19-9
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 19      Configuring Cisco Unified Presence
  Configuring Cisco Unified Presence Proxy for SIP Federation
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where there is a single Cisco UP that is in the local domain and self-signed certificates are used between the Cisco UP and the ASA (like the scenario shown in ), perform the following tasks.
Step 1    Create the following static NAT for the local domain containing the Cisco UP.
For the inbound connection to the local domain containing the Cisco UP, create static PAT by entering the following command:
hostname(config)# object network name
hostname(config-network-object)# host real_ip
hostname(config-network-object)# nat (real_ifc,mapped_ifc) static mapped_ip service {tcp | udp} real_port mapped_port
Note    For each Cisco UP that could initiate a connection (by sending SIP SUBSCRIBE) to the foreign server, you must also configure static PAT by using a different set of PAT ports.
For outbound connections or the TLS handshake, use dynamic NAT or PAT. The ASA SIP inspection engine takes care of the necessary translation (fixup).
hostname(config)# object network name
hostname(config-network-object)# subnet real_ip netmask
hostname(config-network-object)# nat (real_ifc,mapped_ifc) dynamic mapped_ip
For information about configuring NAT and PAT for the Cisco Presence Federation proxy, see 
 and 
Step 2    Create the necessary RSA keypairs and proxy certificate, which is a self-signed certificate, for the remote entity. See .
Step 3    Install the certificates. See 
Step 4    Create the TLS proxy instance for the Cisco UP clients connecting to the Cisco UP server. See .
Step 5    Enable the TLS proxy for SIP inspection. See 
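The five steps above carried through as one worked ASA configuration. This is an added illustration, not configuration taken from the Cisco guide: the interface names (inside/outside), addresses (192.168.10.x, 198.51.100.x), subject name and the object, class-map and tls-proxy names are constructed; only the keypair name cup_proxy_key and trustpoint name cup_proxy come from this page.

```cisco
! --- Step 1: static PAT for each Cisco UP that may initiate SIP (constructed values) ---
object network cup_server_1
 host 192.168.10.10
 nat (inside,outside) static 198.51.100.10 service tcp 5061 5061
!
! A second Cisco UP that could send SIP SUBSCRIBE needs its own PAT port (5062 here)
object network cup_server_2
 host 192.168.10.11
 nat (inside,outside) static 198.51.100.10 service tcp 5061 5062
!
! Outbound connections and the TLS handshake use dynamic PAT; SIP inspection
! rewrites the embedded addresses (fixup)
object network cup_subnet
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic 198.51.100.11
!
! --- Step 2: keypair and self-signed proxy certificate presented by the ASA ---
crypto key generate rsa label cup_proxy_key modulus 2048
crypto ca trustpoint cup_proxy
 enrollment self
 subject-name cn=asa-cup-proxy.example.com
 keypair cup_proxy_key
crypto ca enroll cup_proxy noconfirm
!
! --- Step 3: install certificates on both sides ---
! Export the ASA self-signed certificate (PEM) so it can be loaded into Cisco UP
crypto ca export cup_proxy identity-certificate
! Trust the Cisco UP self-signed certificate: paste its PEM when prompted
crypto ca trustpoint cup_server_cert
 enrollment terminal
crypto ca authenticate cup_server_cert
!
! --- Step 4: TLS proxy instance; the ASA uses cup_proxy toward both peers ---
tls-proxy cup_tls_proxy
 server trust-point cup_proxy
 client trust-point cup_proxy
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1
!
! --- Step 5: attach the TLS proxy to SIP inspection on the SIP-over-TLS port ---
class-map cup_sip_class
 match port tcp eq 5061
policy-map global_policy
 class cup_sip_class
  inspect sip tls-proxy cup_tls_proxy
! global_policy is normally already applied; repeating this is harmless
service-policy global_policy global
```

After the trustpoint is enrolled, `show crypto ca certificates cup_proxy` confirms the self-signed certificate and its subject before it is exported to Cisco UP.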
Creating Trustpoints and Generating Certificates
You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as cup_proxy) in the TLS handshake.