Cisco ASA Firewall Configuration for Mobility Proxy

From DocWiki

Jump to: navigation, search

Contents

Introduction

This page provides information on how the Cisco ASA 5500 Series Adaptive Security Appliance is configured as Mobility Advantage Proxy during Unified Communications solution testing.

The configuration information is based primarily on system testing performed on test beds having Cisco ASA configured during Cisco Unified Communications system releases.

The page does not contain detailed step-by-step procedures; for detailed information about installing, configuring, and administering the Cisco ASA 5500 Series Adaptive Security Appliance, refer to the pointers in the Related Documentation section.

Design

For information on design considerations and guidelines for deploying the Cisco ASA 5500 Series Adaptive Security Appliance in a UC environment, see the Voice Security chapter of the Cisco Unified Communications Manager 8.x Solution Reference Network Design (SRND).

For information on specific deployments and sites where Cisco ASA 5500 Series Adaptive Security Appliance solution testing was performed, see the Tested Deployments and Site Models for IPT Enterprise.

Topologies

This section provides information on where the Cisco ASA 5500 Series Adaptive Security Appliance is located relative to other components when it is used as a Mobility Proxy during Cisco Unified Communications solution testing.

The purpose of the ASA Mobility Advantage Proxy is to provide secure access to the enterprise network for Cisco Unified Mobility Advantage clients. It acts as a TLS proxy and includes an inspection engine to validate the Cisco UMA Mobile Multiplexing Protocol (MMP).

There are two supported deployment modes depending on whether the ASA Mobility Advantage Proxy resides on the main Internet firewall or on an ASA dedicated to the Mobility Advantage Proxy. In the latter case the ASA Mobility Advantage Proxy is located in the DMZ.

Figure 1 provides a schematic overview of the topology where the ASA Mobility Advantage Proxy resides on the main Internet firewall.

Asa-cuma-proxy-inline-deployment.jpg

Figure 2 provides a schematic overview of the topology where the ASA Mobility Advantage Proxy resides in the DMZ.

Asa-cuma-proxy-off-path-deployment.jpg

Configuration Details

This section provides the high-level tasks and related information for configuring the Cisco ASA 5500 Series Adaptive Security Appliance as a Mobility Advantage Proxy.

The following table provide this information:

  • Configuration Tasks: List of high-level configuration tasks
  • Solution Test Specifics: Solution test variations from procedures and settings documented in the product documentation.
  • More Information: Links to product documentation for detailed configuration information related to the high-level tasks.

Table 1: Cisco ASA 5500 Series Adaptive Security Appliance Configuration as Mobility Advantage Proxy

Configuration Tasks Solution Test Specifics More Information
1. Physical installation and basic system configuration. N/A

Cisco ASA 5500 Series Install and Upgrade Guides
Configuring Interfaces
Configuring Basic Settings
Information About High Availability

2. Licensing. N/A

Licensing for the Cisco Mobility Advantage Proxy Feature

3. NAT configuration N/A

Mobility Advantage Proxy Using NAT/PAT
Configuring NAT

4. Mobility Advantage Proxy configuration N/A Configuring Cisco Mobility Advantage

Configuration Data

object network CUMA-CLIENT-CONNECT
 host <CUMA local IP>
 nat (inside,outside) static <CUMA global IP> service tcp 5443 6665 
!
object network CUMA-CLIENT-DOWNLOAD
 host <CUMA local IP>
 nat (inside,outside) static <CUMA global IP> service tcp 9080 6666
!
object network CLIENTS
 subnet 0.0.0.0 0.0.0.0
 nat (outside,inside) dynamic <clients' local IP address>

The CLIENTS NAT rule is used to translate all client addresses to a local address. This is necessary in the off-path deployment; packets sent to this address must be routed back to the CUMA Proxy.

access-list OUTSIDE-ACL extended permit tcp any host <CUMA local IP> eq 5443 
access-list OUTSIDE-ACL extended permit tcp any host <CUMA local IP> eq 9080 
!
access-list MMP-ACL extended permit tcp any host <CUMA local IP> eq 5443
!
access-group OUTSIDE-ACL in interface outside
!
crypto ca trustpoint cuma-server-abi
 enrollment terminal
 crl configure
crypto ca trustpoint gbcuma1-self
 enrollment self
 keypair gbcuma1-self-key
 crl configure
crypto ca trustpoint gbcuma1.verisign.trustpoint
 enrollment terminal
 fqdn gbcuma1.cisco.com
 subject-name CN=gbcuma1.cisco.com, OU=IPCBU, O=Cisco Systems, C=US, St=California, L=San Jose
 keypair gbcuma1.verisign.key
 crl configure
crypto ca trustpoint verisign.trustpoint
 enrollment terminal
 fqdn gbcuma1.cisco.com
 subject-name CN=gbcuma1.cisco.com, OU=IPCBU, O=Cisco Systems, C=US, St=California, L=San Jose
 keypair gbcuma1.verisign.key
 no client-types
 crl configure
crypto ca trustpoint tp-link-to-cuma
 enrollment terminal
 crl configure
crypto ca certificate chain gbcuma1-self
 <certificate data omitted>
crypto ca certificate chain gbcuma1.verisign.trustpoint
 <certificate data omitted>
crypto ca certificate chain verisign.trustpoint
 <certificate data omitted>
crypto ca certificate chain tp-link-to-cuma
 <certificate data omitted>
!
tls-proxy CUMA-PROXY
 server trust-point verisign.trustpoint
 no server authenticate-client
 client trust-point gbcuma1-self
 client cipher-suite aes128-sha1 aes256-sha1
!
class-map CUMA-PROXY
 match access-list MMP-ACL
!
policy-map global-policy
 class CUMA-PROXY
  inspect mmp tls-proxy CUMA-PROXY 
!
service-policy global-policy global

Related Documentation

For related information on Cisco ASA 5500 Series Adaptive Security Appliance installation and configuration, see:

  1. Cisco ASA 5500 Series Install and Upgrade Guides
  2. Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
  3. Cisco ASA 5500 Series Configuration Guide using ASDM, 8.3

For design guidelines, see:

  1. Voice Security chapter of the Cisco Unified Communications Manager 8.x Solution Reference Network Design (SRND).

For IP telephony configuration articles and test results, see:

  1. IP Telephony Test Results
  2. IP Telephony System Configurations

Rating: 0.0/5 (0 votes cast)

Personal tools