Cisco ASA Firewall Configuration for Mobility Proxy
From DocWiki
Contents |
Introduction
This page provides information on how the Cisco ASA 5500 Series Adaptive Security Appliance is configured as Mobility Advantage Proxy during Unified Communications solution testing.
The configuration information is based primarily on system testing performed on test beds having Cisco ASA configured during Cisco Unified Communications system releases.
The page does not contain detailed step-by-step procedures; for detailed information about installing, configuring, and administering the Cisco ASA 5500 Series Adaptive Security Appliance, refer to the pointers in the Related Documentation section.
Design
For information on design considerations and guidelines for deploying the Cisco ASA 5500 Series Adaptive Security Appliance in a UC environment, see the Voice Security chapter of the Cisco Unified Communications Manager 8.x Solution Reference Network Design (SRND).
For information on specific deployments and sites where Cisco ASA 5500 Series Adaptive Security Appliance solution testing was performed, see the Tested Deployments and Site Models for IPT Enterprise.
Topologies
This section provides information on where the Cisco ASA 5500 Series Adaptive Security Appliance is located relative to other components when it is used as a Mobility Proxy during Cisco Unified Communications solution testing.
The purpose of the ASA Mobility Advantage Proxy is to provide secure access to the enterprise network for Cisco Unified Mobility Advantage clients. It acts as a TLS proxy and includes an inspection engine to validate the Cisco UMA Mobile Multiplexing Protocol (MMP).
There are two supported deployment modes depending on whether the ASA Mobility Advantage Proxy resides on the main Internet firewall or on an ASA dedicated to the Mobility Advantage Proxy. In the latter case the ASA Mobility Advantage Proxy is located in the DMZ.
Figure 1 provides a schematic overview of the topology where the ASA Mobility Advantage Proxy resides on the main Internet firewall.
Figure 2 provides a schematic overview of the topology where the ASA Mobility Advantage Proxy resides in the DMZ.
Configuration Details
This section provides the high-level tasks and related information for configuring the Cisco ASA 5500 Series Adaptive Security Appliance as a Mobility Advantage Proxy.
The following table provide this information:
- Configuration Tasks: List of high-level configuration tasks
- Solution Test Specifics: Solution test variations from procedures and settings documented in the product documentation.
- More Information: Links to product documentation for detailed configuration information related to the high-level tasks.
Table 1: Cisco ASA 5500 Series Adaptive Security Appliance Configuration as Mobility Advantage Proxy
| Configuration Tasks | Solution Test Specifics | More Information |
| 1. Physical installation and basic system configuration. | N/A |
Cisco ASA 5500 Series Install and Upgrade Guides |
| 2. Licensing. | N/A | |
| 3. NAT configuration | N/A | |
| 4. Mobility Advantage Proxy configuration | N/A | Configuring Cisco Mobility Advantage |
Configuration Data
object network CUMA-CLIENT-CONNECT host <CUMA local IP> nat (inside,outside) static <CUMA global IP> service tcp 5443 6665 ! object network CUMA-CLIENT-DOWNLOAD host <CUMA local IP> nat (inside,outside) static <CUMA global IP> service tcp 9080 6666 ! object network CLIENTS subnet 0.0.0.0 0.0.0.0 nat (outside,inside) dynamic <clients' local IP address>
The CLIENTS NAT rule is used to translate all client addresses to a local address. This is necessary in the off-path deployment; packets sent to this address must be routed back to the CUMA Proxy.
access-list OUTSIDE-ACL extended permit tcp any host <CUMA local IP> eq 5443 access-list OUTSIDE-ACL extended permit tcp any host <CUMA local IP> eq 9080 ! access-list MMP-ACL extended permit tcp any host <CUMA local IP> eq 5443 ! access-group OUTSIDE-ACL in interface outside ! crypto ca trustpoint cuma-server-abi enrollment terminal crl configure crypto ca trustpoint gbcuma1-self enrollment self keypair gbcuma1-self-key crl configure crypto ca trustpoint gbcuma1.verisign.trustpoint enrollment terminal fqdn gbcuma1.cisco.com subject-name CN=gbcuma1.cisco.com, OU=IPCBU, O=Cisco Systems, C=US, St=California, L=San Jose keypair gbcuma1.verisign.key crl configure crypto ca trustpoint verisign.trustpoint enrollment terminal fqdn gbcuma1.cisco.com subject-name CN=gbcuma1.cisco.com, OU=IPCBU, O=Cisco Systems, C=US, St=California, L=San Jose keypair gbcuma1.verisign.key no client-types crl configure crypto ca trustpoint tp-link-to-cuma enrollment terminal crl configure crypto ca certificate chain gbcuma1-self <certificate data omitted> crypto ca certificate chain gbcuma1.verisign.trustpoint <certificate data omitted> crypto ca certificate chain verisign.trustpoint <certificate data omitted> crypto ca certificate chain tp-link-to-cuma <certificate data omitted> ! tls-proxy CUMA-PROXY server trust-point verisign.trustpoint no server authenticate-client client trust-point gbcuma1-self client cipher-suite aes128-sha1 aes256-sha1 ! class-map CUMA-PROXY match access-list MMP-ACL ! policy-map global-policy class CUMA-PROXY inspect mmp tls-proxy CUMA-PROXY ! service-policy global-policy global
Related Documentation
For related information on Cisco ASA 5500 Series Adaptive Security Appliance installation and configuration, see:
- Cisco ASA 5500 Series Install and Upgrade Guides
- Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
- Cisco ASA 5500 Series Configuration Guide using ASDM, 8.3
For design guidelines, see:
- Voice Security chapter of the Cisco Unified Communications Manager 8.x Solution Reference Network Design (SRND).
For IP telephony configuration articles and test results, see:
