
Creating the tls proxy – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 52 Configuring Cisco Intercompany Media Engine Proxy

Configuring Cisco Intercompany Media Engine Proxy

Creating the TLS Proxy

Because either enterprise (that is, either the local or the remote Cisco UCM server) can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS handshake), you must configure bidirectional TLS proxy rules. Each enterprise can have an ASA as the TLS proxy.

Create TLS proxy instances for the local and remote entity initiated connections respectively. The entity
that initiates the TLS connection is in the role of “TLS client.” Because the TLS proxy has a strict
definition of “client” and “server” proxy, two TLS proxy instances must be defined if either of the
entities could initiate the connection.

The example command lines in this task are based on a basic (in-line) deployment. See Figure 52-6 on page 52-11 for an illustration explaining the example command lines in this task.

To create the TLS proxy, perform the following steps. Each step lists the command, an example, and its purpose:

Step 1
Command: hostname(config)# tls-proxy proxy_name
Example: hostname(config)# tls-proxy local_to_remote-ent
Purpose: Creates the TLS proxy for the outbound connections.

Step 2
Command: hostname(config-tlsp)# client trust-point proxy_trustpoint
Example: hostname(config-tlsp)# client trust-point local-ent
Purpose: For outbound connections, specifies the trustpoint and associated certificate that the adaptive security appliance uses in the TLS handshake when the adaptive security appliance assumes the role of the TLS client. The certificate must be owned by the adaptive security appliance (identity certificate).
Where proxy_trustpoint specifies the trustpoint defined by the crypto ca trustpoint command in Step 2 of the "Creating Trustpoints and Generating Certificates" section on page 52-21.

Step 3
Command: hostname(config-tlsp)# client cipher-suite cipher_suite
Example: hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
Purpose: For outbound connections, controls the TLS handshake parameter for the cipher suite.
Where cipher_suite includes des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, or null-sha1.
For the client proxy (the proxy acts as a TLS client to the server), the user-defined cipher suite replaces the default cipher suite, or the one defined by the ssl encryption command. Use this command to achieve different ciphers between the two TLS sessions. You should use AES ciphers with the Cisco UCM server.

Step 4
Command: hostname(config-tlsp)# exit
Purpose: Exits from the TLS proxy configuration mode.

Step 5
Command: hostname(config)# tls-proxy proxy_name
Example: hostname(config)# tls-proxy remote_to_local-ent
Purpose: Creates the TLS proxy for inbound connections.
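The steps above leave the cipher list entirely to the administrator, and the Step 3 example itself offers null-sha1 (no encryption) and 3des-sha1 alongside AES, even though the guide recommends AES ciphers with the Cisco UCM server. The following audit script is an added example, not Cisco code and not part of this guide: it parses tls-proxy blocks from saved ASA configuration text, reports any proxy that lacks a client trust-point, and flags non-AES or unknown cipher keywords on the client cipher-suite line. The sample configuration is constructed for the example; the proxy and trustpoint names come from the steps above, while the lines under remote_to_local-ent are assumed for illustration.

```python
"""Audit ASA 'tls-proxy' blocks for weak client cipher suites and missing trustpoints.

Added example, not Cisco code. SAMPLE_CONFIG is constructed: the proxy and
trustpoint names mirror the steps in this section; the lines under
remote_to_local-ent are assumed for illustration.
"""
import re

# Cipher keywords the guide lists as valid for 'client cipher-suite'.
VALID_CIPHERS = {"des-sha1", "3des-sha1", "aes128-sha1", "aes256-sha1", "null-sha1"}
# Non-AES keywords: null-sha1 sends the session unencrypted, des-sha1 and
# 3des-sha1 use legacy block ciphers. The guide recommends AES with Cisco UCM.
WEAK_CIPHERS = {"null-sha1", "des-sha1", "3des-sha1"}

SAMPLE_CONFIG = """\
tls-proxy local_to_remote-ent
 client trust-point local-ent
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
tls-proxy remote_to_local-ent
 client cipher-suite aes256-sha1
"""


def parse_tls_proxies(config: str) -> dict:
    """Return {proxy_name: {"client_trustpoint": str | None, "ciphers": [...]}}.

    Lines are indentation-insensitive; a 'tls-proxy NAME' line opens a block and
    the next 'tls-proxy' line closes it. Other sub-commands are ignored.
    """
    proxies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and ASA comments
        m = re.match(r"^tls-proxy\s+(\S+)$", line)
        if m:
            current = m.group(1)
            proxies[current] = {"client_trustpoint": None, "ciphers": []}
            continue
        if current is None:
            continue  # not inside a tls-proxy block yet
        m = re.match(r"^client trust-point\s+(\S+)$", line)
        if m:
            proxies[current]["client_trustpoint"] = m.group(1)
            continue
        m = re.match(r"^client cipher-suite\s+(.+)$", line)
        if m:
            proxies[current]["ciphers"] = m.group(1).split()
    return proxies


def audit_tls_proxies(config: str) -> dict:
    """Return {proxy_name: [finding, ...]}; an empty list means nothing to report."""
    findings = {}
    for name, proxy in parse_tls_proxies(config).items():
        issues = []
        if proxy["client_trustpoint"] is None:
            issues.append("no client trust-point: no identity certificate for the TLS client role")
        unknown = [c for c in proxy["ciphers"] if c not in VALID_CIPHERS]
        if unknown:
            issues.append("unknown cipher keyword(s): " + ", ".join(unknown))
        weak = [c for c in proxy["ciphers"] if c in WEAK_CIPHERS]
        if weak:
            issues.append("non-AES cipher(s) offered to the server: " + ", ".join(weak))
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_tls_proxies(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against the output of show running-config saved to a file; a proxy with no client cipher-suite line is reported clean by this script because it inherits the default suite or the ssl encryption setting, so check that setting separately.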