Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 16: Configuring the Cisco Phone Proxy
Configuration Examples for the Phone Proxy
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn my-ldc-ca.example.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
crypto ca enroll ldc_server
tls-proxy my_proxy
 server trust-point _internal_PP_myctl
 client ldc issuer ldc_server
 client ldc keypair phone_common
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.25 interface inside
 address 10.10.0.25 interface outside
phone-proxy mypp
 media-termination my_mediaterm
 tftp-server address 192.0.2.101 interface inside
 tls-proxy mytls
 ctl-file myctl
 cluster-mode mixed
class-map sec_sccp
 match port tcp eq 2443
class-map sec_sip
 match port tcp eq 5061
policy-map pp_policy
 class sec_sccp
  inspect skinny phone-proxy mypp
 class sec_sip
  inspect sip phone-proxy mypp
service-policy pp_policy interface outside
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
 shows an example of the configuration for a mixed-mode Cisco UCM cluster where LSC 
provisioning is required using the following topology. 
Note
Doing LSC provisioning for remote IP phones is not recommended because it requires that the IP phones 
first register and they have to register in nonsecure mode. Having the IP phones register in nonsecure 
mode requires the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA. If 
possible, LSC provisioning should be done inside the corporate network before giving the IP phones to 
the end-users.
In this sample, you create an ACL to allow the IP phones to contact the TFTP server and to allow the IP 
phones to register in nonsecure mode by opening the nonsecure port for SIP and SCCP as well as the 
CAPF port for LSC provisioning. 
Additionally, you create the CAPF trustpoint by copying and pasting the CAPF certificate from the Cisco 
UCM Certificate Management software.
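
The ACL described above opens the nonsecure SIP, SCCP and CAPF ports that the Note advises against exposing to remote phones, so an audit of the running configuration should make those entries visible. The following Python lint is an added example, not part of the Cisco guide: it flags such ACL entries and also checks that every object named inside a phone-proxy block is defined. It assumes the default ports (SCCP 2000, SIP 5060, CAPF 3804) and `show running-config`-style indentation; the sample configuration and the ACL name `pp` are constructed.

```python
import re

# Assumed default nonsecure ports; TFTP (69) is not flagged because the phone proxy needs it.
PROVISIONING_PORTS = {"2000": "SCCP", "5060": "SIP", "sip": "SIP", "3804": "CAPF"}
ACL_RE = re.compile(r"^access-list (\S+) extended permit (?:tcp|udp) .* eq (\S+)$")
REF_KINDS = ("tls-proxy", "ctl-file", "media-termination")

# Constructed sample in running-config layout (sub-mode lines are indented).
SAMPLE = """\
access-list pp extended permit udp any host 192.0.2.101 eq 69
access-list pp extended permit tcp any host 192.0.2.101 eq 2000
access-list pp extended permit tcp any host 192.0.2.101 eq 5060
access-list pp extended permit tcp any host 192.0.2.101 eq 3804
tls-proxy my_proxy
 client cipher-suite aes128-sha1 aes256-sha1
media-termination my_mediaterm
 address 192.0.2.25 interface inside
ctl-file myctl
 no shutdown
phone-proxy mypp
 media-termination my_mediaterm
 tls-proxy mytls
 ctl-file myctl
"""


def audit(config: str) -> list[str]:
    """Return findings for an indented ASA running-config excerpt."""
    defined, refs, findings = set(), [], []
    in_phone_proxy = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        kind, _, name = line.partition(" ")
        if not raw[0].isspace():  # top-level command: definition or ACL entry
            in_phone_proxy = kind == "phone-proxy"
            if kind in REF_KINDS:
                defined.add((kind, name))
            m = ACL_RE.match(line)
            if m and m.group(2) in PROVISIONING_PORTS:
                findings.append(f"ACL {m.group(1)}: nonsecure {PROVISIONING_PORTS[m.group(2)]} port {m.group(2)} permitted")
        elif in_phone_proxy and kind in REF_KINDS:  # reference inside phone-proxy
            refs.append((kind, name))
    findings += [f"phone-proxy references undefined {k} {n}" for k, n in refs if (k, n) not in defined]
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
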