51-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter51 Configuring Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
Creating the TLS Proxy Instance, page51-12
Enabling the TLS Proxy for SIP Inspection, page51-13
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where
there is a single Cisco UP that is in the local domain and self-signed certificates are used between the
Cisco UP and the ASA (like the scenario shown in Figure51-1), perform the following tasks.
Step1 Create the following static NAT for the local domain containing the Cisco UP.
For the inbound connection to the local domain containing the Cisco UP, create static PAT by entering
the following command:
hostname(config)# object network name
hostname(config-network-object)# host real_ip
hostname(config-network-object)# nat (real_ifc,mapped_ifc) static mapped_ip service {tcp |
udp} real_port mapped_port
Note For each Cisco UP that could initiate a connection (by sending SIP SUBSCRIBE) to the foreign
server, you must also configure static PAT by using a different set of PAT ports.
For outbound connections or the TLS handshake, use dynamic NAT or PAT. The ASA SIP inspection
engine takes care of the necessary translation (fixup).
hostname(config)# object network name
hostname(config-network-object)# subnet real_ip netmask
hostname(config-network-object)# nat (real_ifc,mapped_ifc) dynamic mapped_ip
For information about configuring NAT and PAT for the Cisco Presence Federation proxy, see
Chapter 30, “Configuring Network Object NAT” and Chapter31, “Configuring Twice NAT”.
Step2 Create the necessary RSA keypairs and proxy certificate, which is a self-signed certificate, for the
remote entity. See Creating Trustpoints and Generating Certificates, page51-9.
Step3 Install the certificates. See Installing Certificates, page51-10.
Step4 Create the TLS proxy instance for the Cisco UP clients connecting to the Cisco UP server. See Creating
the TLS Proxy Instance, page 51-12.
Step5 Enable the TLS proxy for SIP inspection. See Enabling the TLS Proxy for SIP Inspection, page51-13.
Creating Trustpoints and Generating Certificates
You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and
configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as
cup_proxy) in the TLS handshake.