Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Using the Cisco Unified Communication Wizard
Configuring the Phone Proxy by using the Unified Communication Wizard
See also the Cisco Unified Communications Manager Security Guide for information on using the
Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).
If your network includes Cisco IP Communicators (CIPC) or you have LSC enabled IP phones, you must
import the CAPF certificate from the Cisco UCM. The certificate will be used to generate the LSC on
the IP phones.
If the Cisco UCM has more than one CAPF certificate, you must import all of them to the ASA. However,
the wizard supports configuring only one CAPF certificate, which is the default. To import more than
one CAPF certificate, go to Configuration > Device Management > Certificate Management > Identity
Certificates.
You can configure LSC provisioning for additional end-user authentication. See the Cisco Unified
Communications Manager configuration guide for information.
Step 1 Check the Enable Certificate Authority Proxy Function check box. The remaining fields in the page
become available.
Step 2 Enter the private IP address of the LSC provider.
Step 3 In the Public Address field, specify whether to use the IP address of the ASA public interface or enter
an IP address.
Specifying the private and public IP addresses for the LSC provider creates an access list entry that
allows the IP phones to contact the Cisco UCM by opening the CAPF port for LSC provisioning.
Step 4 In the Translation Type field, select the Address only or Address and ports radio button.
The IP phones must contact the CAPF service on the Cisco UCM. The address translation type (Address
only versus Address and ports) you select for CAPF must match the address translation type of the Cisco
UCM on which the CAPF service is running. You set the address translation type for that Cisco UCM
server in the previous step of this wizard (see Configuring Servers for the Phone Proxy, page 15-6).
By default, the CAPF Service uses port 3804. Modify this default value only when it is modified on the
Cisco UCM.
Step 5 If you selected the Address and ports radio button, enter the private and public ports for the CAPF
service.
Step 6 Click the Install CAPF Certificate button. The Install Certificate dialog box appears. See Installing a
Certificate, page 15-23.
Step 7 Click Next.
Configuring the Public IP Phone Network
The values that you specify in this page generate the address translation rules used for the IP phones and
configure how the ASA handles IP phone settings.
Step 1 From the Interface drop-down list, choose the interface on which the ASA listens for connections from
IP phones.
Step 2 To preserve Call Manager configuration on the IP phones, check the Preserve the Unified CM’s
configuration on the phone’s service check box. When this check box is unchecked, the following service
settings are disabled on the IP phones:
Web Access