Cisco Unified Presence, Release 7.x -- Sample Cisco Adaptive Security Appliance Configuration


Sample PAT Commands and Access Lists

This section provides a sample configuration for a Cisco Unified Presence server that is federating with a foreign OCS enterprise deployment. There are two additional intercluster Cisco Unified Presence servers in the local enterprise deployment.

The following values are used in this sample configuration:

  • Public Cisco Unified Presence IP Address = 10.10.10.10
  • Private Routing Cisco Unified Presence IP Address = 1.1.1.1
  • Private Second Cisco Unified Presence IP Address = 2.2.2.2
  • Private Third Cisco Unified Presence IP Address = 3.3.3.3
  • Peer Auth Listener Port on Cisco Unified Presence = 5062
  • Netmask = 255.255.255.255
  • Foreign Domain = abc.com
  • Microsoft OCS External Interface = 20.20.20.20


These PAT commands are defined for the (routing) Cisco Unified Presence server:

static (inside,outside) tcp 10.10.10.10 5061 1.1.1.1 5062 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 5070 1.1.1.1 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5070 1.1.1.1 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5060 1.1.1.1 5060 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5062 1.1.1.1 5061 netmask 255.255.255.255


These PAT commands are defined for the two additional intercluster Cisco Unified Presence servers in the enterprise deployment:

static (inside,outside) udp 10.10.10.10 45070 2.2.2.2 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 45070 2.2.2.2 5070 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 40000 2.2.2.2 5062 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 50000 3.3.3.3 5062 netmask 255.255.255.255


The corresponding access lists for this configuration are provided below. Note that for each foreign domain that you federate with, you must add access lists similar to these access lists for the domain abc.com.

access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061
access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 5061
access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061
access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061
access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 10.10.10.10
access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 10.10.10.10


Associate each of your access lists with a class map:

class-map ent_cup_to_abc
 match access-list ent_cup_to_abc
class-map ent_abc_to_cup
 match access-list ent_abc_to_cup
class-map ent_secondcup_to_abc
 match access-list ent_secondcup_to_abc
class-map ent_thirdcup_to_abc
 match access-list ent_thirdcup_to_abc
class-map ent_abc_to_secondcup
 match access-list ent_abc_to_secondcup
class-map ent_abc_to_thirdcup
 match access-list ent_abc_to_thirdcup


Update the global policy map for each class map you created. In this example, the TLS proxy instance for TLS connections initiated by Cisco Unified Presence is called "ent_cup_to_foreign", and the TLS proxy instance for TLS connections initiated by a foreign domain is called "ent_foreign_to_cup". Each outbound class (source is a private Cisco Unified Presence host) is bound to ent_cup_to_foreign, and each inbound class (source is the foreign OCS interface) is bound to ent_foreign_to_cup:

policy-map global_policy
 class ent_cup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_abc_to_cup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
 class ent_secondcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_thirdcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_abc_to_secondcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
 class ent_abc_to_thirdcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
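The PAT statements, access lists, class maps and policy-map classes above form one chain, and a mistake in any link (an access list with no port match, a class bound to the wrong TLS proxy, a private host with no translation) is easy to miss when reading the CLI by hand. The following script is an added example, not part of the Cisco documentation or the ASA itself: it parses the command shapes used on this page from a constructed copy of the sample configuration and reports the gaps a reviewer would check for. The `audit` and `parse` function names, the regular expressions, and the treatment of any source other than the foreign OCS address as "outbound" are assumptions of this example; the configuration lines are copied from the page, including the two inbound access lists that appear without an `eq` port.

```python
import re

# Constructed copy of the page's sample configuration (ASA 7.x-style syntax).
SAMPLE_CONFIG = """
static (inside,outside) tcp 10.10.10.10 5061 1.1.1.1 5062 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 5070 1.1.1.1 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5070 1.1.1.1 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5060 1.1.1.1 5060 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5062 1.1.1.1 5061 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 45070 2.2.2.2 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 45070 2.2.2.2 5070 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 40000 2.2.2.2 5062 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 50000 3.3.3.3 5062 netmask 255.255.255.255
access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061
access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 5061
access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061
access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061
access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 10.10.10.10
access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 10.10.10.10
class-map ent_cup_to_abc
 match access-list ent_cup_to_abc
class-map ent_abc_to_cup
 match access-list ent_abc_to_cup
class-map ent_secondcup_to_abc
 match access-list ent_secondcup_to_abc
class-map ent_thirdcup_to_abc
 match access-list ent_thirdcup_to_abc
class-map ent_abc_to_secondcup
 match access-list ent_abc_to_secondcup
class-map ent_abc_to_thirdcup
 match access-list ent_abc_to_thirdcup
policy-map global_policy
 class ent_cup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_abc_to_cup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
 class ent_secondcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_thirdcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_abc_to_secondcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
 class ent_abc_to_thirdcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
"""

# Only the command shapes that occur on the page are recognised (assumption).
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) host (\S+) host (\S+)(?: eq (\d+))?$")


def parse(config):
    """Return (statics, acls, class_maps, policy) from the page's command shapes."""
    statics, acls, class_maps, policy = [], {}, {}, {}
    current = None  # class-map or policy-map class currently being filled
    for raw in config.splitlines():
        line = raw.strip()
        if (m := STATIC_RE.match(line)):
            proto, mip, mport, rip, rport = m.groups()
            statics.append((proto, mip, int(mport), rip, int(rport)))
        elif (m := ACL_RE.match(line)):
            name, proto, src, dst, port = m.groups()
            acls[name] = (proto, src, dst, int(port) if port else None)
        elif line.startswith("class-map ") or line.startswith("class "):
            current = line.split()[1]
        elif line.startswith("match access-list "):
            class_maps[current] = line.split()[2]
        elif line.startswith("inspect sip ") and "tls-proxy" in line:
            policy[current] = line.split()[-1]
    return statics, acls, class_maps, policy


def audit(config, public_ip, foreign_ip, outbound_proxy, inbound_proxy):
    """Report gaps in the static/ACL/class/TLS-proxy chain; [] means consistent."""
    statics, acls, class_maps, policy = parse(config)
    findings = []
    # TCP ports the firewall actually translates on the public address.
    mapped_tcp = {mport for proto, mip, mport, _, _ in statics if proto == "tcp" and mip == public_ip}
    translated = {rip for _, _, _, rip, _ in statics}
    for cls, proxy in policy.items():
        acl_name = class_maps.get(cls)
        if acl_name not in acls:
            findings.append(f"{cls}: class has no class-map/access-list behind it")
            continue
        proto, src, dst, port = acls[acl_name]
        if src == foreign_ip:  # inbound: foreign OCS -> public address
            if dst != public_ip:
                findings.append(f"{acl_name}: inbound rule must target the public address {public_ip}")
            if port is None:
                findings.append(f"{acl_name}: no 'eq <port>', permits every TCP port on {dst}")
            elif port not in mapped_tcp:
                findings.append(f"{acl_name}: port {port} has no tcp static on {public_ip}")
            if proxy != inbound_proxy:
                findings.append(f"{cls}: inbound traffic bound to {proxy}, expected {inbound_proxy}")
        else:  # outbound: private Cisco Unified Presence host -> foreign OCS
            if src not in translated:
                findings.append(f"{acl_name}: source {src} has no static translation")
            if proxy != outbound_proxy:
                findings.append(f"{cls}: outbound traffic bound to {proxy}, expected {outbound_proxy}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "10.10.10.10", "20.20.20.20", "ent_cup_to_foreign", "ent_foreign_to_cup"):
        print(f)
```

Run against the page's own values, the audit reports only the two inbound access lists that lack an `eq` port; every other class is bound to the proxy that matches its direction and every private host has a translation. The direction test keys on the foreign interface address because that is the one endpoint both inbound lists share; in a deployment with several federated domains you would pass the set of their external addresses instead.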

