Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 TLS Proxy

53-15

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter53 Configuring the TLS Proxy for Encrypted Voice Inspection

TLS Proxy

Note To make configuration changes after the local certificate authority has been configured for

the first time, disable the local certificate authority.

c. In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined

RSA key pair used by client dynamic certificates. To see the key pair details, including generation

time, usage, modulus size, and key data, click Show.

To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring

Identity Certificates Authentication” section on page 44-16 for details about the Key Pair fields.

Step6 In the Security Algorithms area, specify the available and active algorithms to be announced or matched

during the TLS handshake.

•Available Algorithms—Lists the available algorithms to be announced or matched during the TLS

handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.

Add—Adds the selected algorithm to the active list.

Remove—Removes the selected algorithm from the active list.

•Active Algorithms—Lists the active algorithms to be announced or matched during the TLS

handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting

as a TLS client to the server), the user-defined algorithms replace the original ones from the hello

message for asymmetric encryption method between the two TLS legs. For example, the leg between

the proxy and Call Manager may be NULL cipher to offload the Call Manager.

Move Up—Moves an algorithm up in the list.

Move Down—Moves an algorithm down in the list.

Step7 Click Apply to save the changes.

TLS Proxy

This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1.

Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version

8.1.2.

Use the TLS Proxy option to enable inspection of SSL encrypted VoIP signaling, namely Skinny and

SIP, interacting with Cisco CallManager.

The TLS Proxy pane lets you define and configure Transaction Layer Security Proxy to enable

inspection of encrypted traffic.

Fields

•TLS Proxy Name—Lists the TLS Proxy name.

•Server—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.

•Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server

dynamic certificates.

Cisco Systems manual TLS Proxy