Cisco Systems ASA 5585-X User Manual

18-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18      Configuring Cisco Mobility Advantage
Configuration Examples for Cisco Mobility Advantage
! static NAT for the Cisco UMA server at 10.1.1.2
object network obj-10.1.1.2-01
host 10.1.1.2
nat (inside,outside) static 192.0.2.140
! import the TLS proxy's own certificate and private key (PKCS12)
crypto ca import cuma_proxy pkcs12 sample_passphrase
<cut-paste base 64 encoded pkcs12 here>
quit
! for CUMA server's self-signed certificate
crypto ca trustpoint cuma_server
enrollment terminal
crypto ca authenticate cuma_server
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
MIIDRTCCAu+gAwIBAgIQKVcqP/KW74VP0NZzL+JbRTANBgkqhkiG9w0BAQUFADCB
[ certificate data omitted ]
/7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ==
quit
! TLS proxy: the ASA presents the cuma_proxy certificate to clients
tls-proxy cuma_proxy
server trust-point cuma_proxy
no server authenticate-client
client cipher-suite aes128-sha1 aes256-sha1
! classify CUMA client traffic (TCP 5443) and apply MMP inspection globally
class-map cuma_proxy
match port tcp eq 5443
policy-map global_policy
class cuma_proxy
inspect mmp tls-proxy cuma_proxy
service-policy global_policy global
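MMP inspection only takes effect when the whole chain (service-policy, policy-map class, class-map, tls-proxy, imported trust-point) is wired together; a typo in one name leaves the inspection silently unapplied. The following added check (not part of the guide or of any Cisco tool) parses a constructed copy of the example above and reports any break in that chain; the object names and the BAD variant are assumptions made up for the demonstration.

```python
# Constructed sample (not copied from the guide): the MMP inspection chain of
# the example above, with certificate bodies and unrelated lines left out.
GOOD = """\
crypto ca import cuma_proxy pkcs12 sample_passphrase
tls-proxy cuma_proxy
 server trust-point cuma_proxy
class-map cuma_proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma_proxy
  inspect mmp tls-proxy cuma_proxy
service-policy global_policy global
"""
# Same config, but the trust-point names a certificate that was never imported.
BAD = GOOD.replace("trust-point cuma_proxy", "trust-point cuma_prxy")

def parse_asa(text):
    # Collect only the objects the inspection chain depends on.
    cfg = {"trustpoints": set(), "tls-proxy": {}, "class-map": {},
           "policy-map": {}, "service-policy": []}
    ctx = {"classes": {}}
    for raw in text.splitlines():
        w = raw.split()
        if len(w) > 3 and w[:2] == ["crypto", "ca"] and w[2] in ("import", "trustpoint"):
            cfg["trustpoints"].add(w[3])
        elif w and w[0] in ("tls-proxy", "class-map", "policy-map"):
            ctx = cfg[w[0]].setdefault(w[1], {"classes": {}})  # new block
        elif w[:1] == ["service-policy"]:
            cfg["service-policy"].append(w[1])
        elif w[:2] == ["server", "trust-point"]:
            ctx["trust_point"] = w[2]
        elif w[:1] == ["class"]:                      # class inside a policy-map
            ctx["classes"][w[1]] = None
            ctx["current"] = w[1]
        elif w[:3] == ["inspect", "mmp", "tls-proxy"]:
            ctx["classes"][ctx["current"]] = w[3]
    return cfg

def check_mmp_chain(text):
    # List the breaks in service-policy -> class -> tls-proxy -> trust-point.
    cfg, problems = parse_asa(text), []
    for pm in cfg["service-policy"]:
        for cls, proxy in cfg["policy-map"].get(pm, {"classes": {}})["classes"].items():
            if cls not in cfg["class-map"]:
                problems.append(f"class-map {cls} not defined")
            if proxy not in cfg["tls-proxy"]:
                problems.append(f"class {cls}: tls-proxy {proxy} not defined")
            elif cfg["tls-proxy"][proxy].get("trust_point") not in cfg["trustpoints"]:
                problems.append(f"tls-proxy {proxy}: trust-point not imported")
    return problems
```

Run it against `show running-config` output before a change window; an empty list means every reference in the chain resolves.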
Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only
As shown in (scenario 2), the ASA functions as the TLS proxy only and works with an existing firewall. The ASA and the corporate firewall are performing NAT. The corporate firewall will not be able to predict which client from the Internet needs to connect to the corporate Cisco UMA server. Therefore, to support this deployment, you can take the following actions:

• Set up a NAT rule for inbound traffic that translates the destination IP address 192.0.2.41 to 172.16.27.41.

• Set up an interface PAT rule for inbound traffic translating the source IP address of every packet so that the corporate firewall does not need to open up a wildcard pinhole. The Cisco UMA server receives packets with the source IP address 192.0.2.183.
hostname(config)# object network obj-0.0.0.0-01
hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0
hostname(config-network-object)# nat (outside,inside) dynamic 192.0.2.183