50-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter50 Configuring Cisco Mobility Advantage
Configuration Examples for Cisco Mobility Advantage
object network obj-10.1.1.2-01
host 10.1.1.2
nat (inside,outside) static 192.0.2.140
crypto ca import cuma_proxy pkcs12 sample_passphrase
<cut-paste base 64 encoded pkcs12 here>
quit
! for CUMA server’s self-signed certificate
crypto ca trustpoint cuma_server
enrollment terminal
crypto ca authenticate cuma_server
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
MIIDRTCCAu+gAwIBAgIQKVcqP/KW74VP0NZzL+JbRTANBgkqhkiG9w0BAQUFADCB
[ certificate data omitted ]
/7QEM8izy0EOTSErKu7Nd76jwf5e4qttkQ==
quit
tls-proxy cuma_proxy
server trust-point cuma_proxy
no server authenticate-client
client cipher-suite aes128-sha1 aes256-sha1
class-map cuma_proxy
match port tcp eq 5443
policy-map global_policy
class cuma_proxy
inspect mmp tls-proxy cuma_proxy
service-policy global_policy global
Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only
As shown in Figure 50-7 (scenario 2), the ASA functions as the TLS proxy only and works with an
existing firewall. The ASA and the corporate firewall are performing NAT. The corporate firewall will
not be able to predict which client from the Internet needs to connect to the corporate Cisco UMA server.
Therefore, to support this deployment, you can take the following actions:
Set up a NAT rule for inbound traffic that translates the destination IP address 192.0.2.41 to
172.16.27.41.
Set up an interface PAT rule for inbound traffic translating the source IP address of every packet so
that the corporate firewall does not need to open up a wildcard pinhole. The Cisco UMA server
receives packets with the source IP address 192.0.2.183.
hostname(config)# object network obj-0.0.0.0-01
hostname(config-network-object)# subnet 0.0.0.0 0.0.0.0
hostname(config-network-object)# nat (outside,inside) dynamic 192.0.2.183