21-27
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 21 Configuring Cisco Intercompany Media Engine Proxy
Configuring Cisco Intercompany Media Engine Proxy
What to Do Next
Once you have enabled the TLS proxy for SIP inspection, if necessary, configure TLS within the
enterprise. See (Optional) Configuring TLS within the Local Enterprise, page 21-27.
(Optional) Configuring TLS within the Local Enterprise
This task is not required if TCP is allowable within the inside network.
TLS within the enterprise refers to the security status of the Cisco Intercompany Media Engine trunk as
seen by the ASA.
Note If the transport security for the Cisco Intercompany Media Engine trunk changes on Cisco UCM, it must
be changed on the ASA as well. A mismatch will result in call failure. The ASA does not support SRTP
with non-secure IME trunks. The ASA assumes SRTP is allowed with secure trunks. So ‘SRTP Allowed’
must be checked for IME trunks if TLS is used. The ASA supports SRTP fallback to RTP for secure IME
trunk calls.
Prerequisites
On the local Cisco UCM, download the Cisco UCM certificate. See the Cisco Unified Communications
Manager documentation for information. You will need this certificate when performing Step 6 of this
procedure.
Procedure
To configure TLS within the local enterprise, perform the following steps on the local ASA:
Step 14
hostname(config-pmap)# exit
Exits from the policy map configuration mode.
Step 15
hostname(config)# service-policy policymap_name
global
Examples:
hostname(config)# service-policy ime-policy global
Enables the service policy for SIP inspection for all
interfaces.
Where
policymap_name is the name of the policy
map you created in Step 7 of this task.
See Creating the Cisco Intercompany Media Engine
Proxy, page 21-18 for information about the
UC-IME proxy settings. See CLI configuration
guide for information about the no service-policy
command.
Command Purpose