Cisco Systems ASA 5585-X Manual De Usuario
20-24
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 20 Configuring Cisco Intercompany Media Engine Proxy
Configuring Cisco Intercompany Media Engine Proxy
What to Do Next
Once you have created the TLS proxy, enable it for SIP inspection.
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
Enable the TLS proxy for SIP inspection and define policies for both entities that could initiate the
connection.
connection.
The example command lines in this task are based on a basic (in-line) deployment. See
for an illustration explaining the example command lines in this task.
Note
If you want to change any Cisco Intercompany Media Engine Proxy settings after you enable SIP
inspection, you must enter the no service-policy
inspection, you must enter the no service-policy
command, and then reconfigure the service policy as
described in this procedure. Removing and reconfiguring the service policy does not affect existing calls;
however, the first call traversing the Cisco Intercompany Media Engine Proxy will fail. Enter the clear
connection command and restart the ASA.
however, the first call traversing the Cisco Intercompany Media Engine Proxy will fail. Enter the clear
connection command and restart the ASA.
To enable SIP inspection for the Cisco Intercompany Media Engine Proxy, perform the following steps:
Step 6
hostname(config-tlsp)# server trust-point
proxy_trustpoint
Example:
hostname(config-tlsp)# server trust-point local-ent
For inbound connections, specifies the proxy
trustpoint certificate presented during TLS
handshake. The certificate must be owned by the
adaptive security appliance (identity certificate).
trustpoint certificate presented during TLS
handshake. The certificate must be owned by the
adaptive security appliance (identity certificate).
Where proxy_trustpoint specifies the trustpoint
defined by the crypto ca trustpoint command in
defined by the crypto ca trustpoint command in
.
Because the TLS proxy has strict definition of client
proxy and server proxy, two TLS proxy instances
must be defined if either of the entities could initiate
the connection.
proxy and server proxy, two TLS proxy instances
must be defined if either of the entities could initiate
the connection.
Step 7
hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1 3des-sha1 null-sha1
For inbound connections, controls the TLS
handshake parameter for the cipher suite.
handshake parameter for the cipher suite.
Where
cipher_suite
includes des-sha1, 3des-sha1,
aes128-sha1, aes256-sha1, or null-sha1.
Step 8
hostname(config-tlsp)# exit
Exits from the TSL proxy configuration mode.
Step 9
hostname(config)# ssl encryption 3des-shal
aes128-shal
[algorithms]
Specifies the encryption algorithms that the
SSL/TLS protocol uses. Specifying the 3des-shal
and aes128-shal is required. Specifying other
algorithms is optional.
SSL/TLS protocol uses. Specifying the 3des-shal
and aes128-shal is required. Specifying other
algorithms is optional.
Note
The Cisco Intercompany Media Engine
Proxy requires that you use strong
encryption. You must specify this command
when the proxy is licensed using a K9
license.
Proxy requires that you use strong
encryption. You must specify this command
when the proxy is licensed using a K9
license.
Command
Purpose