Cisco Systems and the ASA Services Module Network Router User Manual


 
18-9
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 Configuring Cisco Mobility Advantage
Configuring Cisco Mobility Advantage
What to Do Next
Once you have created the TLS proxy instance, enable it for MMP inspection. See Enabling the TLS
Proxy for MMP Inspection, page 18-9.
Enabling the TLS Proxy for MMP Inspection
Cisco UMA client and server communications can be proxied via TLS, which decrypts the data, passes
it to the inspect MMP module, and re-encrypt the data before forwarding it to the endpoint. The inspect
MMP module verifies the integrity of the MMP headers and passes the OML/HTTP to an appropriate
handler.
Step 3
hostname(config-tlsp)# client trust-point proxy_name
Example:
hostname(config-tlsp)# client trust-point cuma_proxy
Specifies the trustpoint and associated certificate
that the ASA uses in the TLS handshake when the
ASA assumes the role of the TLS client.
The certificate must be owned by the ASA (identity
certificate).
Step 4
hostname(config-tlsp)# no server authenticate-client
Disables client authentication.
Disabling TLS client authentication is required
when the ASA must interoperate with a Cisco UMA
client or clients such as a Web browser that are
incapable of sending a client certificate.
Step 5
hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1
Specifies cipher suite configuration.
For client proxy (the proxy acts as a TLS client to
the server), the user-defined cipher suite replaces the
default cipher suite.
Command Purpose
Command Purpose
Step 1
hostname(config)# class-map class_map_name
Example:
hostname(config)# class-map cuma_tlsproxy
Configures the class of traffic to inspect. Traffic
between the Cisco UMA server and client uses MMP
and is handled by MMP inspection.
Where class_map_name is the name of the MMP
class map.
Step 2
hostname(config-cmap)# match port tcp eq port
Example:
hostname(config-cmap)# match port tcp eq 5443
Matches the TCP port to which you want to apply
actions for MMP inspection.
The TCP/TLS default port for MMP inspection is
5443.
Step 3
hostname(config-cmap)# exit
Exits from the Class Map configuration mode.
Step 4
hostname(config)# policy-map name
Example:
hostname(config)# policy-map global_policy
Configures the policy map and attaches the action to
the class of traffic.
Step 5
hostname(config-pmap)# class classmap-name
Example:
hostname(config-pmap)# class cuma_proxy
Assigns a class map to the policy map so that you
can assign actions to the class map traffic.
Where classmap_name is the name of the Skinny
class map.