the ASA
1. Open the self-signed certificate from Cisco Unified Mobility Advantage in WordPad (not Notepad).
2. Import the certificate into the Cisco Adaptive Security Appliance trust store:
cuma-asa(config)# crypto ca trustpoint cuma-server-id-cert
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca authenticate cuma-server-id-cert
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
** paste the contents from wordpad **
-----END CERTIFICATE-----
We recommend that you configure Cisco Unified Mobility Advantage to require a certificate from the Cisco Adaptive Security Appliance. Use this procedure to provide the required self-signed certificate. The following needs to be done on the ASA:
a. generate a new key pair
cuma-asa(config)# crypto key generate rsa label asa-id-key mod 1024
INFO: The name for the keys will be: asa-id-key
Keypair generation process begin. Please wait...
b. add a new trustpoint
cuma-asa(config)# crypto ca trustpoint asa-self-signed-id-cert
cuma-asa(config-ca-trustpoint)# keypair asa-id-key
cuma-asa(config-ca-trustpoint)# enrollment self
c. enroll the trustpoint
cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-self-signed-id-cert
% The fully-qualified domain name in the certificate will be: cuma-asa.cisco.com
% Include the device serial number in the subject name? [yes/no]: n
Generate Self-Signed Certificate? [yes/no]: y
d. export the certificate to a text file
cuma-asa(config)# crypto ca export asa-self-signed-id-cert identity-certificate
The PEM encoded identity certificate follows:
-----BEGIN CERTIFICATE-----
Certificate data omitted
-----END CERTIFICATE-----
e. copy the above output to a text file and add it to the CUMA server trust store using the following procedure:
1. Select the [+] beside Security Context Management.
2. Select Security Contexts.
3. Select Manage Context beside the Security Context into which you will import the signed certificate.
4. Select Import in the Trusted Certificates bar.
5. Paste the certificate text.
6. Name the certificate.
7. Select Import.
ASA to mobile phone communication is on the outside and the ASA to CUMA communication is on the inside.
In the communication between ASA to mobile clients - The ASA will act as the server
In the communication between ASA to CUMA - The ASA will act as the client
cuma-asa(config)# tls-proxy cuma_proxy
cuma-asa(config-tlsp)#server trust-point asa-to-mobile
cuma-asa(config-tlsp)#client trust-point asa-self-signed-id-cert
cuma-asa(config-tlsp)#no server authenticate-client
cuma-asa(config-tlsp)#client cipher-suite aes128-sha1 aes256-sha1
cuma-asa(config)# class-map cuma-proxy
cuma-asa(config-cmap)# match port tcp eq 5443
cuma-asa(config)# policy-map global_policy
cuma-asa(config-pmap)# class cuma-proxy
cuma-asa(config-pmap-c)# inspect mmp tls-proxy cuma_proxy
cuma-asa(config-pmap-c)# exit
cuma-asa(config)# service-policy global_policy global
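Because the TLS proxy, trustpoints, class-map and access-list all have to agree by name and port before MMP inspection does anything, here is an added lint script (not part of the original page or of Cisco's tooling) that checks those cross-references in a saved `show running-config`. The embedded sample is constructed from this page's own commands and deliberately contains the tls-proxy name mismatch between the `tls-proxy` definition and the `inspect mmp` line.

```python
import re
# Constructed sample, not a captured device config: the CUMA proxy fragments
# from this page, including the tls-proxy name mismatch the page contains.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 100.100.100.10 5443 192.168.1.10 5443
access-list outside-acl permit tcp any host 100.100.100.10 eq 5443
access-group outside-acl in interface outside
crypto ca trustpoint asa-to-mobile
crypto ca trustpoint asa-to-mobile-root
crypto ca trustpoint cuma-server-id-cert
crypto ca trustpoint asa-self-signed-id-cert
tls-proxy cuma_proxy
 server trust-point asa-to-mobile
 client trust-point asa-self-signed-id-cert
 no server authenticate-client
class-map cuma-proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma-proxy
  inspect mmp tls-proxy cuma-proxy
"""

def lint_cuma_proxy(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    trustpoints = set(re.findall(r"^crypto ca trustpoint (\S+)", config, re.M))
    # Each tls-proxy block with the trustpoint it names per role (server/client).
    proxies = {}
    for name, body in re.findall(r"^tls-proxy (\S+)\n((?: .*\n)*)", config, re.M):
        proxies[name] = dict(re.findall(r"^ (server|client) trust-point (\S+)", body, re.M))
    for name, roles in proxies.items():
        for role in ("server", "client"):
            tp = roles.get(role)
            if tp is None:
                findings.append(f"tls-proxy {name}: no {role} trust-point configured")
            elif tp not in trustpoints:
                findings.append(f"tls-proxy {name}: {role} trust-point {tp} is not defined")
    # 'inspect mmp tls-proxy X' must name a tls-proxy that actually exists.
    for ref in re.findall(r"inspect mmp tls-proxy (\S+)", config):
        if ref not in proxies:
            findings.append(f"inspect mmp references undefined tls-proxy {ref}")
    # The class-map port must be permitted by an access-list, and that host must have a static.
    for port in re.findall(r"match port tcp eq (\d+)", config):
        acl = re.search(rf"^access-list \S+ permit tcp any host (\S+) eq {port}$", config, re.M)
        if acl is None:
            findings.append(f"no access-list permits tcp/{port} to the CUMA address")
        elif not re.search(rf"^static \(inside,outside\) (tcp )?{re.escape(acl.group(1))}\b", config, re.M):
            findings.append(f"access-list permits {acl.group(1)} but no static translates it")
    return findings
```

Run `lint_cuma_proxy(open("running-config.txt").read())` against a saved config; on the sample it reports the undefined `cuma-proxy` reference and nothing else.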
The following commands will send debugs and logs to the syslog server.
debugs:
cuma-asa(config)#debug inspect tls-proxy all
cuma-asa(config)#debug mmp
logs:
cuma-asa(config)#logging enable
cuma-asa(config)#logging timestamp
cuma-asa(config)#logging list loglist message 711001
cuma-asa(config)#logging list loglist message 725001-725014
cuma-asa(config)#logging list loglist message 717001-717038
cuma-asa(config)#logging buffer-size 1000000
cuma-asa(config)#logging buffered loglist
cuma-asa(config)#logging host inside 192.168.1.20
cuma-asa(config)#logging trap loglist
The command below sends the debugs to the syslog server if configured
cuma-asa(config)#logging debug-trace
sh cry ca cert
sh cry ca trustpoint
sh run tls-proxy
sh run policy-map
sh run static
I see an issue with this configuration. I applied it to a working ASA and CUCM application, and have had nothing but failures. I found a document on Cisco, http://www.cisco.com/en/US/docs/voice_ip_comm/cuma/7_1/XML/new_installs/cuma71_new_install_config_chapter2.html#concept_CUM_6512943915981711726 and your setup above does not cover how the CUMA server communicates back to the client.
I have not been able to test this out yet. Cisco TAC totally f'd up the certificates on the ASA trying to get it working, and now I have to get the signed cert reissued. One problem I ran into instantly is that the above breaks the EZVPN locations, so I first have to figure out how to exempt those locations from the above NAT.
Now, a question: is the above NAT setup correct? Is this how CUMA communicates back to the client? The reason I ask is that I ran a capture and I see packets from the client to the server, and I see server responses, but the client eventually times out with "server not found" or "unavailable".
So far Cisco TAC has been clueless on how CUMA works; one team passes it to the other team and back and forth. Does ANYONE know how the hell these servers work with the ASA and clients?