Support User Manuals

Cisco Systems ASA 5585-X Network Router User Manual

Open as PDF

of 2086

53-5

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter 53 Configuring the TLS Proxy for Encrypted Voice Inspection

Prerequisites for the TLS Proxy for Encrypted Voice Inspection

For more information about licensing, see Chapter 4, “Managing Feature Licenses.”

Prerequisites for the TLS Proxy for Encrypted Voice Inspection

Before configuring TLS proxy, the following prerequisites are required:

• You must set clock on the security appliance before configuring TLS proxy. To set the clock

manually and display clock, use the clock set and show clock commands. We recommend that the

security appliance use the same NTP server as the Cisco Unified CallManager cluster. TLS

handshake may fail due to certificate validation failure if clock is out of sync between the security

appliance and the Cisco Unified CallManager server.

• 3DES-AES license is needed to interoperate with the Cisco Unified CallManager. AES is the default

cipher used by the Cisco Unified CallManager and Cisco IP Phone.

• Import the following certificates which are stored on the Cisco UCM. These certificates are required

by the ASA for the phone proxy.

–

Cisco_Manufacturing_CA

–

CAP-RTP-001

–

CAP-RTP-002

–

CAPF certificate (Optional)

If LSC provisioning is required or you have LSC enabled IP phones, you must import the CAPF

certificate from the Cisco UCM. If the Cisco UCM has more than one CAPF certificate, you

must import all of them to the ASA.

See Chapter 52, “Configuring the Cisco Phone Proxy.”For example, the CA Manufacturer certificate

is required by the phone proxy to validate the IP phone certificate.

Configuring the TLS Proxy for Encrypted Voice Inspection

This section includes the following topics:

• Configure TLS Proxy Pane, page 53-7

• Adding a TLS Proxy Instance, page 53-8

• Add TLS Proxy Instance Wizard – Server Configuration, page 53-9

• Add TLS Proxy Instance Wizard – Client Configuration, page 53-10

• Add TLS Proxy Instance Wizard – Other Steps, page 53-12

• Edit TLS Proxy Instance – Server Configuration, page 53-13

• Edit TLS Proxy Instance – Client Configuration, page 53-14

ASA 5550 2000 4500

ASA 5580 4000 13,000

Table 53-1 Default and Maximum TLS Sessions on the Security Appliance

Security Appliance Platform Default TLS Sessions Maximum TLS Sessions

previous next