Cisco ASA 5555-X Adaptive Security Appliance - No Payload Encryption Technical Manual

SSLVPN with IP Phones Configuration Example
Document ID: 115945
Contributed by Nicholas Carrieri, William Ryan Bennett, and Walter
Lopez, Cisco TAC Engineers.
Dec 19, 2013
Contents
Introduction
Prerequisites
     Requirements
     Components Used
Configure
     Basic ASA SSL VPN Configuration
        CUCM: ASA SSL VPN with Self-Signed Certificates Configuration
        CUCM: ASA SSL VPN with Third-Party Certificates Configuration
     Basic IOS SSL VPN Configuration
        CUCM: IOS SSL VPN with Self-Signed Certificates Configuration
        CUCM: IOS SSL VPN with Third-Party Certificates Configuration
     Unified CME: ASA/Router SSL VPN with Self-Signed Certificates/Third-Party Certificates Configuration
     UC 520 IP Phones with SSL VPN Configuration
Verify
Troubleshoot
Introduction
This document describes how to configure IP phones over a Secure Sockets Layer VPN (SSL VPN), also
known as a WebVPN. Two Cisco Unified Communications Managers (CallManagers) and three types of
certificates are used with this solution. The CallManagers are:
• Cisco Unified Communications Manager (CUCM)
• Cisco Unified Communications Manager Express (Cisco Unified CME)
The certificate types are:
• Self-signed certificates
• Third-party certificates, such as Entrust, Thawte, and GoDaddy
• Cisco IOS®/Adaptive Security Appliance (ASA) certificate authority (CA)
The key concept to understand is that, once the configuration on the SSL VPN gateway and the CallManager is
complete, you must join the IP phones locally. This enables the phones to join the CUCM and to use the
correct VPN information and certificates. If the phones are not joined locally, they cannot find the SSL VPN
gateway and do not have the correct certificates to complete the SSL VPN handshake.
The most common configurations are CUCM/Unified CME with ASA self-signed certificates and Cisco IOS
self-signed certificates. Consequently, they are the easiest to configure.