Home > Cisco > Computer Equipment > Cisco Asdm 7 User Guide

Cisco Asdm 7 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Asdm 7 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

669

670

671

672

673

674

675

676

677

678

679

680

681

682

683

684

685

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712

713

714

715

716

717

718

719

720

721

722

723

724

725

726

727

728

729

730

731

732

733

734

735

736

737

738

739

740

741

742

743

744

745

746

747

748

749

750

751

752

753

754

View all the pages

Add page 461 to Favourites

image text

Enable zoom

18-9
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
Adding a TLS Proxy Instance
NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP
signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified
Communications features on the ASA.
This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy
pane.
Step 1Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2To add a new TLS Proxy Instance, click Add.
The Add TLS Proxy Instance Wizard opens.
Step 3In the TLS Proxy Name field, type the TLS Proxy name.
Step 4Click Next.
The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens. In this step of the wizard,
configure the server proxy parameters for original TLS Server—the Cisco Unified Call Manager
(CUCM) server, the Cisco Unified Presence Server (CUPS), or the Cisco Unified Mobility Advantage
(CUMA) server. See Add TLS Proxy Instance Wizard – Server Configuration, page 18-9.
After configuring the server proxy parameters, the wizard guides you through configuring client proxy
parameters (see Add TLS Proxy Instance Wizard – Client Configuration, page 18-10) and provides
instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional (see Add
TLS Proxy Instance Wizard – Other Steps, page 18-12).
Add TLS Proxy Instance Wizard – Server Configuration
NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP
signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified
Communications features on the ASA.
The Add TLS Proxy Instance Wizard is available from the Configuration > Firewall > Unified
Communications > TLS Proxy pane.
Step 1Complete the first step of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance,
page 18-9.
The Add TLS Proxy Instance Wizard – Server Configuration dialog box opens.
Step 2Specify the server proxy certificate by doing one of the following:
To add a new certificate, click Manage. The Manage Identify Certificates dialog box opens.

Add page 462 to Favourites

image text

Enable zoom

18-10
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM
certificate by clicking Add in the Manage Identify Certificates dialog box. See the “Configuring
Identity Certificates Authentication” section on page 40-55 in the general operations configuration
guide.
To select an existing certificate, select one from the drop-down list.
When you are configuring the TLS Proxy for the Phone Proxy, select the certificate that has a
filename beginning with _internal_PP_. When you create the CTL file for the Phone Proxy, the
ASA, creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint
is named _internal_PP_ctl-instance_filename.
The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The
trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example,
for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with
the IP phones.
Step 3To install the TLS server certificate in the ASA trust store, so that the ASA can authenticate the TLS
server during TLS handshake between the proxy and the TLS server, click Install TLS Server’s
Certificate.
The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on
page 40-10 in the general operations configuration guide. Click Add to open the Install Certificate
dialog box. See the “Adding or Installing a CA Certificate” section on page 40-13 in the general
operations configuration guide.
When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate
and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP
phones on behalf of the CUCM server.
Step 4To require the ASA to present a certificate and authenticate the TLS client during TLS handshake, check
the Enable client authentication during TLS Proxy handshake check box.
When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable
the check box when the client is incapable of sending a client certificate.
Step 5Click Next.
The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens. In this step of the wizard,
configure the client proxy parameters for original TLS Client—the CUMC client for Mobile Advantage,
CUP or MS LCS/OCS client for Presence Federation, or the IP phone for the Phone Proxy. See Add TLS
Proxy Instance Wizard – Client Configuration, page 18-10.
After configuring the client proxy parameters, the wizard provides instructions on the steps to complete
outside the ASDM to make the TLS Proxy fully functional (see Add TLS Proxy Instance Wizard – Other
Steps, page 18-12).
Add TLS Proxy Instance Wizard – Client Configuration
NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.
Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP
signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified
Communications features on the ASA.

Add page 463 to Favourites

image text

Enable zoom

18-11
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy
pane.
Step 1Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance,
page 18-9 and Add TLS Proxy Instance Wizard – Client Configuration, page 18-10.
The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.
Step 2To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option
when the client proxy certificate is being used between two servers; for example, when configuring the
TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS
client and TLS server are both servers.
a.Check the Specify the proxy certificate for the TLS Client... check box.
b.Select a certificate from the drop-down list.
Or
To create a new client proxy certificate, click Manage. The Manage Identify Certificates dialog box
opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the
general operations configuration guide.
NoteWhen you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode
for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate
authority to issue client or server dynamic certificates.
Step 3To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and
configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS
clients.
a.Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones...
check box.
b.Click the Certificates radio button and select a self-signed certificate from the drop-down list or
click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See
the “Configuring Identity Certificates Authentication” section on page 40-55 in the general
operations configuration guide.
Or
Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you
specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA
server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using
the Local CA” section on page 40-63 in the general operations configuration guide.
NoteTo make configuration changes after the local certificate authority has been configured for
the first time, disable the local certificate authority.
c.In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined
RSA key pair used by client dynamic certificates. To see the key pair details, including generation
time, usage, modulus size, and key data, click Show.
Or

Add page 464 to Favourites

image text

Enable zoom

18-12
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring
Identity Certificates Authentication” section on page 40-55 in the general operations configuration
guide for details about the Key Pair fields.
Step 4In the Security Algorithms area, specify the available and active algorithms to be announced or matched
during the TLS handshake.
Available Algorithms—Lists the available algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
Add—Adds the selected algorithm to the active list.
Remove—Removes the selected algorithm from the active list.
Active Algorithms—Lists the active algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting
as a TLS client to the server), the user-defined algorithms replace the original ones from the hello
message for asymmetric encryption method between the two TLS legs. For example, the leg between
the proxy and Call Manager may be NULL cipher to offload the Call Manager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.
Step 5Click Next.
The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box
provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional
(see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).
Add TLS Proxy Instance Wizard – Other Steps
NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.
The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to
make TLS Proxy fully functional. In particular, you need to perform the following tasks to complete the
TLS Proxy configuration:
Export the local CA certificate or LDC Issuer and install them on the original TLS server.
To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management >
Identity Certificates > Export. See the “Exporting an Identity Certificate” section on page 40-58 in
the general operations configuration guide.
For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See
SIP Inspection, page 12-20 and Skinny (SCCP) Inspection, page 12-32. When you are configuring
the TLS Proxy for Presence Federation (which uses CUP), you only enable SIP inspection because
the feature supports only the SIP protocol.
For the TLS Proxy for CUMA, enable MMP inspection.
When using the internal Certificate Authority of the ASA to sign the LDC Issuer for TLS clients,
perform the following:
–Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL
file on the ASA.

Add page 465 to Favourites

image text

Enable zoom

18-13
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in Cisco
Unified CallManager Security Guide.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuauth.html
To install the CTL file on the ASA, go to Configuration > Firewall > Unified Communications
> CTL Provider > Add. The Add CTL Provider dialog box opens. For information on using this
dialog box to install the CTL file, see Add/Edit CTL Provider, page 18-7.
–Create a CTL provider instance for connections from the CTL clients. See Add/Edit CTL
Provider, page 18-7.
Edit TLS Proxy Instance – Server Configuration
NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.
The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting
with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.
Use the Edit TLS Proxy – Server Configuration tab to edit the server proxy parameters for the original
TLS Server—the Cisco Unified Call Manager (CUCM) server, the Cisco Unified Presence Server
(CUPS), or the Cisco Unified Mobility Advantage (CUMA) server.
Step 1Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2To edit a TLS Proxy Instance, click Edit.
The Edit TLS Proxy Instance dialog box opens.
Step 3If necessary, click the Server Configuration tab.
Step 4Specify the server proxy certificate by doing one of the following:
To add a new certificate, click Manage. The Manage Identify Certificates dialog box opens.
When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM
certificate by clicking Add in the Manage Identify Certificates dialog box. See the “Configuring CA
Certificate Authentication” section on page 40-13 in the general operations configuration guide.
To select an existing certificate, select one from the drop-down list.
When you are configuring the TLS Proxy for the Phone Proxy, select the certificate that has a
filename beginning with _internal_PP_. When you create the CTL file for the Phone Proxy, the
ASA, creates an internal trustpoint used by the Phone Proxy to sign the TFTP files. The trustpoint
is named _internal_PP_ctl-instance_filename.
The server proxy certificate is used to specify the trustpoint to present during the TLS handshake. The
trustpoint can be self-signed or enrolled locally with the certificate service on the proxy. For example,
for the Phone Proxy, the server proxy certificate is used by the Phone Proxy during the handshake with
the IP phones.
Step 5To install the TLS server certificate in the ASA trust store, so that the ASA can authenticate the TLS
server during TLS handshake between the proxy and the TLS server, click Install TLS Server’s
Certificate.

Add page 466 to Favourites

image text

Enable zoom

18-14
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on
page 40-10 in the general operations configuration guide. Click Add to open the Install Certificate
dialog box. See the “Configuring CA Certificate Authentication” section on page 40-13 in the general
operations configuration guide.
When you are configuring the TLS Proxy for the Phone Proxy, click Install TLS Server’s Certificate
and install the Cisco Unified Call Manager (CUCM) certificate so that the proxy can authenticate the IP
phones on behalf of the CUCM server.
Step 6To require the ASA to present a certificate and authenticate the TLS client during TLS handshake, check
the Enable client authentication during TLS Proxy handshake check box.
When adding a TLS Proxy Instance for Mobile Advantage (the CUMC client and CUMA server), disable
the check box when the client is incapable of sending a client certificate.
Step 7Click Apply to save the changes.
Edit TLS Proxy Instance – Client Configuration
NoteThis feature is not supported for the Adaptive Security Appliance version 8.1.2.
The TLS Proxy enables inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting
with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.
The fields in the Edit TLS Proxy dialog box are identical to the fields displayed when you add a TLS
Proxy instance. Use the Edit TLS Proxy – Client Configuration tab to edit the client proxy parameters
for the original TLS Client, such as IP phones, CUMA clients, the Cisco Unified Presence Server
(CUPS), or the Microsoft OCS server.
Step 1Open the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Step 2To edit a TLS Proxy Instance, click Edit.
The Edit TLS Proxy Instance dialog box opens.
Step 3If necessary, click the Client Configuration tab.
Step 4To specify a client proxy certificate to use for the TLS Proxy, perform the following. Select this option
when the client proxy certificate is being used between two servers; for example, when configuring the
TLS Proxy for Presence Federation, which uses the Cisco Unified Presence Server (CUPS), both the TLS
client and TLS server are both servers.
a.Check the Specify the proxy certificate for the TLS Client... check box.
b.Select a certificate from the drop-down list.
Or
To create a new client proxy certificate, click Manage. The Manage Identify Certificates dialog box
opens. See the “Configuring Identity Certificates Authentication” section on page 40-55 in the
general operations configuration guide.

Add page 467 to Favourites

image text

Enable zoom

18-15
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
NoteWhen you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode
for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate
authority to issue client or server dynamic certificates.
Step 5To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and
configure the LDC Issuer option, the ASA acts as the certificate authority and issues certificates to TLS
clients.
a.Click the Specify the internal Certificate Authority to sign the local dynamic certificate for phones...
check box.
b.Click the Certificates radio button and select a self-signed certificate from the drop-down list or
click Manage to create a new LDC Issuer. The Manage Identify Certificates dialog box opens. See
the “Configuring Identity Certificates Authentication” section on page 40-55 in the general
operations configuration guide.
Or
Click the Certificate Authority radio button to specify a Certificate Authority (CA) server. When you
specify a CA server, it needs to be created and enabled in the ASA. To create and enable the CA
server, click Manage. The Edit CA Server Settings dialog box opens. See the “Authenticating Using
the Local CA” section on page 40-63 in the general operations configuration guide.
NoteTo make configuration changes after the local certificate authority has been configured for
the first time, disable the local certificate authority.
c.In the Key-Pair Name field, select a key pair from the drop-list. The list contains the already defined
RSA key pair used by client dynamic certificates. To see the key pair details, including generation
time, usage, modulus size, and key data, click Show.
Or
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring
Identity Certificates Authentication” section on page 40-55 in the general operations configuration
guide for details about the Key Pair fields.
Step 6In the Security Algorithms area, specify the available and active algorithms to be announced or matched
during the TLS handshake.
Available Algorithms—Lists the available algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
Add—Adds the selected algorithm to the active list.
Remove—Removes the selected algorithm from the active list.
Active Algorithms—Lists the active algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting
as a TLS client to the server), the user-defined algorithms replace the original ones from the hello
message for asymmetric encryption method between the two TLS legs. For example, the leg between
the proxy and Call Manager may be NULL cipher to offload the Call Manager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.
Step 7Click Apply to save the changes.

Add page 468 to Favourites

image text

Enable zoom

18-16
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
TLS Proxy
TLS Proxy
This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1.
NoteThis feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version
8.1.2.
Use the TLS Proxy option to enable inspection of SSL encrypted VoIP signaling, namely Skinny and
SIP, interacting with Cisco CallManager.
The TLS Proxy pane lets you define and configure Transaction Layer Security Proxy to enable
inspection of encrypted traffic.
Fields
TLS Proxy Name—Lists the TLS Proxy name.
Server—Lists the trustpoint, which is either self-signed or enrolled with a certificate server.
Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server
dynamic certificates.
Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client or server dynamic
certificates.
Add—Adds a TLS Proxy.
Edit—Edits a TLS Proxy.
Delete—Deletes a TLS Proxy.
Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
–Specify the maximum number of TLS Proxy sessions that the ASA needs to support. By default,
ASA supports 300 sessions.—Enables maximum number of sessions option.
–Maximum number of sessions:—The minimum is 1. The maximum is dependent on the
platform. The default is 300.
Add/Edit TLS Proxy
NoteThis feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version
8.1.2.
The Add/Edit TLS Proxy dialog box lets you define the parameters for the TLS Proxy.
Fields
TLS Proxy Name—Specifies the TLS Proxy name.
Server Configuration—Specifies the proxy certificate name.
–Server—Specifies the trustpoint to be presented during the TLS handshake. The trustpoint could
be self-signed or enrolled locally with the certificate service on the proxy.
Client Configuration—Specifies the local dynamic certificate issuer and key pair.
–Local Dynamic Certificate Issuer—Lists the local certificate authority to issue client or server
dynamic certificates.

Add page 469 to Favourites

image text

Enable zoom

18-17
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
Feature History for the TLS Proxy for Encrypted Voice Inspection
Certificate Authority Server—Specifies the certificate authority server.
Certificate—Specifies a certificate.
Manage—Configures the local certificate authority. To make configuration changes after it has
been configured for the first time, disable the local certificate authority.
–Local Dynamic Certificate Key Pair—Lists the RSA key pair used by client dynamic
certificates.
Key-Pair Name—Specifies a defined key pair.
Show—Shows the key pair details, including generation time, usage, modulus size, and key
data.
New—Lets you define a new key pair.
More Options—Specifies the available and active algorithms to be announced or matched during the
TLS handshake.
–Available Algorithms—Lists the available algorithms to be announced or matched during the
TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
Add—Adds the selected algorithm to the active list.
Remove—Removes the selected algorithm from the active list.
–Active Algorithms—Lists the active algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy
(acting as a TLS client to the server), the user-defined algorithms replace the original ones from
the hello message for asymmetric encryption method between the two TLS legs. For example,
the leg between the proxy and CallManager may be NULL cipher to offload the CallManager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.
Feature History for the TLS Proxy for Encrypted Voice Inspection
Table 18-2 lists the release history for this feature.
Table 18-2 Feature History for Cisco Phone Proxy
Feature Name Releases Feature Information
TLS Proxy 8.0(2) The TLS proxy feature was introduced.

Add page 470 to Favourites

image text

Enable zoom

							 
18-18
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 18      Configuring the TLS Proxy for Encrypted Voice Inspection
  Feature History for the TLS Proxy for Encrypted Voice Inspection

All Cisco manuals Comments (0)