Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 17 Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security
Token (SAST) key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created
as a self-signed certificate. Typically, a CTL file contains more than one SAST. If one SAST is not
recoverable, the other one can be used to sign the file later.
Step 5 Click Apply to save the CTL file configuration settings.
Adding or Editing a Record Entry in a CTL File
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add/Edit Record Entry dialog box to specify the trustpoints to be used for the creation of the
CTL file.
Note You can edit an entry in the CTL file by using the Edit Record Entry dialog box; however, changing a
setting in this dialog box does not change related settings for the phone proxy. For example, editing the
IP address for the CUCM or TFTP servers in this dialog changes the setting only in the CTL file and
does not change the actual addresses of those servers or update the address translations required by the
phone proxy.
To modify CTL file settings, we strongly recommend that you re-run the Unified Communications Wizard,
which ensures proper synchronization with all phone proxy settings.
Add a record-entry configuration for each entity that is required in the CTL file.
Step 1 Open the Configuration > Firewall > Unified Communications > CTL File pane.
Step 2 Check the Enable Certificate Trust List File check box to enable the feature.
Step 3 In the Type field, specify the type of trustpoint to create:
  • cucm: Specifies the role of this trustpoint to be CCM. Multiple CCM trustpoints can be configured.
  • cucm-tftp: Specifies the role of this trustpoint to be CCM+TFTP. Multiple CCM+TFTP trustpoints
    can be configured.
  • tftp: Specifies the role of this trustpoint to be TFTP. Multiple TFTP trustpoints can be configured.
  • capf: Specifies the role of this trustpoint to be CAPF. Only one CAPF trustpoint can be configured.
Step 4 In the Host field, specify the IP address of the trustpoint. If NAT is configured, the IP address you
specify must be the global address of the TFTP server or CUCM. The global IP address is the address as
seen by the IP phones, and it is the IP address used for the CTL record for the trustpoint.
Step 5 In the Certificate field, specify the Identity Certificate for the record entry in the CTL file. You can create
a new Identity Certificate by clicking Manage. The Manage Identity Certificates dialog box opens. See
the “Configuring Identity Certificates Authentication” section on page 40-24 in the general operations
configuration guide.
You can add an Identity Certificate by generating a self-signed certificate, obtaining the certificate
through SCEP enrollment, or by importing a certificate in PKCS-12 format. Choose the best option
based on the requirements for configuring the CTL file.
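The following check is an added example, not part of the Cisco guide or ASDM. It reviews a planned set of record entries against the constraints in Steps 3 to 5 (valid Type, a single CAPF entry, the global address in the Host field, a certificate selected). The function name, the NAT map input, the addresses, and the certificate names are assumptions constructed for illustration.

```python
import ipaddress

ALLOWED_TYPES = {"cucm", "cucm-tftp", "tftp", "capf"}  # Type values from Step 3


def check_ctl_records(records, nat_map):
    """Return findings for planned CTL record entries (hypothetical helper).

    records: list of (type, host, certificate) tuples as entered in the dialog.
    nat_map: {real_ip: global_ip} for servers the ASA translates (assumed input).
    """
    findings = []
    real_to_global = {ipaddress.ip_address(r): ipaddress.ip_address(g)
                      for r, g in nat_map.items()}
    capf_count = 0
    for idx, (rtype, host, cert) in enumerate(records, start=1):
        if rtype not in ALLOWED_TYPES:
            findings.append(f"entry {idx}: unknown type {rtype!r}")
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"entry {idx}: host {host!r} is not an IP address")
            continue
        if rtype == "capf":
            capf_count += 1
            if capf_count > 1:
                findings.append(f"entry {idx}: only one capf trustpoint can be configured")
        # Phones see the translated address, so the record must carry the global IP.
        if addr in real_to_global and real_to_global[addr] != addr:
            findings.append(
                f"entry {idx}: {addr} is a real address; phones see {real_to_global[addr]}")
        if not cert:
            findings.append(f"entry {idx}: no identity certificate selected")
    return findings


# Constructed sample data: documentation address ranges, hypothetical certificate names.
NAT_MAP = {"192.0.2.10": "198.51.100.10", "192.0.2.11": "198.51.100.11"}
RECORDS = [
    ("cucm-tftp", "198.51.100.10", "cucm_tftp_cert"),  # correct: global address
    ("tftp", "192.0.2.11", "tftp_cert"),               # wrong: real (pre-NAT) address
    ("capf", "198.51.100.10", "capf_cert"),
    ("capf", "198.51.100.11", "capf2_cert"),           # wrong: second CAPF entry
]

if __name__ == "__main__":
    for finding in check_ctl_records(RECORDS, NAT_MAP):
        print(finding)
```

Because editing a record entry does not update the phone proxy address translations, run a check like this again whenever either the NAT rules or the CTL records change.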