Phone Proxy is a superset of TLS Proxy: not only the signaling but also the media is secured for the communication. It supports a Cisco UCM cluster in mixed mode or non-secure mode. The configuration I will show here has the UCM cluster in non-secure mode: TLS/SRTP is terminated on the ASA proxy, and plain TCP/RTP is used between the ASA and CUCM. You must have at least ASA code 8.0(4), although the ASA 8.2 release is recommended as it supports an MTA for each interface. Here I will assume that the ASA is already configured with basic inside and outside interfaces.

Cisco Unified Presence Server

Restrictions and Guidelines:-

  • The phone proxy is not supported in multiple context mode
  • The phone proxy is not supported when the ASA is running in transparent mode. It must be running in routed mode
  • The Base License includes 2 UC Proxy licenses
  • IP phones registering to UCM servers (including the backup server) will require 2 UC Proxy licenses on the ASA
  • An LSC must be installed on 7940/7960 IP phones because they do not come pre-installed with a MIC

Network Overview:-

Inside Network         :
TFTP/CUCM             :
ASA Inside Interface    :
ASA Outside Interface   :
MTP Interface         :
CUCM(external)        :
HTTP Proxy Server     :

Configuration Steps :-

1. Configuring NAT for the CUCM/TFTP Server (optional):

Allow external access to the TFTP service and map the CUCM/TFTP server to an externally accessible IP address.

access-list pp extended permit udp any host eq 69
access-group pp in interface outside

2. Create keys and trustpoint in ASA configuration :

Create a trustpoint for CUCM in the ASA config and generate a certificate for the CTL file so that the phones trust CUCM.

a. Generate the keypair

crypto key generate rsa label cucmtftp_kp modulus 1024

b. Create the trustpoint and associate it with the keypair

crypto ca trustpoint cucm_tftp_server_tp
enrollment self
keypair cucmtftp_kp

c. Enroll the trustpoint

crypto ca enroll cucm_tftp_server_tp

3. Create ASA CTL file :

The CTL file lists the devices the phone can establish trust with (e.g. CUCM).

a. Create the CTL file instance:

ctl-file asactl

b. Create the record-entry for the CUCM/TFTP server and bring the CTL file up:

ctl-file asactl
record-entry cucm-tftp trustpoint cucm_tftp_server_tp
no shut

4. Create a TLS Proxy instance :

The TLS Proxy instance is used to establish trust between the phone and the ASA's Phone Proxy functions.

a. Create the TLS Proxy instance:

tls-proxy asatlsp

b. Set the server trustpoint to the trustpoint the ASA created internally when the CTL file was created in step 3 (its name is _internal_PP_ followed by the ctl-file name, asactl here):

tls-proxy asatlsp
server trust-point _internal_PP_asactl

5.  Create a Phone proxy instance :

Create a Phone Proxy instance and specify the phone proxy policy and settings in the following steps:

a. Create the phone-proxy instance:

phone-proxy asa_phone_proxy

b. Configure the TFTP server using its real internal address, not the public address:

tftp-server address interface inside

c. Specify a single dedicated media-termination address, then reference the tls-proxy instance created in step 4 and the ctl-file instance created in step 3:

media-termination address
tls-proxy asatlsp
ctl-file asactl

d. (Optional) Configure the timeout for the secure-phone entries:

timeout secure-phones

e. (Optional) Enable the service settings (GARP, PC port, voice VLAN, etc.) on the phone:

no disable service-settings

f. (Optional) Configure an HTTP proxy for services:

You must provision an HTTP proxy server for the Corporate Directory or web services on the phone to work.

proxy-server address interface outside

g. (Optional) Configure Cisco IP Communicator (CIPC) softphones to operate in authenticated mode:

cipc security-mode authenticated

The overall configuration from step 5 should look like this:

phone-proxy asa_phone_proxy
tftp-server address interface inside
media-termination address
tls-proxy asatlsp
ctl-file asactl
cipc security-mode authenticated
timeout secure-phones
no disable service-settings
proxy-server address interface outside

6. Define the policies :

Define the policies that enable the phone proxy for SIP and Skinny (SCCP) inspection.

a. Configure the classes of traffic to be inspected, one for secure SCCP traffic and one for secure SIP traffic:

class-map sec_sccp
match port tcp eq 2443
class-map sec_sip
match port tcp eq 5061

b. Configure the policy-map and attach the action to the class of traffic:

policy-map voice_policy
class sec_sccp
inspect skinny phone-proxy asa_phone_proxy
class sec_sip
inspect sip phone-proxy asa_phone_proxy

c. Enable the service policy on the outside interface:

service-policy voice_policy interface outside
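Steps 3 to 6 only work if the names line up: the phone-proxy instance must reference an existing ctl-file and tls-proxy, the tls-proxy's server trust-point must be the internally generated _internal_PP_<ctl-file name>, and every inspect line in the policy-map must name the same phone-proxy instance. The following Python checker, an added example that is not part of the original post, parses a pasted ASA configuration and reports any of those mismatches. The sample config is constructed from the page's own commands (addresses omitted, as on the page).

```python
# Constructed sample: steps 3-6 of the page joined into one config with all
# cross-references consistent (addresses omitted, as on the page).
SAMPLE_CONFIG = """\
ctl-file asactl
 record-entry cucm-tftp trustpoint cucm_tftp_server_tp
tls-proxy asatlsp
 server trust-point _internal_PP_asactl
phone-proxy asa_phone_proxy
 tls-proxy asatlsp
 ctl-file asactl
class-map sec_sccp
 match port tcp eq 2443
policy-map voice_policy
 class sec_sccp
  inspect skinny phone-proxy asa_phone_proxy
"""

def parse_blocks(config):
    """Map each top-level command line to its indented sub-commands (stripped)."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current, blocks[line.strip()] = line.strip(), []
    return blocks

def _arg(lines, keyword):
    """Return the token that follows keyword in the first matching sub-command."""
    hits = [l[len(keyword):].split()[0] for l in lines if l.startswith(keyword + " ")]
    return hits[0] if hits else None

def check_phone_proxy(config):
    """Return a list of findings; an empty list means the references line up."""
    b, findings = parse_blocks(config), []
    pp = next((k.split()[1] for k in b if k.startswith("phone-proxy ")), None)
    if pp is None:
        return ["no phone-proxy instance configured"]
    sub = b["phone-proxy " + pp]
    tlsp, ctl = _arg(sub, "tls-proxy"), _arg(sub, "ctl-file")
    if f"ctl-file {ctl}" not in b:
        findings.append(f"phone-proxy {pp} references missing ctl-file {ctl}")
    if f"tls-proxy {tlsp}" not in b:
        findings.append(f"phone-proxy {pp} references missing tls-proxy {tlsp}")
    elif _arg(b[f"tls-proxy {tlsp}"], "server trust-point") != f"_internal_PP_{ctl}":
        findings.append(f"tls-proxy {tlsp} must use server trust-point _internal_PP_{ctl}")
    for key, lines in b.items():  # every "inspect ... phone-proxy X" must name this instance
        if key.startswith("policy-map "):
            findings += [f"{key}: '{l}' does not use phone-proxy {pp}"
                         for l in lines if "phone-proxy" in l and l.split()[-1] != pp]
    return findings
```

Paste the output of `show running-config` into `check_phone_proxy` before applying the service policy; a typo in the ctl-file name is the most common reason the internal trustpoint reference fails.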

7. Import CUCM Certificates :

Finally, import the CUCM certificates, i.e. the MIC issuer certificates or the CAPF certificate for LSC provisioning.

Depending on your deployment, you will need to import the Cisco MIC issuer certificates or the CAPF certificate used for LSC certificates.

Import the following three certificates, which are stored on the Cisco UCM. The security appliance requires them for the phone proxy.

The configuration would look like this:

crypto ca trustpoint CAP-RTP-001_trustpoint
enrollment terminal
crypto ca authenticate CAP-RTP-001_trustpoint

crypto ca trustpoint CAP-RTP-002_trustpoint
enrollment terminal
crypto ca authenticate CAP-RTP-002_trustpoint

crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint
enrollment terminal
crypto ca authenticate Cisco_Manufacturing_CA_trustpoint

If LSC provisioning is required or you have LSC-enabled IP phones, you must also import the CAPF certificate from the Cisco UCM:

crypto ca trustpoint CAPF_trustpoint
enrollment terminal
crypto ca authenticate CAPF_trustpoint

Debugging and Verification :

The following commands might be useful.

Debug Commands :-

debug phone-proxy
debug phone-proxy tftp
debug phone-proxy media
debug phone-proxy signaling

Show Commands :-

show phone-proxy secure-phones
show phone-proxy signaling-sessions
show phone-proxy media-sessions
show tls-proxy session