Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
53-5
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 53 Configuring the TLS Proxy for Encrypted Voice Inspection
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
For more information about licensing, see Chapter 4, “Managing Feature Licenses.”
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Before configuring TLS proxy, the following prerequisites are required:
You must set clock on the security appliance before configuring TLS proxy. To set the clock
manually and display clock, use the clock set and show clock commands. We recommend that the
security appliance use the same NTP server as the Cisco Unified CallManager cluster. TLS
handshake may fail due to certificate validation failure if clock is out of sync between the security
appliance and the Cisco Unified CallManager server.
3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default
cipher used by the Cisco Unified CallManager and Cisco IP Phone.
Import the following certificates which are stored on the Cisco UCM. These certificates are required
by the ASA for the phone proxy.
Cisco_Manufacturing_CA
CAP-RTP-001
CAP-RTP-002
CAPF certificate (Optional)
If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF
certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you
must import all of them to the ASA.
See Chapter 52, “Configuring the Cisco Phone Proxy.”For example, the CA Manufacturer certificate
is required by the phone proxy to validate the IP phone certificate.
Configuring the TLS Proxy for Encrypted Voice Inspection
This section includes the following topics:
Configure TLS Proxy Pane, page 53-7
Adding a TLS Proxy Instance, page 53-8
Add TLS Proxy Instance Wizard – Server Configuration, page 53-9
Add TLS Proxy Instance Wizard – Client Configuration, page 53-10
Add TLS Proxy Instance Wizard – Other Steps, page 53-12
Edit TLS Proxy Instance – Server Configuration, page 53-13
Edit TLS Proxy Instance – Client Configuration, page 53-14
ASA 5550 2000 4500
ASA 5580 4000 13,000
Table 53-1 Default and Maximum TLS Sessions on the Security Appliance
Security Appliance Platform Default TLS Sessions Maximum TLS Sessions