Cisco Systems and the ASA Services Module Manual De Usuario

Once you have enabled the TLS proxy for SIP inspection, if necessary, configure TLS within the 
enterprise. See 

. 

This task is not required if TCP is allowable within the inside network. 

TLS within the enterprise refers to the security status of the Cisco Intercompany Media Engine trunk as 
seen by the ASA. 

If the transport security for the Cisco Intercompany Media Engine trunk changes on Cisco UCM, it must 
be changed on the ASA as well. A mismatch will result in call failure. The ASA does not support SRTP 
with non-secure IME trunks. The ASA assumes SRTP is allowed with secure trunks. So ‘SRTP Allowed’ 
must be checked for IME trunks if TLS is used. The ASA supports SRTP fallback to RTP for secure IME 
trunk calls. 

Prerequisites

On the local Cisco UCM, download the Cisco UCM certificate. See the Cisco Unified Communications 
Manager documentation for information. You will need this certificate when performing 

 of this 

procedure.

To configure TLS within the local enterprise, perform the following steps on the local ASA:

hostname(config-pmap)# exit

Exits from the policy map configuration mode.

hostname(config)# service-policy policymap_name 

hostname(config)# service-policy ime-policy global

Enables the service policy for SIP inspection for all 
interfaces. 

Where 

 is the name of the policy 

map you created in 

 of this task.

 for information about the 

UC-IME proxy settings. See CLI configuration 
guide for information about the no service-policy

command.