Cisco PIX 500 Series Configuration Manual page 548

TLS Proxy for Encrypted Voice Inspection
hostname(config-ca-trustpoint)# proxy-ldc-issuer
hostname(config-ca-trustpoint)# fqdn my_ldc_ca.example.com
hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200
hostname(config-ca-trustpoint)# keypair ldc_signer_key
hostname(config)# crypto ca enroll ldc_server
This local CA is created as a regular self-signed trustpoint with proxy-ldc-issuer enabled. You may use
the embedded local CA LOCAL-CA-SERVER on the security appliance to issue the LDC.
Step 5 Create a CTL Provider instance in preparation for a connection from the CTL Client using the following
commands, for example:
hostname(config)# ctl-provider my_ctl
hostname(config-ctl-provider)# client interface inside address 172.23.45.1
hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encrypted
hostname(config-ctl-provider)# export certificate ccm_proxy
hostname(config-ctl-provider)# ctl install
The username and password must match the username and password for Cisco Unified CallManager
administration. The trustpoint name in the export command is the proxy certificate for the Cisco Unified
CallManager server.
By default, the CTL Provider listens on TCP port 2444, which is the default CTL port on the Cisco Unified
CallManager. Use the service port command to change the port number if the Cisco Unified CallManager
cluster uses a different port.
Step 6 Create a TLS proxy instance using the following commands, for example:
hostname(config)# tls-proxy my_proxy
hostname(config-tlsp)# server trust-point ccm_proxy
hostname(config-tlsp)# client ldc issuer ldc_server
hostname(config-tlsp)# client ldc keypair phone_common
hostname(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1
The server commands configure the proxy parameters for the original TLS server; that is, the parameters the
security appliance uses when it acts as the server in the TLS handshake, facing the original TLS client. The
client commands configure the proxy parameters for the original TLS client; that is, the parameters the
security appliance uses when it acts as the client in the TLS handshake, facing the original TLS server.
Step 7 Enable TLS proxy for the Cisco IP Phones and Cisco Unified CallManagers in Skinny or SIP inspection
using the following commands, for example:
hostname(config)# class-map sec_skinny
hostname(config-cmap)# match port tcp eq 2443
hostname(config)# policy-map type inspect skinny skinny_inspect
hostname(config-pmap)# parameters
hostname(config-pmap-p)# ! Skinny inspection parameters
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect skinny skinny_inspect
hostname(config-pmap)# class sec_skinny
hostname(config-pmap-c)# inspect skinny skinny_inspect tls-proxy my_proxy
hostname(config)# service-policy global_policy global
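The trustpoint, TLS proxy and inspection objects created in the steps above reference each other only by name, and a dangling name (a misspelled trustpoint, or an issuer trustpoint without proxy-ldc-issuer) is a common reason the proxied handshake fails. The following added example, which is not part of the manual, walks a saved running-config and reports such cross-reference errors; the SAMPLE_CONFIG excerpt is constructed sample data that mirrors the commands on this page.

```python
import re

# Constructed running-config excerpt mirroring this page's steps (sample data, not text from the manual).
SAMPLE_CONFIG = """\
crypto ca trustpoint ldc_server
 proxy-ldc-issuer
 keypair ldc_signer_key
crypto ca trustpoint ccm_proxy
 keypair ccm_proxy_key
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client ldc keypair phone_common
policy-map global_policy
 class sec_skinny
  inspect skinny skinny_inspect tls-proxy my_proxy
"""
BLOCK_RE = re.compile(r"(crypto ca trustpoint|tls-proxy)\s+(\S+)$")

def parse_blocks(text):
    """Map (kind, name) of each trustpoint or tls-proxy block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw and not raw.startswith(" "):
            m = BLOCK_RE.match(raw)
            current = blocks.setdefault((m.group(1), m.group(2)), []) if m else None
        elif current is not None and raw.strip():
            current.append(raw.strip())
    return blocks

def audit_tls_proxy(text):
    """Return cross-reference findings; an empty list means the proxy wiring is consistent."""
    blocks = parse_blocks(text)
    trustpoints = {n: subs for (k, n), subs in blocks.items() if k == "crypto ca trustpoint"}
    tls_proxies = {n: subs for (k, n), subs in blocks.items() if k == "tls-proxy"}
    findings = []
    for name, subs in tls_proxies.items():
        for line in subs:
            if line.startswith(("server trust-point ", "client ldc issuer ")):
                tp = line.split()[-1]
                if tp not in trustpoints:
                    findings.append(f"tls-proxy {name}: '{line}' names an undefined trustpoint")
                elif line.startswith("client ldc issuer") and "proxy-ldc-issuer" not in trustpoints[tp]:
                    findings.append(f"tls-proxy {name}: issuer {tp} lacks proxy-ldc-issuer")
    # Every 'inspect skinny|sip ... tls-proxy X' in a policy-map must name a defined tls-proxy.
    for m in re.finditer(r"inspect (?:skinny|sip) \S+ tls-proxy (\S+)", text):
        if m.group(1) not in tls_proxies:
            findings.append(f"inspect references undefined tls-proxy {m.group(1)}")
    return findings
```

Run audit_tls_proxy over the output of show running-config; the check only parses the block kinds shown on this page and does not validate CTL Provider or keypair settings.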
Step 8 Export the local CA certificate (ldc_server) and install it as a trusted certificate on the Cisco Unified
CallManager server.
a. Use the following command to export the certificate if a trust-point with proxy-ldc-issuer is used
as the signer of the dynamic certificates, for example:
Cisco Security Appliance Command Line Configuration Guide, Chapter 25, Configuring Application Layer Protocol Inspection, page 25-84, OL-12172-03