Filter
Top Products
19-9
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 19 Configuring Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
• Creating Trustpoints and Generating Certificates, page 19-9
• Installing Certificates, page 19-10
• Creating the TLS Proxy Instance, page 19-12
• Enabling the TLS Proxy for SIP Inspection, page 19-13
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP
Federation
To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where
there is a single Cisco UP that is in the local domain and self-signed certificates are used between the
Cisco UP and the ASA (like the scenario shown in Figure 19-1), perform the following tasks.
Step 1 Create the following static NAT for the local domain containing the Cisco UP.
For the inbound connection to the local domain containing the Cisco UP, create static PAT by entering
the following command:
hostname(config)# object network name
hostname(config-network-object)# host real_ip
hostname(config-network-object)# nat (real_ifc,mapped_ifc) static mapped_ip service {tcp |
udp} real_port mapped_port
Note For each Cisco UP that could initiate a connection (by sending SIP SUBSCRIBE) to the foreign
server, you must also configure static PAT by using a different set of PAT ports.
For outbound connections or the TLS handshake, use dynamic NAT or PAT. The ASA SIP inspection
engine takes care of the necessary translation (fixup).
hostname(config)# object network name
hostname(config-network-object)# subnet real_ip netmask
hostname(config-network-object)# nat (real_ifc,mapped_ifc) dynamic mapped_ip
For information about configuring NAT and PAT for the Cisco Presence Federation proxy, see Chapter 4,
“Configuring Network Object NAT” and Chapter 5, “Configuring Twice NAT”.
Step 2 Create the necessary RSA keypairs and proxy certificate, which is a self-signed certificate, for the
remote entity. See Creating Trustpoints and Generating Certificates, page 19-9.
Step 3 Install the certificates. See Installing Certificates, page 19-10.
Step 4 Create the TLS proxy instance for the Cisco UP clients connecting to the Cisco UP server. See Creating
the TLS Proxy Instance, page 19-12.
Step 5 Enable the TLS proxy for SIP inspection. See Enabling the TLS Proxy for SIP Inspection, page 19-13.
Creating Trustpoints and Generating Certificates
You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and
configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as
cup_proxy) in the TLS handshake.