52-15
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter52 Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Create the CTL File that will be presented to the IP phones during the TFTP. The address must be the
translated or global address of the TFTP server or CUCM if NAT is configured.
When the file is created, it creates an internal trustpoint used by the Phone Proxy to sign the TFTP files.
The trustpoint is named _internal_PP_ctl-instance_filename.
Note When a CTL file instance is assigned to the Phone Proxy, you cannot modify it in the CTL File pane and
the pane is disabled. To modify a CTL File that is assigned to the Phone Proxy, go to the Phone Proxy
pane (Configuration > Firewall > Unified Communications > Phone Proxy), and deselect the Use the
Certificate Trust List File generated by the CTL instance check box.
Use the Create a Certificate Trust List (CTL) File pane to create a CTL file for the Phone Proxy. This
pane creates the CTL file that is presented to the IP phones during the TFTP handshake with the ASA.
For a detailed overview of the CTL file used by the Phone Proxy, see the “Creating the CTL File” section
on page 52-14.
The Create a Certificate Trust List (CTL) File pane is used to configure the attributes for generating the
CTL file. The name of the CTL file instance is generated by the ASDM. When the user tries to edit the
CTL file instance configuration, the ASDM automatically generates the shutdown CLI command first
and the no shutdown CLI command as the last command.
This pane is available from the Configuration > Firewall > Unified Communications > CTL File pane.
Step1 Open the Configuration > Firewall > Unified Communications > CTL File pane.
Step2 Check the Enable Certificate Trust List File check box to enable the feature.
Step3 To specify the CTL file to use for the Phone Proxy, perform one of the following:
If there is an existing CTL file available, download the CTL file to Flash memory by using the File
Management Tool in the ASDM Tools menu. Select the Use certificates present in the CTL stored
in flash radio button and specify the CTL file name and path in the text box.
Use an existing CTL file to install the trustpoints for each entity in the network (CUCM, CUCM and
TFTP, TFTP server, CAPF) that the IP phones must trust. If you have an existing CTL file that
contains the correct IP addresses of the entities (namely, the IP address that the IP phones use for
the CUCM or TFTP servers), you can be use it to create a new CTL file. Store a copy of the existing
CTL file to Flash memory and rename it something other than CTLFile.tlv
If there is no existing CTL file available, select Create new CTL file radio button.
Add Record entries for each entity in the network such as CUCM, TFTP, and CUCM-TFTP option
by clicking Add. The Add Record Entry dialog box opens. See Adding or Editing a Record Entry in
a CTL File, page 52-16.
Step4 Specify the number SAST certificate tokens required. The default is 2. maximum allowed is 5.
Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security
Token (SAST) key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created
as a self-signed certificate. Typically, a CTL file contains more than one SAST. In case a SAST is not
recoverable, the other one can be used to sign the file later.
Step5 Click Apply to save the CTL file configuration settings.