49-13
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter49 Configuring the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
What to Do Next
Once you have created TLS proxy instance, enable the TLS proxy instance for Skinny and SIP
inspection. See Enabling the TLS Proxy Instance for Skinny or SIP Inspection, page49-13.
Enabling the TLS Proxy Instance for Skinny or SIP Inspection
Enable TLS proxy for the Cisco IP Phones and Cisco UCMs in Skinny or SIP inspection. The following
procedure shows how to enable the TLS proxy instance for Skinny inspection.
Command Purpose
Step1 hostname(config)# tls-proxy proxy_name
Example:
hostname(config)# tls-proxy my_proxy
Creates the TLS proxy instance.
Step2 hostname(config-tlsp)# server trust-point
proxy_trustpoint
Example:
hostname(config-tlsp)# server trust-point ccm_proxy
Specifies the proxy trustpoint certificate to present
during TLS handshake.
The server command configures the proxy
parameters for the original TLS server. In other
words, the parameters for the ASA to act as the
server during a TLS handshake, or facing the
original TLS client.
Step3 hostname(config-tlsp)# client ldc issuer ca_tp_name
Example:
hostname(config-tlsp)# client ldc issuer ldc_server
Sets the local dynamic certificate issuer. The local
CA to issue client dynamic certificates is defined by
the crypto ca trustpoint command and the
trustpoint must have proxy-ldc-issuer configured,
or the default local CA server
(LOCAL-CA-SERVER).
Where ldc issuer ca_tp_name specifies the local
CA trustpoint to issue client dynamic certificates.
Step4 hostname(config-tlsp)# client ldc key-pair key_label
Example:
hostname(config-tlsp)# client ldc key-pair
phone_common
Sets the keypair.
The keypair value must have been generated with the
crypto key generate command.
Step5 hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1
Sets the user-defined cipher suite.
For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite, or the one defined by the ssl
encryption command. You can use this command to
achieve difference ciphers between the two TLS
sessions. You should use AES ciphers with the
CallManager server.