50-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter50 Configuring Cisco Mobility Advantage
Configuring Cisco Mobility Advantage
What to Do Next
Once you have created the TLS proxy instance, enable it for MMP inspection. See Enabling the TLS
Proxy for MMP Inspection, page 50-9.
Enabling the TLS Proxy for MMP Inspection
Cisco UMA client and server communications can be proxied via TLS, which decrypts the data, passes
it to the inspect MMP module, and re-encrypt the data before forwarding it to the endpoint. The inspect
MMP module verifies the integrity of the MMP headers and passes the OML/HTTP to an appropriate
handler.
Step3 hostname(config-tlsp)# client trust-point proxy_name
Example:
hostname(config-tlsp)# client trust-point cuma_proxy
Specifies the trustpoint and associated certificate
that the ASA uses in the TLS handshake when the
ASA assumes the role of the TLS client.
The certificate must be owned by the ASA (identity
certificate).
Step4 hostname(config-tlsp)# no server authenticate-client Disables client authentication.
Disabling TLS client authentication is required
when the ASA must interoperate with a Cisco UMA
client or clients such as a Web browser that are
incapable of sending a client certificate.
Step5 hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1
Specifies cipher suite configuration.
For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite.
Command Purpose
Command Purpose
Step1 hostname(config)# class-map class_map_name
Example:
hostname(config)# class-map cuma_tlsproxy
Configures the class of traffic to inspect. Traffic
between the Cisco UMA server and client uses MMP
and is handled by MMP inspection.
Where class_map_name is the name of the MMP
class map.
Step2 hostname(config-cmap)# match port tcp eq port
Example:
hostname(config-cmap)# match port tcp eq 5443
Matches the TCP port to which you want to apply
actions for MMP inspection.
The TCP/TLS default port for MMP inspection is
5443.
Step3 hostname(config-cmap)# exit Exits from the Class Map configuration mode.
Step4 hostname(config)# policy-map name
Example:
hostname(config)# policy-map global_policy
Configures the policy map and attaches the action to
the class of traffic.
Step5 hostname(config-pmap)# class classmap-name
Example:
hostname(config-pmap)# class cuma_proxy
Assigns a class map to the policy map so that you
can assign actions to the class map traffic.
Where classmap_name is the name of the Skinny
class map.