Cisco ASA for Nexus 1000V Series Switch Technical Manual

Once this configuration is complete, a remote test PC should be able to connect to the SSL VPN gateway,
connect via AnyConnect, and ping the CUCM. Ensure the ASA has an AnyConnect for Cisco IP phone
license. (Use the show ver command.) Both TCP and UDP port 443 must be open between the gateway and
the client.
Note: Load-balanced SSL VPN is not supported for VPN phones.
CUCM: ASA SSL VPN with Self-Signed Certificates Configuration
Refer to IP Phone SSL VPN to ASA using AnyConnect for more detailed information.
The ASA must have a license for AnyConnect for Cisco VPN Phone. After you configure the SSL VPN, you
then configure your CUCM for the VPN.
1. Use this command in order to export the self-signed certificate from the ASA:

   ciscoasa(config)# crypto ca export trustpoint-name identity-certificate

   This command displays a PEM-encoded identity certificate to the terminal.
2. Copy and paste the certificate to a text editor, and save it as a .pem file. Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines, or the certificate will not import correctly. Do not modify the format of the certificate, because this will cause problems when the phone tries to authenticate to the ASA.
3. Navigate to Cisco Unified Operating System Administration > Security > Certificate Management > Upload Certificate/Certificate Chain in order to load the certificate file to the CERTIFICATE MANAGEMENT section of the CUCM.
4. Download the CallManager.pem, CAPF.pem, and Cisco_Manufacturing_CA.pem certificates from the same area used to load the self-signed certificates from the ASA (see Step 1), and save them to your desktop.
   1. For example, in order to import the CallManager.pem to the ASA, use these commands:

      ciscoasa(config)# crypto ca trustpoint certificate-name
      ciscoasa(config-ca-trustpoint)# enrollment terminal
      ciscoasa(config)# crypto ca authenticate certificate-name

   2. When you are prompted to copy and paste the corresponding certificate for the trustpoint, open the file you saved from the CUCM, then copy and paste the Base64-encoded certificate. Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines (with hyphens).
   3. Type end, then press Return.
   4. When prompted to accept the certificate, type yes, then press Enter.
   5. Repeat steps 1 to 4 for the other two certificates (CAPF.pem, Cisco_Manufacturing_CA.pem) from the CUCM.
5. Configure the CUCM for the correct VPN configurations, as described in CUCM IPphone VPN config.pdf.
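A pre-flight check for the exported .pem file before it is uploaded to the CUCM or pasted into an ASA trustpoint, added here as an example and not part of the Cisco document: it verifies what the procedure warns about (both marker lines present with their hyphens, an unedited Base64 body, and a decoded outer DER SEQUENCE whose length matches the data). The embedded sample PEM is a constructed stub, not a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_certificate(text):
    """Return a list of problems with a PEM certificate file; empty means OK."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Both marker lines (with hyphens) must be present, exactly once each.
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        return ["expected exactly one BEGIN/END CERTIFICATE pair"]
    start, stop = lines.index(BEGIN), lines.index(END)
    body = lines[start + 1:stop]
    if stop < start or not body:
        return ["no certificate body between the marker lines"]
    # The body must be clean Base64 with nothing edited into it.
    if not all(re.fullmatch(r"[A-Za-z0-9+/=]+", ln) for ln in body):
        return ["non-Base64 characters inside the certificate body"]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error:
        return ["Base64 body does not decode (edited or truncated?)"]
    # An X.509 certificate is one DER SEQUENCE (tag 0x30) at the outer level.
    if len(der) < 2 or der[0] != 0x30:
        return ["decoded data is not a DER SEQUENCE"]
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form length, N length bytes
        hdr = 2 + (first & 0x7F)
        length = int.from_bytes(der[2:hdr], "big") if len(der) >= hdr else -1
    if hdr + length != len(der):
        problems.append("DER length field does not match the decoded size")
    return problems


# Constructed sample: a minimal DER SEQUENCE (30 81 03 02 01 05), not a real
# certificate, used only to exercise the checks above.
SAMPLE_PEM = BEGIN + "\nMIEDAgEF\n" + END + "\n"

if __name__ == "__main__":
    for label, pem in [("intact", SAMPLE_PEM),
                       ("missing END line", SAMPLE_PEM.replace(END, "")),
                       ("truncated body", SAMPLE_PEM.replace("MIEDAgEF", "MIED"))]:
        print(label, "->", check_pem_certificate(pem) or "OK")
```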
Note: The VPN gateway configured on the CUCM must match the URL that is configured on the VPN gateway. If the gateway and URL do not match, the phone cannot resolve the address, and you will not see any debugs on the VPN gateway.
• On the CUCM: The VPN gateway URL is https://192.168.1.1/VPNPhone
• On the ASA, use these commands: