Contents
Documentation
Overview
Prerequisites
Topology
Step by Step Configuration
1. Create static 1-1 NAT or static PAT for the CUMA server by entering the following command.
2. Create access-list for inspection port and apply the acl on the outside interface
3. Generating CSR on the ASA.
4. Install the CUMA server's self-signed ID cert on to the ASA's trust store.
5. Exporting the ASA self-signed cert to be imported onto the CUMA server
6. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server
7. Enable the TLS proxy for MMP (Mobile Multiplexing Protocol) inspection
Configure logging and debugs for troubleshooting
Show commands
Capturing packets
Documentation
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
Postings may contain unverified user-created content and change frequently. The content is provided as-is and is not warrantied by Cisco. 1
Overview
The Cisco CUMA proxy provides secure connectivity (mobility proxy) between Cisco Unified Mobility Advantage clients and servers. In this solution the ASA delivers inspection for the MMP (formerly called OLWP) protocol, the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating and re-originating the TLS signaling between the Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage.
Prerequisites
The following are required before the phone proxy feature will work correctly.
The ASA firewall must be running at least version 8.0(4).
The ASA must have the appropriate license installed. Issue the "sh ver" command and make sure 3DES is enabled.
cuma-asa# show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 5.2(4)
....
VPN-3DES-AES : Enabled
Topology
cuma_server----(inside)ASA(outside)---Router----Internet Cloud
Cuma_server internal ip address - 192.168.1.10
Cuma_server translated address - 100.100.100.10
asa inside interface ip - 192.168.1.1
ssl port - 5443
2. Create access-list for inspection port and apply the acl on the outside interface
cuma-asa(config)# access-list outside-acl permit tcp any host 100.100.100.10 eq 5443
cuma-asa(config)# access-group outside-acl in int outside
cuma-asa(config)# crypto key gen rsa label asa-veri mod 1024
INFO: The name for the keys will be: asa-veri
Keypair generation process begin. Please wait..
b. Create a trustpoint with all the information needed to generate the CSR. The subject name here must be exactly the name the mobile phones will use to reach CUMA: if the phones connect to https://cuma1.cisco.com:5443, then use CN=cuma1.cisco.com.
cuma-asa(config)# crypto ca trustpoint asa-to-mobile
cuma-asa(config-ca-trustpoint)# subject-name CN=cuma1.cisco.com,OU=Voice,O=Cisco
cuma-asa(config-ca-trustpoint)# keypair asa-veri
cuma-asa(config-ca-trustpoint)# fqdn none
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca enroll asa-to-mobile
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: y
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=cuma1.cisco.com,OU=Voice,O=Cisco
d. The above CSR needs to be sent to a public CA such as Verisign or Geotrust. Once you receive the signed certificate, import it:
cuma-asa(config)# crypto ca import asa-to-mobile cert
WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.
% The fully-qualified domain name in the certificate will be: cuma1.cisco.com
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
e. Now authenticate the trustpoint with the certificate of the CA that issued your ID cert.
It is critical that the entire certificate chain is present in the ASA's truststore, so that the mobile device can properly validate the certificates during the SSL handshake.
cuma-asa(config)# crypto ca authenticate asa-to-mobile
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
f. If you authenticated the intermediate cert in the above step, then you must add your root certificate to the truststore in a separate trustpoint. Each trustpoint can hold at most one ID cert and one CA cert.
cuma-asa(config)# crypto ca trustpoint asa-to-mobile-root
cuma-asa(config-ca-trustpoint)# enrollment terminal
cuma-asa(config-ca-trustpoint)# crypto ca authenticate asa-to-mobile-root
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
4. Install the CUMA server's self-signed ID cert on to the ASA's trust store.
This certificate will be used for the communication between the ASA and CUMA.
1 Sign in to the Cisco Unified Mobility Advantage Admin portal.
2 Select the [+] beside Security Context Management.
3 Select
b. Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage
The following needs to be done on the CUMA:
1 Select the [+] beside Security Context Management.
2 Select Security Contexts.
3 Select Manage Context beside the security context that holds the certificate to download.
4 Select Download Certificate. If the certificate is a chain (has associated root or intermediate certificates), only the first certificate in the chain is downloaded. This is sufficient for self-signed certificates.
5 Save the file.
C. Adding a self-signed certificate from Cisco Unified Mobility Advantage onto the ASA.
1. Open the self-signed certificate from Cisco Unified Mobility Advantage in WordPad (not Notepad).
2. Import the certificate in
5. Exporting the ASA self-signed cert to be imported onto the CUMA server
We recommend that you configure Cisco Unified Mobility Advantage to require a certificate from the Cisco Adaptive Security A
6. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server
ASA to mobile phone communication takes place on the outside interface, and ASA to CUMA communication on the inside interface.
In the communication between the ASA and the mobile clients, the ASA acts as the server.
In the communication between the ASA and CUMA, the ASA acts as the client.
cuma-asa(config)# tls-proxy cuma_proxy
cuma-asa(config-tlsp)# server trust-point asa-to-mobile
cuma-asa(config-tlsp)# client trust-point asa-self-signed-id-cert
cuma-asa(config-tlsp)# no server authenticate-client
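As an added example (not from the original document), the configuration below shows the TLS proxy instance above attached to MMP inspection for the translated CUMA address and port from the topology section; the class-map, policy-map and `inspect mmp tls-proxy` lines are assumed, since the document's own step 7 is not reproduced on this page.

```cisco
! Added example: TLS proxy from step 6 plus the policy that applies it to MMP.
! Trustpoint names, the translated address 100.100.100.10 and port 5443 follow
! the document; the class-map/policy-map names are assumptions.
tls-proxy cuma_proxy
 server trust-point asa-to-mobile
 client trust-point asa-self-signed-id-cert
 no server authenticate-client
!
! Classify only the MMP/TLS port the phones use, so inspection is not applied
! to unrelated TCP traffic.
class-map cuma-mmp-class
 match port tcp eq 5443
!
! Inspect MMP inside the decrypted TLS proxy session.
policy-map global_policy
 class cuma-mmp-class
  inspect mmp tls-proxy cuma_proxy
!
service-policy global_policy global
```

Because the ASA terminates TLS toward the phones with the asa-to-mobile trustpoint, the chain authenticated in step 3 (intermediate and root) must be complete or the handshake from the handset will fail validation.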
logs:
Show commands
sh cry ca cert
sh cry ca trustpoint
sh run tls-proxy
sh run policy-map
sh run static
Capturing packets
cuma-asa# capture capout interface outside (capturing raw packets)
cuma-asa# capture capout-dec type tls-proxy interface outside (