Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring
Identity Certificates Authentication” section on page 40-24 in the general operations configuration
guide for details about the Key Pair fields.
Step 4 In the Security Algorithms area, specify the available and active algorithms to be announced or matched
during the TLS handshake.
Available Algorithms—Lists the available algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
Add—Adds the selected algorithm to the active list.
Remove—Removes the selected algorithm from the active list.
Active Algorithms—Lists the active algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For a client proxy (the
ASA acting as a TLS client to the server), the user-defined algorithms replace the ones originally
offered in the client hello message, so the two TLS legs can use different encryption methods. For
example, the leg between the proxy and the Call Manager may use the NULL cipher to offload
encryption from the Call Manager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.
Step 5 Click Next.
The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box
provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional
(see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).
Add TLS Proxy Instance Wizard – Other Steps
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to
make TLS Proxy fully functional. In particular, you need to perform the following tasks to complete the
TLS Proxy configuration:
Export the local CA certificate or LDC Issuer and install them on the original TLS server.
To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management >
Identity Certificates > Export. See the “Exporting an Identity Certificate” section on page 40-27 in
the general operations configuration guide.
For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See
SIP Inspection, page 12-20 and Skinny (SCCP) Inspection, page 12-32. When you are configuring
the TLS Proxy for Presence Federation (which uses CUP), you only enable SIP inspection because
the feature supports only the SIP protocol.
For the TLS Proxy for CUMA, enable MMP inspection.
When using the internal Certificate Authority of the ASA to sign the LDC Issuer for TLS clients,
perform the following:
Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL
file on the ASA.
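The wizard fields above (key pair, LDC issuer, Active Algorithms) and the inspection task in the Other Steps have CLI equivalents on the ASA; the following is an added example, not configuration from this guide, and assumes the tls-proxy, client cipher-suite and inspect ... tls-proxy command forms from the ASA CLI together with placeholder names (tls_proxy_cucm, proxy_trustpoint, ldc_ca, ldc_keypair, sec_sccp, sec_sip) that are not from the page.

```cisco
! Added example (not from the guide). All object names below are placeholders.
!
! Server leg: the certificate the ASA presents to the TLS clients (the phones).
tls-proxy tls_proxy_cucm
 server trust-point proxy_trustpoint
 ! Client leg: the LDC issuer signs the dynamic client certificate the ASA
 ! presents to the Call Manager; this is the issuer exported in the Other Steps.
 client ldc issuer ldc_ca
 client ldc key-pair ldc_keypair
 ! Active Algorithms in preference order. On the client leg these replace the
 ! cipher suites from the phone's client hello, which is what makes the two
 ! legs asymmetric. null-sha1 offloads encryption from the Call Manager but
 ! leaves that leg integrity-protected only, so keep it last and use it only
 ! when the proxy-to-Call-Manager segment is itself trusted.
 client cipher-suite aes256-sha1 aes128-sha1 3des-sha1 null-sha1
!
! Other Steps: enable Skinny and SIP inspection between the TLS server and the
! TLS clients and bind each to the proxy instance (assumed secure SCCP port
! 2443 and SIP-over-TLS port 5061).
class-map sec_sccp
 match port tcp eq 2443
class-map sec_sip
 match port tcp eq 5061
policy-map global_policy
 class sec_sccp
  inspect skinny tls-proxy tls_proxy_cucm
 class sec_sip
  inspect sip tls-proxy tls_proxy_cucm
service-policy global_policy global
```

For Presence Federation only the sec_sip class and inspect sip line apply, since that feature supports only SIP; the CTL file step remains a Cisco CTL Client task and has no equivalent in this fragment.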