Cisco Asdm 7 User Guide
    							 
    20-3
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 20      Configuring Cisco Unified Presence
      Information About Cisco Unified Presence
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060
For another Cisco UP with the address 10.0.0.3, you must use a different set of PAT ports, such as 45062 or 45070:
ciscoasa(config)# object network obj-10.0.0.3-01
ciscoasa(config-network-object)# host 10.0.0.3
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5061 45061
ciscoasa(config)# object network obj-10.0.0.3-02
ciscoasa(config-network-object)# host 10.0.0.3
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5062 45062
ciscoasa(config)# object network obj-10.0.0.3-03
ciscoasa(config-network-object)# host 10.0.0.3
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service udp 5070 5070
ciscoasa(config)# object network obj-10.0.0.3-05
ciscoasa(config-network-object)# host 10.0.0.3
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5070 45070
ciscoasa(config)# object network obj-10.0.0.3-04
ciscoasa(config-network-object)# host 10.0.0.3
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 45060
Dynamic NAT or PAT can be used for the rest of the outbound connections or the TLS handshake. The ASA SIP inspection engine takes care of the necessary translation (fixup).
ciscoasa(config)# object network obj-0.0.0.0-01
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 192.0.2.1
Figure 20-2 illustrates an abstracted scenario with Entity X connected to Entity Y through the presence federation proxy on the ASA. The proxy is in the same administrative domain as Entity X. Entity Y could have another ASA as the proxy, but this is omitted for simplicity.
Figure 20-2 Abstracted Presence Federation Proxy Scenario between Two Server Entities
[Figure 20-2 (image not reproduced). Labels recovered from the figure: Entity X / Enterprise X (Inside: 10.0.0.1, 10.0.0.2), ASA TLS Proxy (Outside: 192.0.2.1, 192.0.2.2, 192.0.2.254), Internet, Entity Y / Enterprise Y (Enterprise Y firewall omitted), SIP/TLS.]
For the Entity X domain name to be resolved correctly when the ASA holds its credential, the ASA could be configured to perform NAT for Entity X, and the domain name is resolved as the Entity X public address for which the ASA provides proxy service.
For further information about configuring Cisco Unified Presence Federation for SIP Federation, see the Integration Guide for Configuring Cisco Unified Presence for Interdomain Federation:
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Trust Relationship in the Presence Federation
Within an enterprise, a trust relationship can be set up by using self-signed certificates or by using an internal CA.
Establishing a trust relationship across enterprises or across administrative domains is key for federation. Across enterprises you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco UP (certificate impersonation).
For the TLS handshake, the two entities could validate the peer certificate via a certificate chain to trusted third-party certificate authorities. Both entities enroll with the CAs. The ASA as the TLS proxy must be trusted by both entities. The ASA is always associated with one of the enterprises. Within that enterprise (Enterprise X in Figure 20-1), the entity and the ASA could authenticate each other via a local CA, or by using self-signed certificates.
To establish a trusted relationship between the ASA and the remote entity (Entity Y), the ASA can enroll with the CA on behalf of Entity X (Cisco UP). In the enrollment request, the Entity X identity (domain name) is used.
Figure 20-3 shows the way to establish the trust relationship. The ASA enrolls with the third-party CA by using the Cisco UP FQDN as if the ASA were the Cisco UP.
Figure 20-3 How the Security Appliance Represents Cisco Unified Presence – Certificate Impersonation
[Figure 20-3 (image not reproduced). Labels recovered from the figure: Cisco UP; ASA; 3rd Party CA (Certificate Authority); "Enroll with FQDN of Cisco UP"; Certificate; Certificate with Private Key; Key 1; Key 2; TLS (Self-signed, or from local CA); TLS (Cisco UP Certificate); Internet; Access Proxy; LCS/OCS Director; Microsoft Presence Server; "Inspected and Modified (if needed)".]
Security Certificate Exchange Between Cisco UP and the Security Appliance
You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as cup_proxy) in the TLS handshake.
For the ASA to trust the Cisco UP certificate, you need to create a trustpoint to identify the certificate from the Cisco UP (such as cert_from_cup), and specify the enrollment type as terminal to indicate that you will paste the certificate received from the Cisco UP into the terminal.
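The trust setup described in the two passages above (the self-signed keypair and trustpoints exchanged with the local Cisco UP, and the ASA enrolling with a third-party CA under the Cisco UP FQDN for certificate impersonation), written out as an added ASA CLI example. This is not configuration from the guide or from Cisco. The names cup_proxy_key, cup_proxy and cert_from_cup are the ones the guide uses; the trustpoint name cup_thirdparty, the subject name asa-cup-proxy, the FQDN cup.example.com and the 2048-bit key size are constructed for this example.

```cisco
! Added example, not from the guide. cup_proxy_key, cup_proxy and cert_from_cup
! are the guide's names; cup_thirdparty, asa-cup-proxy and cup.example.com are
! constructed for illustration.

! 1. Keypair for the certificates the ASA presents (the guide's cup_proxy_key).
crypto key generate rsa label cup_proxy_key modulus 2048

! 2. Local side: the self-signed identity the ASA shows the Cisco UP in the TLS
!    handshake. Export it afterwards and install it on the Cisco UP as trusted.
crypto ca trustpoint cup_proxy
 enrollment self
 fqdn none
 subject-name cn=asa-cup-proxy
 keypair cup_proxy_key
crypto ca enroll cup_proxy noconfirm
crypto ca export cup_proxy identity-certificate

! 3. Local side, other direction: trust the certificate the Cisco UP sends.
!    "enrollment terminal" means the PEM certificate is pasted into the terminal
!    when "crypto ca authenticate" prompts for it.
crypto ca trustpoint cert_from_cup
 enrollment terminal
crypto ca authenticate cert_from_cup

! 4. Remote side (certificate impersonation): enroll with the third-party CA
!    using the Cisco UP's own FQDN, so Entity Y validates the ASA's certificate
!    through the CA chain as if it came from the Cisco UP. Import the CA
!    certificate first (authenticate), generate the request (enroll), then
!    paste the issued certificate back (import).
crypto ca trustpoint cup_thirdparty
 enrollment terminal
 fqdn cup.example.com
 subject-name cn=cup.example.com
 keypair cup_proxy_key
crypto ca authenticate cup_thirdparty
crypto ca enroll cup_thirdparty
crypto ca import cup_thirdparty certificate

! 5. Check: compare the imported Cisco UP certificate's fingerprint with the
!    value the Cisco UP administrator supplied out of band before relying on it.
show crypto ca certificates cert_from_cup
```

Both ASA identities reuse cup_proxy_key here for brevity; giving the third-party enrollment its own keypair keeps the federation identity's private key separate from the one used only toward the local Cisco UP, which is a reasonable choice when the two sides are administered by different teams.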
XMPP Federation Deployments
Figure 20-4 provides an example of an XMPP federated network between a Cisco Unified Presence enterprise deployment and an IBM Sametime enterprise deployment. TLS is optional for XMPP federation. ASA acts only as a firewall for XMPP federation; it does not provide TLS proxy functionality or PAT for XMPP federation.
Figure 20-4 Basic XMPP Federated Network between Cisco Unified Presence and IBM Sametime
There are two DNS servers within the internal Cisco Unified Presence enterprise deployment. One DNS server hosts the Cisco Unified Presence private address. The other DNS server hosts the Cisco Unified Presence public address and DNS SRV records for SIP federation (_sipfederationtls) and XMPP federation (_xmpp-server) with Cisco Unified Presence. The DNS server that hosts the Cisco Unified Presence public address is located in the local DMZ.
[Figure 20-4 (image not reproduced). Labels recovered from the figure: Enterprise X (CUCM, CUP (US) and CUP (UK) clusters with inter-cluster communication, DMZ, private network) and Enterprise Z (IBM Sametime Gateway, IBM Sametime Server, Directory, DMZ, private network) connected across the Internet; XMPP clients (Tom, Ann) and Sametime clients (Bob, Bill); "ASA functions as: Firewall; Open Port 5269; Pass-through for XMPP Requests; No Termination of connections" (ASA = Cisco Adaptive Security Appliance).]
For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.0 for Interdomain Federation:
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Configuration Requirements for XMPP Federation
For XMPP Federation, ASA acts as a firewall only. You must open port 5269 for both incoming and outgoing XMPP federated traffic on ASA.
These are sample ACLs to open port 5269 on ASA.
Allow traffic from any address to any address on port 5269:
access-list ALLOW-ALL extended permit tcp any any eq 5269
Allow traffic from any address to any single node on port 5269:
access-list ALLOW-ALL extended permit tcp any host  eq 5269
If you do not configure the ACL above, and you publish additional XMPP federation nodes in DNS, you must configure access to each of these nodes, for example:
object network obj_host_
#host 
object network obj_host_
#host 
object network obj_host_
#host 
....
Configure the following NAT commands:
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
If you publish a single public IP address in DNS, and use arbitrary ports, configure the following (this example is for two additional XMPP federation nodes):
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_25269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_35269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269
If you publish multiple public IP addresses in DNS all using port 5269, configure the following (this example is for two additional XMPP federation nodes):
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
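A complete version of the single-public-IP, arbitrary-port case above, as an added example that is not from the guide: it defines the network and service objects that the guide's nat commands reference but do not show, and pairs them with the inbound access list. The node addresses 10.0.0.10 and 10.0.0.11, the public address 192.0.2.5, the object names built from them and the ACL name OUTSIDE-IN are constructed for this example. XMPP server-to-server traffic is TCP, so only the tcp objects from the guide's pattern are shown; the udp lines would follow the same shape.

```cisco
! Added example, not from the guide. Addresses and object names are constructed.
! Two inside XMPP federation nodes published in DNS behind one public address
! on distinct ports: 192.0.2.5:25269 -> 10.0.0.10:5269 and
! 192.0.2.5:35269 -> 10.0.0.11:5269.
object network obj_host_10.0.0.10
 host 10.0.0.10
object network obj_host_10.0.0.11
 host 10.0.0.11
object network obj_host_192.0.2.5
 host 192.0.2.5

! Service objects the guide's nat lines reference: the left object in the nat
! command is the port on the real node, the right one the port shown to the
! Internet.
object service obj_tcp_source_eq_5269
 service tcp source eq 5269
object service obj_tcp_source_eq_25269
 service tcp source eq 25269
object service obj_tcp_source_eq_35269
 service tcp source eq 35269

! Static twice NAT, one rule per node. Each rule matches only traffic whose
! real source port is 5269 (and, inbound, the mapped destination port); a
! node's own outbound connections from ephemeral ports still fall through to
! the dynamic NAT rule for the rest of the traffic.
nat (inside,outside) source static obj_host_10.0.0.10 obj_host_192.0.2.5 service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269
nat (inside,outside) source static obj_host_10.0.0.11 obj_host_192.0.2.5 service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269

! Inbound access. Since ASA 8.3 an access list matches the real (untranslated)
! address and port, so permit 5269 to the inside node, not 25269 to the public
! address. Limiting the destination to the federation nodes is narrower than
! the guide's "permit tcp any any eq 5269".
access-list OUTSIDE-IN extended permit tcp any object obj_host_10.0.0.10 eq 5269
access-list OUTSIDE-IN extended permit tcp any object obj_host_10.0.0.11 eq 5269
access-group OUTSIDE-IN in interface outside

! Checks: verify the translations and watch the ACL hit counts once a remote
! domain connects.
show nat detail
show access-list OUTSIDE-IN
```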
Licensing for Cisco Unified Presence
The Cisco Unified Presence feature supported by the ASA requires a Unified Communications Proxy license.
The following table shows the Unified Communications Proxy license details by platform:
Note: This feature is not available on No Payload Encryption models.

Model                                License Requirement [1]
ASA 5505                             Base License and Security Plus License: 2 sessions.
                                     Optional license: 24 sessions.
ASA 5510                             Base License and Security Plus License: 2 sessions.
                                     Optional licenses: 24, 50, or 100 sessions.
ASA 5520                             Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5540                             Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5550                             Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5580                             Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. [2]
ASA 5512-X                           Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X                           Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X                           Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X                           Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5555-X                           Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-10               Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-20, -40, or -60  Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. [2]
ASA SM                               Base License: 2 sessions.
                                     Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. [2]

1. The following applications use TLS proxy sessions for their connections. Each TLS proxy session used by these applications (and only these applications) is counted against the UC license limit:
- Phone Proxy
- Presence Federation Proxy
- Encrypted Voice Inspection
Other applications that use TLS proxy sessions do not count towards the UC limit, for example, Mobility Advantage Proxy (which does not require a license) and IME (which requires a separate IME license).
Some UC applications might use multiple sessions for a connection. For example, if you configure a phone with a primary and backup Cisco Unified Communications Manager, there are 2 TLS proxy connections, so 2 UC Proxy sessions are used.
You independently set the TLS proxy limit using the Configuration > Firewall > Unified Communications > TLS Proxy pane. When you apply a UC license that is higher than the default TLS proxy limit, the security appliance automatically sets the TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the sessions in your UC license.
Note: For license part numbers ending in “K8” (for example, licenses under 250 users), TLS proxy sessions are limited to 1000. For license part numbers ending in “K9” (for example, licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the model limit. K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9 is restricted.
Note: If you clear the configuration, then the TLS proxy limit is set to the default for your model; if this default is lower than the UC license limit, then you see an error message to use the  to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover and use File > Save Running Configuration to Standby Unit on the primary unit to force a configuration synchronization, the clear configure all command is generated on the secondary unit automatically, so you may see the warning message on the secondary unit. Because the configuration synchronization restores the TLS proxy limit set on the primary unit, you can ignore the warning.
You might also use SRTP encryption sessions for your connections:
- For K8 licenses, SRTP sessions are limited to 250.
- For K9 licenses, there is no limit.
Note: Only calls that require encryption/decryption for media are counted towards the SRTP limit; if passthrough is set for the call, even if both legs are SRTP, they do not count towards the limit.
2. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

For more information about licensing, see Chapter 5, “Managing Feature Licenses for Cisco ASA Version 7.1,” in the general operations configuration guide.
Configuring Cisco Unified Presence Proxy for SIP Federation
This section contains the following topic:
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation, page 20-9
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy, where there is a single Cisco UP in the local domain and self-signed certificates are used between the Cisco UP and the ASA (like the scenario shown in Figure 20-1), perform the following tasks.
To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified Communications Wizard from the menu. The Unified Communications Wizard opens. From the first page, select the Cisco Unified Presence Proxy option under the Business-to-Business section.
The wizard automatically creates the necessary TLS proxy, then guides you through creating the Unified Presence Proxy instance and importing and installing the required certificates, and finally enables SIP and SCCP inspection for the Presence Federation traffic automatically.
The wizard guides you through four steps to create the Presence Federation Proxy:
Step 1 Select the Presence Federation Proxy option.
Step 2 Specify settings to define the proxy topology, such as the IP address of the Presence Federation server.
Step 3 Configure the local-side certificate management, namely the certificates that are exchanged between the local Unified Presence Federation server and the ASA.
Step 4 Configure the remote-side certificate management, namely the certificates that are exchanged between the remote server and the ASA.
The wizard completes by displaying a summary of the configuration created for Presence Federation. See the Unified Communications Wizard section in this documentation for more information.
Feature History for Cisco Unified Presence
Table 20-1 lists the release history for this feature.
Table 20-1 Feature History for Cisco Unified Presence
Feature Name                     Releases  Feature Information
Cisco Presence Federation Proxy  8.0(4)    The Cisco Unified Presence proxy feature was introduced.
Cisco Presence Federation Proxy  8.3(1)    The Unified Communications Wizard was added to ASDM. By using the wizard, you can configure the Cisco Presence Federation Proxy.
                                           Support for XMPP Federation was introduced.

Chapter 21 Configuring Cisco Intercompany Media Engine Proxy
    This chapter describes how to configure the ASA for Cisco Intercompany Media Engine Proxy. 
    This chapter includes the following sections: 
    Information About Cisco Intercompany Media Engine Proxy, page 21-1
    Licensing for Cisco Intercompany Media Engine, page 21-8
    Guidelines and Limitations, page 21-9
    Configuring Cisco Intercompany Media Engine Proxy, page 21-11
    Feature History for Cisco Intercompany Media Engine Proxy, page 21-37
    Information About Cisco Intercompany Media Engine Proxy
    This section includes the following topics:
    Features of Cisco Intercompany Media Engine Proxy, page 21-1
    How the UC-IME Works with the PSTN and the Internet, page 21-2
    Tickets and Passwords, page 21-3
    Call Fallback to the PSTN, page 21-5
    Architecture and Deployment Scenarios for Cisco Intercompany Media Engine, page 21-5
    Features of Cisco Intercompany Media Engine Proxy
    Cisco Intercompany Media Engine enables companies to interconnect on-demand, over the Internet with 
    advanced features made available by VoIP technologies. Cisco Intercompany Media Engine allows for 
    business-to-business federation between Cisco Unified Communications Manager clusters in different 
    enterprises by utilizing peer-to-peer, security, and SIP protocols to create dynamic SIP trunks between 
    businesses. A collection of enterprises work together to end up looking like one large business with 
    inter-cluster trunks between them. 
    The adaptive security appliance applies its existing TLS proxy, SIP Application Layer Gateway (ALG), 
    and SIP verification features to the functioning of Cisco Intercompany Media Engine. 
Cisco Intercompany Media Engine has the following key features:
• Works with existing phone numbers: Cisco Intercompany Media Engine works with the phone numbers an enterprise currently has and does not require an enterprise to learn new numbers or change providers to use Cisco Intercompany Media Engine.
• Works with existing IP phones: Cisco Intercompany Media Engine works with the existing IP phones within an enterprise. However, the feature set in business-to-business calls is limited to the capabilities of the IP phones.
• Does not require purchasing new services: Cisco Intercompany Media Engine does not require any new services from any service providers. Customers continue to use the PSTN connectivity they have and the Internet connectivity they have today. Cisco Intercompany Media Engine gradually moves calls off the PSTN and onto the Internet.
• Provides a full Cisco Unified Communications experience: Because Cisco Intercompany Media Engine creates inter-cluster SIP trunks between enterprises, any Unified Communication features that work over the SIP trunk and only require a SIP trunk work with the Cisco Intercompany Media Engine, thus providing a Unified Communication experience across enterprises.
• Works on the Internet: Cisco Intercompany Media Engine was designed to work on the Internet. It can also work on managed extranets.
• Provides worldwide reach: Cisco Intercompany Media Engine can connect to any enterprise anywhere in the world, as long as the enterprise is running Cisco Intercompany Media Engine technology. There are no regional limitations. This is because Cisco Intercompany Media Engine utilizes two networks that both have worldwide reach—the Internet and the PSTN.
• Allows for unlimited scale: Cisco Intercompany Media Engine can work with any number of enterprises.
• Is self-learning: The system is primarily self-learning. Customers do not have to enter information about other businesses: no phone prefixes, no IP addresses, no ports, no domain names, and no certificates. Customers need to configure information about their own networks, and provide policy information if they want to limit the scope of Cisco Intercompany Media Engine.
• Is secure: Cisco Intercompany Media Engine is secure, utilizing a large number of different technologies to accomplish this security.
• Includes anti-spam: Cisco Intercompany Media Engine prevents people from setting up software on the Internet that spams enterprises with phone calls. It provides an extremely high barrier to entry.
• Provides for QoS management: Cisco Intercompany Media Engine provides features that help customers manage the QoS on the Internet, such as the ability to monitor QoS of the RTP traffic in real time and fall back to the PSTN automatically if problems arise.
How the UC-IME Works with the PSTN and the Internet
The Cisco Intercompany Media Engine utilizes two networks that both have worldwide reach—the Internet and the PSTN. Customers continue to use the PSTN connectivity they have. The Cisco Intercompany Media Engine gradually moves calls off the PSTN and onto the Internet. However, if QoS problems arise, the Cisco Intercompany Media Engine Proxy monitors QoS of the RTP traffic in real time and falls back to the PSTN automatically.
The Cisco Intercompany Media Engine uses information from PSTN calls to validate that the terminating side owns the number that the originating side called. After the PSTN call terminates, the enterprises involved in the call send information about the call to their Cisco IME server. The Cisco IME server on the originating side validates the call. Figure 21-1 shows the initial call flow through the PSTN.
    						