Cisco ASA 5505 Configuration Manual page 964

Configuring the Phone Proxy
Task Flow for Configuring the Phone Proxy
Note: This feature is not supported for the Adaptive Security Appliance version 8.1.2.

Configuring the Phone Proxy requires the following steps:
Step 1: Create the CTL file. See Creating the CTL File.
Step 2: Create the TLS Proxy instance to handle the encrypted signaling. See Adding a TLS Proxy Instance.
Step 3: Create the Phone Proxy instance. See the "Creating the Phone Proxy Instance" section.
Step 4: Configure the media termination address for the Phone Proxy. See Creating the Media Termination Instance.
Note: Before you enable SIP and Skinny inspection for the Phone Proxy (which is done by applying the Phone Proxy to a service policy rule), the Phone Proxy must have an MTA instance, TLS Proxy, and CTL file assigned to it. Additionally, once a Phone Proxy is applied to a service policy rule, the Phone Proxy cannot be changed or removed.
Step 5: Enable the Phone Proxy with SIP and Skinny inspection. See SIP Inspection and Skinny (SCCP) Inspection.
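
The prerequisite in the note above can be checked offline against a saved configuration before a service policy rule is applied. The following is an added example, not part of the Cisco guide: it assumes the CLI running-config form of the objects that the ASDM panes create (ctl-file, tls-proxy, media-termination, phone-proxy, and inspect sip/skinny phone-proxy lines), and every name in the sample is constructed.

```python
import re

# Constructed running-config excerpt (assumed CLI form); all names are made up.
SAMPLE_CONFIG = """\
ctl-file myctl
tls-proxy mytls
 server trust-point _internal_PP_myctl
media-termination my_mta
phone-proxy mypp
 media-termination my_mta
 tls-proxy mytls
 ctl-file myctl
phone-proxy broken_pp
 tls-proxy mytls
policy-map pp_policy
 class sec_sip
  inspect sip phone-proxy mypp
 class sec_sccp
  inspect skinny phone-proxy broken_pp
"""

REQUIRED = ("media-termination", "tls-proxy", "ctl-file")

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif line.strip() and current is not None:
            current.append(line.strip())
    return blocks

def audit_phone_proxy(config):
    """Return {name: [problems]} for each Phone Proxy used by SIP/Skinny inspection."""
    blocks = parse_blocks(config)
    top = {tuple(h.split()[:2]) for h in blocks}  # e.g. ("ctl-file", "myctl")
    findings = {}
    for name in re.findall(r"inspect (?:sip|skinny) phone-proxy (\S+)", config):
        body = blocks.get(f"phone-proxy {name}")
        if body is None:
            findings[name] = ["phone-proxy instance not defined"]
            continue
        assigned = dict(tuple(l.split()[:2]) for l in body if len(l.split()) >= 2)
        findings[name] = [
            f"{kind} {assigned[kind]} not defined" if kind in assigned
            else f"{kind} not assigned"
            for kind in REQUIRED if (kind, assigned.get(kind)) not in top]
    return findings
```

An empty list for a Phone Proxy name means all three prerequisites are assigned and defined; any other result should be resolved before the inspection rule is applied, because the Phone Proxy cannot be changed afterwards.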
Creating the CTL File
Create a Certificate Trust List (CTL) file that is required by the Phone Proxy. Specify the certificates needed by creating a new CTL file or by specifying the path of an existing CTL file to parse from Flash memory.

Create trustpoints and generate certificates for each entity in the network (CUCM, CUCM and TFTP, TFTP server, CAPF) that the IP phones must trust. The certificates are used in creating the CTL file. You need to create trustpoints for each CUCM (primary and secondary if a secondary CUCM is used) and TFTP server in the network. The trustpoints need to be in the CTL file for the phones to trust the CUCM.

Create the CTL File that will be presented to the IP phones during the TFTP. The address must be the translated or global address of the TFTP server or CUCM if NAT is configured.

When the file is created, it creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint is named _internal_PP_ctl-instance_filename.

Note: When a CTL file instance is assigned to the Phone Proxy, you cannot modify it in the CTL File pane and the pane is disabled. To modify a CTL File that is assigned to the Phone Proxy, go to the Phone Proxy pane (Configuration > Firewall > Unified Communications > Phone Proxy), and deselect the Use the Certificate Trust List File generated by the CTL instance check box.

Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 43
Configuring the Cisco Phone Proxy
OL-20339-01

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
