
ASA-CUMA Proxy step-by-step Configuration

Documentation
Overview
Prerequisites
Topology
Step by Step Configuration
  1. Create static 1-1 NAT or static PAT for the CUMA server by entering the following command.
  2. Create access-list for inspection port and apply the acl on the outside interface
  3. Generating CSR on the ASA.
  4. Install the CUMA server's self-signed ID cert on to the ASA's trust store.
  5. Exporting the ASA self-signed cert to be imported onto the CUMA server
  6. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server
  7. Enable the TLS proxy for MMP (Mobile Multiplexing Protocol) inspection
Configure logging and debugs for troubleshooting
Show commands
Capturing packets

Documentation
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

8.0.x http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/unified_comm.html#wp1096839

8.2.x http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/unified_comm_cuma.html

Postings may contain unverified user-created content and change frequently. The content is provided as-is and is not warrantied by Cisco. 1


Overview
The Cisco CUMA proxy allows secure connectivity (mobility proxy) between Cisco Unified Mobility Advantage clients and servers. The ASA in this solution delivers inspection for the MMP (formerly called OLWP) protocol, the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating and re-originating the TLS signaling between the Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage.

Prerequisites
The following are required before the phone proxy feature will work correctly.

The ASA firewall must be running at least version 8.0(4).
The ASA must have the appropriate license installed. Issue the "sh ver" command and make sure 3DES is enabled.

cuma-asa# show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(4)
....
VPN-3DES-AES : Enabled

Topology
cuma_server----(inside)ASA(outside)---Router----Internet Cloud

Cuma_server internal ip address - 192.168.1.10
Cuma_server translated address - 100.100.100.10
asa inside interface ip - 192.168.1.1
ssl port - 5443



Step by Step Configuration


1. Create static 1-1 NAT or static PAT for the CUMA server by entering the following command.
1-1 NAT:
cuma-asa(config)# static (inside,outside) 100.100.100.10 192.168.1.10

(or) Static PAT:
cuma-asa(config)# static (inside,outside) tcp 100.100.100.10 5443 192.168.1.10 5443

2. Create access-list for inspection port and apply the acl on the outside interface
cuma-asa(config)# access-list outside-acl permit tcp any host 100.100.100.10 eq 5443
cuma-asa(config)# access-group outside-acl in interface outside

3. Generating CSR on the ASA.


This step is needed to install a Verisign or Geotrust (CA-signed) certificate on the ASA.

a. Generate a key-pair. The following procedure needs to be done on the ASA.



cuma-asa(config)# crypto key gen rsa label asa-veri mod 1024
INFO: The name for the keys will be: asa-veri
Keypair generation process begin. Please wait..

b. Create a trustpoint with all the information needed to generate the CSR. The subject name here must be exactly the same name that the mobile phones will use to access CUMA. If the phones will go to https://cuma1.cisco.com:5443 then use CN=cuma1.cisco.com.

cuma-asa(config)# crypto ca trustpoint asa-to-mobile
cuma-asa(config-ca-trustpoint)# subject-name CN=cuma1.cisco.com,OU=Voice,O=Cisco
cuma-asa(config-ca-trustpoint)# keypair asa-veri
cuma-asa(config-ca-trustpoint)# fqdn none
cuma-asa(config-ca-trustpoint)# enrollment terminal

c. Enroll the trustpoint

cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-to-mobile
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: y
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=cuma1.cisco.com,OU=Voice,O=Cisco
% The fully-qualified domain name will not be included in the certificate
% Include the device serial number in the subject name? [yes/no]: n



Display Certificate Request to terminal? [yes/no]: y

Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
Certificate data omitted
-----END CERTIFICATE REQUEST-----

d. The above CSR needs to be sent off to Verisign or Geotrust. Once you get the signed certificate back, import the signed cert:

Remember - IMPORT the ID CERT - AUTHENTICATE the CA CERT

cuma-asa(config)# crypto ca import asa-to-mobile cert
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Would you like to continue with this enrollment? [yes/no]: y

% The fully-qualified domain name in the certificate will be: cuma1.cisco.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself

e. Now authenticate the trustpoint with the certificate of the CA that issued your ID cert.

It is critical that you have the entire certificate chain in the ASA's truststore so that the mobile device can properly validate the certificates during the SSL handshake.

cuma-asa(config)# crypto ca authenticate asa-to-mobile
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

** Paste the contents of the cert **



f. If you authenticated the intermediate cert in the above step, then you must add your root certificate to the truststore in a separate trustpoint. Each trustpoint can hold at most one ID cert and one CA cert.

cuma-asa(config)# crypto ca trustpoint asa-to-mobile-root
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca authenticate asa-to-mobile-root
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself

** Paste the contents of the root cert. **

4. Install the CUMA server's self-signed ID cert on to the ASA's trust store.
This certificate will be used for the communication between the ASA and CUMA.

a. Create a self-signed cert on the CUMA server

The following needs to be done on the CUMA server

1. Sign in to the Cisco Unified Mobility Advantage Admin portal.
2. Select the [+] beside Security Context Management.
3. Select

b. Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage

The following needs to be done on the CUMA server

1. Select the [+] beside Security Context Management.
2. Select Security Contexts.



3. Select Manage Context beside the security context that holds the certificate to download.
4. Select Download Certificate. If the certificate is a chain (has associated root or intermediate certificates), only the first certificate in the chain is downloaded. This is sufficient for self-signed certificates.
5. Save the file.

c. Adding a self-signed certificate from Cisco Unified Mobility Advantage onto the ASA.

The following needs to be done on the ASA

1. Open the self-signed certificate from Cisco Unified Mobility Advantage in WordPad (not Notepad).
2. Import the certificate in

5. Exporting the ASA self-signed cert to be imported onto the CUMA server

We recommend that you configure Cisco Unified Mobility Advantage to require a certificate from the Cisco Adaptive Security A

6. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server
ASA to mobile phone communication is on the outside and the ASA to CUMA communication is on the inside.

In the communication between the ASA and the mobile clients, the ASA acts as the server.
In the communication between the ASA and CUMA, the ASA acts as the client.

cuma-asa(config)# tls-proxy cuma_proxy
cuma-asa(config-tlsp)# server trust-point asa-to-mobile
cuma-asa(config-tlsp)# client trust-point asa-self-signed-id-cert
cuma-asa(config-tlsp)# no server authenticate-client



cuma-asa(config-tlsp)# client cipher-suite aes128-sha1 aes256-sha1

7. Enable the TLS proxy for MMP (Mobile Multiplexing Protocol) inspection


cuma-asa(config)# class-map cuma-proxy
cuma-asa(config-cmap)# match port tcp eq 5443
cuma-asa(config)# policy-map global_policy
cuma-asa(config-pmap)# class cuma-proxy
cuma-asa(config-pmap-c)# inspect mmp tls-proxy cuma_proxy
cuma-asa(config-pmap-c)# exit
cuma-asa(config)# service-policy global_policy global
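Before putting this on a production ASA it is worth checking that the objects from steps 1, 2, 6 and 7 actually reference each other: the name given to "inspect mmp tls-proxy" must match the tls-proxy instance, the trustpoints the proxy uses must exist, and the class-map port must be the one the static PAT and the outside ACL open. A stray hyphen or underscore in a name is enough to leave the traffic uninspected while every individual command is accepted. The Python script below is an added example, not code from the original document or from Cisco; it parses a constructed running-config assembled from this guide's commands and reports those mismatches. The asa-self-signed-id-cert trustpoint with "enrollment self" is an assumption standing in for the truncated step 5, and the parser only understands the handful of commands used in this guide.

```python
# Added example, not part of the original Cisco document: a consistency check
# over the ASA objects from steps 1, 2, 6 and 7 of this guide.
import re

# Constructed sample assembled from the guide's commands.  The trustpoint
# 'asa-self-signed-id-cert' with 'enrollment self' is an assumption for the
# truncated step 5; the inspect line carries a deliberate '-' vs '_' slip.
CONFIG_BROKEN = """\
static (inside,outside) tcp 100.100.100.10 5443 192.168.1.10 5443
access-list outside-acl permit tcp any host 100.100.100.10 eq 5443
access-group outside-acl in interface outside
crypto ca trustpoint asa-to-mobile
 subject-name CN=cuma1.cisco.com,OU=Voice,O=Cisco
 enrollment terminal
crypto ca trustpoint asa-self-signed-id-cert
 enrollment self
tls-proxy cuma_proxy
 server trust-point asa-to-mobile
 client trust-point asa-self-signed-id-cert
 no server authenticate-client
class-map cuma-proxy
 match port tcp eq 5443
policy-map global_policy
 class cuma-proxy
  inspect mmp tls-proxy cuma-proxy
service-policy global_policy global
"""
CONFIG_FIXED = CONFIG_BROKEN.replace("tls-proxy cuma-proxy", "tls-proxy cuma_proxy")

def parse_asa_config(text):
    """Extract the objects the CUMA proxy depends on from running-config text."""
    cfg = {"pat_ports": set(), "acl_ports": {}, "access_groups": {}, "trustpoints": set(),
           "tls_proxies": {}, "class_maps": {}, "policy_maps": {}}
    block = None          # (kind, name) of the open top-level object
    current_class = None  # class currently open inside a policy-map
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command closes any open block
            block, current_class = None, None
            if words[0] == "static" and words[2] in ("tcp", "udp"):
                cfg["pat_ports"].add(int(words[4]))  # static PAT global port
            elif words[0] == "access-list" and (m := re.search(r"\beq (\d+)$", line)):
                cfg["acl_ports"].setdefault(words[1], set()).add(int(m.group(1)))
            elif words[0] == "access-group":
                cfg["access_groups"][words[1]] = words[-1]
            elif words[:3] == ["crypto", "ca", "trustpoint"]:
                cfg["trustpoints"].add(words[3])
            elif words[0] == "tls-proxy":
                block = ("tls-proxy", words[1]); cfg["tls_proxies"][words[1]] = {}
            elif words[0] == "class-map":
                block = ("class-map", words[1]); cfg["class_maps"][words[1]] = set()
            elif words[0] == "policy-map":
                block = ("policy-map", words[1]); cfg["policy_maps"][words[1]] = {}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "tls-proxy" and words[1:2] == ["trust-point"]:
            cfg["tls_proxies"][name][words[0]] = words[2]  # role -> trustpoint name
        elif kind == "class-map" and words[:4] == ["match", "port", "tcp", "eq"]:
            cfg["class_maps"][name].add(int(words[4]))
        elif kind == "policy-map" and words[0] == "class":
            current_class = words[1]
            cfg["policy_maps"][name][current_class] = None
        elif kind == "policy-map" and words[:3] == ["inspect", "mmp", "tls-proxy"]:
            cfg["policy_maps"][name][current_class] = words[3]
    return cfg

def check_cuma_proxy(text):
    """Return a list of findings; an empty list means the objects line up."""
    cfg = parse_asa_config(text)
    findings = []
    acl_ports = set()
    for acl in cfg["access_groups"]:  # only ACLs actually applied to an interface count
        if acl not in cfg["acl_ports"]:
            findings.append(f"access-group references undefined ACL '{acl}'")
        else:
            acl_ports |= cfg["acl_ports"][acl]
    for pm, classes in cfg["policy_maps"].items():
        for cls, proxy in classes.items():
            if proxy is None:
                continue  # no mmp inspection in this class
            for port in cfg["class_maps"].get(cls, ()):
                if port not in acl_ports:
                    findings.append(f"class-map {cls}: tcp/{port} is not permitted by the applied ACL")
                if cfg["pat_ports"] and port not in cfg["pat_ports"]:
                    findings.append(f"class-map {cls}: tcp/{port} has no static PAT entry")
            if proxy not in cfg["tls_proxies"]:
                findings.append(f"policy-map {pm}: inspect mmp references undefined tls-proxy '{proxy}'")
                continue
            for role in ("server", "client"):
                tp = cfg["tls_proxies"][proxy].get(role)
                if tp is None:
                    findings.append(f"tls-proxy {proxy}: no {role} trust-point configured")
                elif tp not in cfg["trustpoints"]:
                    findings.append(f"tls-proxy {proxy}: {role} trust-point '{tp}' is not defined")
    return findings

if __name__ == "__main__":
    for label, conf in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(label, check_cuma_proxy(conf) or "OK")
```

Run against the broken sample it reports the undefined tls-proxy name; against the corrected sample it reports nothing. Feeding it the output of "sh run static", "sh run tls-proxy" and "sh run policy-map" from the Show commands section, concatenated with the ACL and trustpoint lines, gives the same check on a live box.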

Configure logging and debugs for troubleshooting


The following commands will send debugs and logs to the syslog server.

debugs:

cuma-asa(config)# debug inspect tls-proxy all
cuma-asa(config)# debug mmp

logs:

cuma-asa(config)# logging enable
cuma-asa(config)# logging timestamp
cuma-asa(config)# logging list loglist message 711001

Show commands
sh cry ca cert
sh cry ca trustpoint
sh run tls-proxy
sh run policy-map
sh run static



Capturing packets

cuma-asa# capture capout interface outside (capturing raw packets)
cuma-asa# capture capout-dec type tls-proxy interface outside (

