Cisco Systems and the ASA Services Module Manual De Usuario
17-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 17 Configuring the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
What to Do Next
Once you have created TLS proxy instance, enable the TLS proxy instance for Skinny and SIP
inspection. See
inspection. See
Enabling the TLS Proxy Instance for Skinny or SIP Inspection
Enable TLS proxy for the Cisco IP Phones and Cisco UCMs in Skinny or SIP inspection. The following
procedure shows how to enable the TLS proxy instance for Skinny inspection.
procedure shows how to enable the TLS proxy instance for Skinny inspection.
Command
Purpose
Step 1
ciscoasa(config)# tls-proxy proxy_name
Example:
ciscoasa(config)# tls-proxy my_proxy
Creates the TLS proxy instance.
Step 2
ciscoasa(config-tlsp)# server trust-point
proxy_trustpoint
Example:
ciscoasa(config-tlsp)# server trust-point ccm_proxy
Specifies the proxy trustpoint certificate to present
during TLS handshake.
during TLS handshake.
The server command configures the proxy
parameters for the original TLS server. In other
words, the parameters for the ASA to act as the
server during a TLS handshake, or facing the
original TLS client.
parameters for the original TLS server. In other
words, the parameters for the ASA to act as the
server during a TLS handshake, or facing the
original TLS client.
Step 3
ciscoasa(config-tlsp)# client ldc issuer ca_tp_name
Example:
ciscoasa(config-tlsp)# client ldc issuer ldc_server
Sets the local dynamic certificate issuer. The local
CA to issue client dynamic certificates is defined by
the crypto ca trustpoint command and the
trustpoint must have proxy-ldc-issuer configured,
or the default local CA server
(LOCAL-CA-SERVER).
CA to issue client dynamic certificates is defined by
the crypto ca trustpoint command and the
trustpoint must have proxy-ldc-issuer configured,
or the default local CA server
(LOCAL-CA-SERVER).
Where
ldc issuer
ca_tp_name
specifies the local
CA trustpoint to issue client dynamic certificates.
Step 4
ciscoasa(config-tlsp)# client ldc key-pair key_label
Example:
ciscoasa(config-tlsp)# client ldc key-pair
phone_common
Sets the keypair.
The keypair value must have been generated with the
crypto key generate command.
crypto key generate command.
Step 5
hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1
Sets the user-defined cipher suite.
For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite, or the one defined by the ssl
encryption command. You can use this command to
achieve difference ciphers between the two TLS
sessions. You should use AES ciphers with the
CallManager server.
the server), the user-defined cipher suite replaces the
default cipher suite, or the one defined by the ssl
encryption command. You can use this command to
achieve difference ciphers between the two TLS
sessions. You should use AES ciphers with the
CallManager server.