Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Phone Proxy Guidelines and Limitations

17-12

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter17 Configuring the Cisco Phone Proxy

Phone Proxy Guidelines and Limitations

Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure

authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP

phone user and each user enters the password on the remote IP phones to retrieve the LSC.

Because using LSC provisioning to authenticate remote IP phones requires the IP phones first register

in nonsecure mode, Cisco recommends LSC provisioning be done inside the corporate network before

giving the IP phones to end-users. Otherwise, having the IP phones register in nonsecure mode requires

the Administrator to open the nonsecure signaling port for SIP and SCCP on the ASA.

See also the Cisco Unified Communications Manager Security Guide for information on Using the

Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC).

Phone Proxy Guidelines and Limitations

This section includes the following topics:

•General Guidelines and Limitations, page17-12

•Media Termination Address Guidelines and Limitations, page17-13

The phone proxy has the following general limitations:

•Only one phone proxy instance can be configured on the ASA by using the phone-proxy command.

See the command reference for information about the phone-proxy command. See also Creating the

Phone Proxy Instance, page 17-18.

•The phone proxy only supports one Cisco UCM cluster. See Creating the CTL File, page17-15 for

the steps to configure the Cisco UCM cluster for the phone proxy.

•The phone proxy is not supported when the ASA is running in transparent mode or multiple context

mode.

•When a remote IP phone calls an invalid internal or external extension, the phone proxy does not

support playing the annunciator message from the Cisco UCM. Instead, the remote IP phone plays

a fast busy signal instead of the annunciator message "Your call cannot be completed ..." However,

when an internal IP phone dials in invalid extension, the annunciator messages plays "Your call

cannot be completed ..."

•Packets from phones connecting to the phone proxy over a VPN tunnel are not inspected by the ASA

inspection engines.

•The phone proxy does not support IP phones sending Real-Time Control Protocol (RTCP) packets

through the ASA. Disable RTCP packets in the Cisco Unified CM Administration console from the

Phone Configuration page. See your Cisco Unified Communications Manager (CallManager)

documentation for information about setting this configuration option.

•When used with CIPC, the phone proxy does not support end-users resetting their device name in

CIPC (Preferences > Network tab > Use this Device Name field) or Administrators resetting the

device name in Cisco Unified CM Administration console (Device menu > Phone Configuration >

Device Name field). To function with the phone proxy, the CIPC configuration file must be in the

Cisco Systems Phone Proxy Guidelines and Limitations