Cisco Systems ASA 5585-X User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 16: Configuring the Cisco Phone Proxy
Prerequisites for the Phone Proxy
For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or 
gateway, add routes to the media termination address on the ASA interface that the IP phones 
communicate with so that the phone can reach the media termination address.
Certificates from the Cisco UCM
Import the following certificates, which are stored on the Cisco UCM. These certificates are required by 
the ASA for the phone proxy. 
- Cisco_Manufacturing_CA
- CAP-RTP-001
- CAP-RTP-002
- CAPF certificate (Optional)
If LSC provisioning is required or you have LSC-enabled IP phones, you must import the CAPF 
certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you must import 
all of them to the ASA.
Note: You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified 
Communications Manager configuration guide for information. 
See 
. For example, the CA Manufacturer 
certificate is required by the phone proxy to validate the IP phone certificate. 
DNS Lookup Prerequisites
If you have a fully qualified domain name (FQDN) configured for the Cisco UCM rather than an 
IP address, you must configure and enable DNS lookup on the ASA. For information about the 
dns domain-lookup command and how to use it to configure DNS lookup, see the command reference. 
After configuring the DNS lookup, make sure that the ASA can ping the Cisco UCM with the 
configured FQDN.
You must configure DNS lookup when you have a CAPF service enabled and the Cisco UCM is not 
running on the Publisher but the Publisher is configured with a FQDN instead of an IP address. 
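The DNS lookup configuration and reachability check described above, as an added example that is not taken from the Cisco guide. The interface name inside, the resolver address 192.0.2.53, the domain example.com and the host name ucm-pub are constructed placeholders; substitute your own values.

```cisco
! Constructed example: all names and addresses below are placeholders.
!
! Enable DNS lookup on the interface through which the resolver is reached.
ciscoasa(config)# dns domain-lookup inside
!
! Define the resolver and default domain in the default DNS server group.
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.0.2.53
ciscoasa(config-dns-server-group)# domain-name example.com
ciscoasa(config-dns-server-group)# exit
!
! Confirm that the ASA resolves and reaches the Cisco UCM by its FQDN.
ciscoasa# ping ucm-pub.example.com
!
! Review what was configured and what the ASA has cached.
ciscoasa# show running-config dns
ciscoasa# show dns-hosts
```

If the ping fails, check show dns-hosts first to separate a name-resolution problem from a routing or ACL problem between the ASA and the Cisco UCM.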
Cisco Unified Communications Manager Prerequisites
The TFTP server must reside on the same interface as the Cisco UCM.
The Cisco UCM can be on a private network on the inside but you need to have a static mapping for 
the Cisco UCM on the ASA to a public routable address.
If NAT is required for Cisco UCM, it must be configured on the ASA, not on the existing firewall.
ACL Rules
If the phone proxy is deployed behind an existing firewall, access-list rules to permit signaling, TFTP 
requests, and media traffic to the phone proxy must be configured.