15-10
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Using the Cisco Unified Communication Wizard
Configuring the Phone Proxy by using the Unified Communication Wizard
PC Port
Voice VLAN access
Gratuitous ARP
Span to PC Port
Step 3 To configure address translation for IP phones, check the Enable address translation for IP phones check
box. Select whether to use the IP address of the ASA private interface (which you selected in step 2 of
the wizard) or enter an IP address.
Configuring address translation for IP phones sets the address used by the IP phones. All traffic
from the outside network converges into one source IP address so that, if there is another corporate
firewall in the network, a pinhole needs to be opened only for that IP address rather than for all traffic.
Step 4 To configure an HTTP proxy for the Phone Proxy feature that is written into the IP phone's configuration
file under the <proxyServerURL> tag, do the following:
a. Check the Configure an HTTP proxy to redirect phone URLs... check box.
b. In the IP Address field, type the IP address of the HTTP proxy.
c. In the Port field, enter the listening port of the HTTP proxy.
The IP address you enter should be the global IP address based on where the IP phone and HTTP
proxy server are located. You can enter a hostname in the IP Address field when the adaptive
security appliance can resolve that hostname to an IP address (for example, DNS lookup is
configured). If a port is not specified, the default will be 8080.
d. In the Interface field, select the interface on which the HTTP proxy resides on the adaptive security
appliance.
Setting the proxy server configuration option for the Phone Proxy allows for an HTTP proxy on the
DMZ or external network in which all the IP phone URLs are directed to the proxy server for
services on the phones. This setting accommodates nonsecure HTTP traffic, which is not allowed
back into the corporate network.
Step 5 Click Next.
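Added example (not from the Cisco guide or ASDM): a Python check that reads a phone configuration file and confirms that the <proxyServerURL> value written in Step 4 matches the HTTP proxy you entered. The sample file, the host:port value layout and the function names are assumptions; only the tag name and the 8080 default come from the text above.

```python
import xml.etree.ElementTree as ET

DEFAULT_PROXY_PORT = 8080  # per the page: used when no port is entered

# Constructed sample phone configuration file. Only the <proxyServerURL> tag
# comes from the page; the other elements and the address are illustrative.
SAMPLE_CONFIG = """<device>
  <devicePool><name>Remote-Phones</name></devicePool>
  <proxyServerURL>192.0.2.55:8080</proxyServerURL>
</device>"""


def parse_proxy(value):
    """Split 'host[:port]' (assumed layout) into (host, port)."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:  # no port given, fall back to the default
        return value, DEFAULT_PROXY_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed proxy value: {value!r}")
    return host, int(port)


def audit_proxy(xml_text, expected_host, expected_port=DEFAULT_PROXY_PORT):
    """Return a list of findings; an empty list means the file matches."""
    # Input is assumed to be a file from your own TFTP server, not untrusted XML.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"config file is not well-formed XML: {exc}"]
    node = root.find(".//proxyServerURL")
    if node is None or not (node.text or "").strip():
        return ["no <proxyServerURL> value: phone URLs are not sent to the HTTP proxy"]
    try:
        host, port = parse_proxy(node.text)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if host.lower() != expected_host.lower():
        findings.append(f"proxy host is {host}, expected {expected_host}")
    if port != expected_port:
        findings.append(f"proxy port is {port}, expected {expected_port}")
    return findings


if __name__ == "__main__":
    print(audit_proxy(SAMPLE_CONFIG, "192.0.2.55") or "proxy setting matches")
```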
Configuring the Media Termination Address for Unified Communication Proxies
The data from this step generates the MTA instance to be added to the Phone Proxy and the UC-IME
proxy.
The phone proxy and the UC-IME proxy use the media termination address for Secure RTP (SRTP) and
RTP traffic. SRTP traffic sent from external IP phones to the internal network IP phone via the ASA is
converted to RTP traffic. The traffic is terminated on the adaptive security appliance. SRTP provides
message authentication and replay protection to Internet media traffic such as audio and video. RTP
defines a standardized packet format for delivering audio and video over the Internet.
For the UC-IME proxy and the Phone Proxy to be fully functional, you must ensure that the public IP
address for the media termination address (MTA) is accessible from the Internet. The summary page of
the Unified Communication Wizard reminds you of this requirement.
The MTA IP addresses that you specify must meet specific requirements. See Media Termination
Instance Prerequisites, page 16-6, for information.