21-25
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 21 Configuring Cisco Intercompany Media Engine Proxy
Configuring Cisco Intercompany Media Engine Proxy
What to Do Next
Once you have created the TLS proxy, enable it for SIP inspection.
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
Enable the TLS proxy for SIP inspection and define policies for both entities that could initiate the
connection.
The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on
page 21-11 for an illustration explaining the example command lines in this task.
Note If you want to change any Cisco Intercompany Media Engine Proxy settings after you enable SIP
inspection, you must enter the no service-policy
command, and then reconfigure the service policy as
described in this procedure. Removing and reconfiguring the service policy does not affect existing calls;
however, the first call traversing the Cisco Intercompany Media Engine Proxy will fail. Enter the clear
connection command and restart the ASA.
To enable SIP inspection for the Cisco Intercompany Media Engine Proxy, perform the following steps:
Step 6
hostname(config-tlsp)# server trust-point
proxy_trustpoint
Example:
hostname(config-tlsp)# server trust-point local-ent
For inbound connections, specifies the proxy
trustpoint certificate presented during TLS
handshake. The certificate must be owned by the
adaptive security appliance (identity certificate).
Where proxy_trustpoint specifies the trustpoint
defined by the crypto ca trustpoint command in
Step 2 in “Creating Trustpoints and Generating
Certificates” section on page 21-21.
Because the TLS proxy has strict definition of client
proxy and server proxy, two TLS proxy instances
must be defined if either of the entities could initiate
the connection.
Step 7
hostname(config-tlsp)# client cipher-suite
cipher_suite
Example:
hostname(config-tlsp)# client cipher-suite
aes128-sha1 aes256-sha1 3des-sha1 null-sha1
For inbound connections, controls the TLS
handshake parameter for the cipher suite.
Where
cipher_suite includes des-sha1, 3des-sha1,
aes128-sha1, aes256-sha1, or null-sha1.
Step 8
hostname(config-tlsp)# exit
Exits from the TSL proxy configuration mode.
Step 9
hostname(config)# ssl encryption 3des-shal
aes128-shal [algorithms]
Specifies the encryption algorithms that the
SSL/TLS protocol uses. Specifying the 3des-shal
and aes128-shal is required. Specifying other
algorithms is optional.
Note The Cisco Intercompany Media Engine
Proxy requires that you use strong
encryption. You must specify this command
when the proxy is licensed using a K9
license.
Command Purpose