ASDM configuration guide
Chapter 8 Using the Cisco Unified Communication Wizard
Configuring the Phone Proxy by using the Unified Communication Wizard
If the Use interface IP radio button is selected, you must specify port translation settings in the Voice
and TFTP sections. Address-only translation is available only when you specify an IP address other than
the IP address of the public interface.
When you select the Address only radio button, the ASA performs address translation on all traffic
between the server and the IP phones. Selecting the Address and ports radio button limits address
translation to the specified ports.
Step 5 (Unified CM or Unified CM + TFTP servers only) In the Voice section, configure inspection of SIP or
SCCP protocol traffic, or both SIP and SCCP protocol traffic, by completing the following fields:
a. In the Translation Type field, specify whether to use Address only or Address and ports.
When the deployment has redundant Cisco UCM servers and dedicated servers for TFTP and CAPF
services, select Address only for voice address translation.
Select the Address and ports option when you want to limit address translation to the specified ports.
b. In the Voice Protocols field, select the inspection protocols supported by the IP phones deployed in
the enterprise. Depending on which inspection protocols you select—SCCP, SIP, or SCCP and
SIP—only the ports fields for the selected voice protocols are available.
c. In the Port Translation section, enter the private and public ports for the voice protocols.
The default values for the voice ports appear in the text fields. If necessary, change the private ports
to match the settings on the Cisco UCM. The values you set for the public ports are used by the IP
phones to traverse the ASA and communicate with the Cisco UCM.
The secure SCCP private port and public port are automatically configured. These port numbers are
automatically set to the value of the non-secure port number plus 443.
Step 6 (TFTP or Unified CM + TFTP servers only) In the TFTP section, you can select either Address only or
Address and port for address translation. Cisco recommends that you specify Address and port for
increased security. Specifying Address and port configures the TFTP server to listen on port 69 for TFTP
requests.
When the server type is Unified CM + TFTP, the wizard configures the same type of address translation
for Voice and TFTP; for example, when the server type is Unified CM + TFTP and the Address only
option is selected, the wizard creates a global address translation rule for all traffic to and from the
server. In this case, configuring port translation for the TFTP server would be redundant.
Step 7 Click OK to add the server to the phone proxy configuration and return to step 2 of the wizard.
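The translation rules in Steps 5 and 6 can be checked before the values are entered in the wizard. The following is an added example, not Cisco code or ASDM output: `ServerPlan` and `review` are hypothetical names, and the SCCP and SIP port defaults are assumptions to be matched to the Cisco UCM settings.

```python
from dataclasses import dataclass

SECURE_SCCP_OFFSET = 443  # from the guide: secure SCCP port = non-secure port + 443
TFTP_PORT = 69            # from the guide: TFTP requests are served on port 69

@dataclass
class ServerPlan:
    """Hypothetical model of one server entry as filled in on the wizard page."""
    server_type: str                      # "ucm", "tftp" or "ucm+tftp"
    use_interface_ip: bool                # the "Use interface IP" radio button
    voice_mode: str = "address-and-ports" # or "address-only"
    tftp_mode: str = "address-and-ports"  # or "address-only"
    protocols: tuple = ("sccp",)          # any of "sccp", "sip"
    sccp_public: int = 2000               # assumed default; match your Cisco UCM
    sip_public: int = 5060                # assumed default; match your Cisco UCM

def review(plan):
    """Return (exposed, findings); exposed is None when all traffic is translated."""
    voice = plan.server_type in ("ucm", "ucm+tftp")
    tftp = plan.server_type in ("tftp", "ucm+tftp")
    modes = ([plan.voice_mode] if voice else []) + ([plan.tftp_mode] if tftp else [])
    findings = []
    if plan.use_interface_ip and "address-only" in modes:
        findings.append("interface IP selected: port translation is required")
    if voice and tftp and plan.voice_mode != plan.tftp_mode:
        findings.append("Unified CM + TFTP: Voice and TFTP share one translation type")
    if tftp and plan.tftp_mode == "address-only":
        findings.append("TFTP: Address and port is the recommended setting")
    if "address-only" in modes:
        # Address-only translates every port of the server, not a listed subset.
        return None, findings
    exposed = {}
    if voice and "sccp" in plan.protocols:
        exposed["sccp"] = plan.sccp_public
        exposed["secure-sccp"] = plan.sccp_public + SECURE_SCCP_OFFSET
    if voice and "sip" in plan.protocols:
        exposed["sip"] = plan.sip_public
    if tftp:
        exposed["tftp"] = TFTP_PORT
    return exposed, findings

if __name__ == "__main__":
    # Constructed sample plans: one port-limited, one address-only on the interface IP.
    print(review(ServerPlan("ucm+tftp", use_interface_ip=True)))
    print(review(ServerPlan("ucm+tftp", True, "address-only", "address-only")))
```

A result of `None` for the exposed ports means the plan translates all traffic to the server, so the set of reachable services is bounded by access rules rather than by the translation itself.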
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones
As an alternative to authenticating remote IP phones through the TLS handshake, you can configure
authentication via locally significant certificate (LSC) provisioning. With LSC provisioning, you create
a password for each remote IP phone user and each user enters the password on the remote IP phones to
retrieve the LSC.
Because using LSC provisioning to authenticate remote IP phones requires that the IP phones first register
in nonsecure mode, Cisco recommends that LSC provisioning be done inside the corporate network before
giving the IP phones to end users. Otherwise, having the IP phones register in nonsecure mode requires
the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.
See also the Cisco Unified Communications Manager Security Guide for information on using the
Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).