Installation and Administration Guide for Cisco Unified Mobility Advantage, Release 7.0
Configuring the Cisco Adaptive Security Appliance (ASA) for Use With Cisco Unified Mobility Advantage

Table Of Contents

Configuring the Cisco Adaptive Security Appliance (ASA) for Use With Cisco Unified Mobility Advantage

Cisco Adaptive Security Appliance Documentation

About Cisco Adaptive Security Appliance Deployment Options

Cisco Adaptive Security Appliance Installed as a Firewall

Cisco Adaptive Security Appliance Installed as a Proxy Server Only

Using the Cisco Adaptive Security Appliance Command-Line Interface

Configuring the Inside and Outside Interfaces Using the Command-Line Interface

Specifying NAT Rules

Setting Static Routes

Allowing Traffic Through to the Cisco Unified Mobility Advantage Server

How To Deploy Required And Recommended Certificates for the Cisco Adaptive Security Appliance

How to Obtain and Install a Cisco Adaptive Security Appliance-to-Client Certificate

(For Upgrades from Release 3.x) Importing the Cisco Adaptive Security Appliance-to-Client Certificate

(For New Installations) How to Obtain and Import the Cisco Adaptive Security Appliance-to-Client Certificate

Importing a Self-Signed Certificate from Cisco Unified Mobility Advantage

Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance

Setting up the TLS Proxy

Defining MMP Inspection

Testing Your Cisco Adaptive Security Appliance Configuration

Troubleshooting the Cisco Adaptive Security Appliance

Useful Commands

Fixing Unsuccessful Pings

SSL Handshake Failures

Debugging TLS-Proxy and MMP Configurations


Configuring the Cisco Adaptive Security Appliance (ASA) for Use With Cisco Unified Mobility Advantage


Revised Date: October 27, 2009

A Cisco Adaptive Security Appliance (ASA) is required for new installations and for upgrades, to provide secure connections to the Cisco Unified Mobility Advantage server.


Note For upgrades from Release 3.x, the Cisco Adaptive Security Appliance replaces the Proxy Server in Cisco Unified Mobility Advantage Release 3.x.


This chapter provides instructions for a basic configuration.

Cisco Adaptive Security Appliance Documentation

About Cisco Adaptive Security Appliance Deployment Options

Using the Cisco Adaptive Security Appliance Command-Line Interface

Configuring the Inside and Outside Interfaces Using the Command-Line Interface

Specifying NAT Rules

Setting Static Routes

Allowing Traffic Through to the Cisco Unified Mobility Advantage Server

How To Deploy Required And Recommended Certificates for the Cisco Adaptive Security Appliance

Setting up the TLS Proxy

Defining MMP Inspection

Testing Your Cisco Adaptive Security Appliance Configuration

Troubleshooting the Cisco Adaptive Security Appliance

Cisco Adaptive Security Appliance Documentation

For complete information on configuring the Cisco Adaptive Security Appliance, see the Cisco Adaptive Security Appliance documentation, including:

The Cisco ASA 5580 Adaptive Security Appliance Command Line Configuration Guide, Version 8.0. This book has a chapter on Configuring Cisco Unified Communications Proxy Features as well as useful information about configuring certificates and trustpoints. In the Cisco Adaptive Security Appliance documentation, Cisco Unified Mobility Advantage may be referred to as "Cisco UMA" and Cisco Unified Mobile Communicator as "Cisco UMC."

The Cisco Security Appliance Command Reference for version 8.0(4).

Find Cisco Adaptive Security Appliance documentation at http://cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html.

About Cisco Adaptive Security Appliance Deployment Options

In this deployment, the Cisco Adaptive Security Appliance has two interfaces, one internal-facing and one external-facing. These two interfaces must be connected to two different subnets (or VLANs) within the DMZ.

Cisco Unified Mobile Communicator clients send requests to a world-routable IP address for the Cisco Unified Mobility Advantage server in subnet 1 of the DMZ. The DMZ gateway sends this request to the Cisco Adaptive Security Appliance. The Cisco Adaptive Security Appliance translates the IP address to the private IP address of the Cisco Unified Mobility Advantage server in the intranet.

The Cisco Adaptive Security Appliance also translates all client source IP addresses coming from outside the network to a shared client IP address in subnet 2 of the DMZ, in order to route communications between the client and Cisco Unified Mobility Advantage.

The Cisco Adaptive Security Appliance can be installed on your network in one of two ways:

Cisco Adaptive Security Appliance Installed as a Firewall

Cisco Adaptive Security Appliance Installed as a Proxy Server Only

Cisco Adaptive Security Appliance Installed as a Firewall

Figure 2-1 shows Cisco Adaptive Security Appliance as a firewall.

Figure 2-1 Cisco Adaptive Security Appliance Installed as a Firewall

Diagram: Cisco Adaptive Security Appliance Installed as a Firewall

Cisco Adaptive Security Appliance Installed as a Proxy Server Only

You can install the Cisco Adaptive Security Appliance in the DMZ to act solely as a proxy server. Configurations in this chapter are based on this option.

Figure 2-2 shows an example of this process.

Figure 2-2 Cisco Adaptive Security Appliance Installed in the DMZ as Proxy Only

Diagram: Cisco Adaptive Security Appliance Installed in the DMZ as Proxy Only

Using the Cisco Adaptive Security Appliance Command-Line Interface

Configurations in this chapter use the Cisco Adaptive Security Appliance command line interface.

Procedure


Step 1 Open an SSH session to the appliance, or a console session using a terminal emulator such as HyperTerminal.

Step 2 Enter privileged EXEC mode and then global configuration mode, which gives access to all configuration commands:

enable

(Enter the enable password at the prompt. A factory-default appliance has an empty enable password; set one with the enable password command before the appliance is reachable from the network.)

configure terminal


Configuring the Inside and Outside Interfaces Using the Command-Line Interface

Before You Begin

Obtain necessary IP addresses. See Obtaining IP Addresses and DNS Names from IT, page 1-3.

Procedure


Step 1 Access the Cisco Adaptive Security Appliance command-line interface.

Step 2 Enter show run to see the list of interfaces for your Cisco Adaptive Security Appliance model.

For example, Cisco Adaptive Security Appliance 5505 calls the interfaces Vlan1 and Vlan2. For Cisco Adaptive Security Appliance 5520 and 5550, the interface name format is GigabitEthernetX/Y.

Step 3 Assign the IP address to the inside interface:

interface <inside interface name for your Cisco Adaptive Security Appliance model>

nameif inside

security-level 100

ip address <IP address of inside interface; in this example 10.1.1.2> <subnet mask>

Step 4 Assign the IP address to the outside interface:

interface <outside interface name for your Cisco Adaptive Security Appliance model>

nameif outside

security-level 0

ip address <IP address of outside interface; in this example 192.0.2.41> <subnet mask>


Specifying NAT Rules

This section is required only if your Cisco Adaptive Security Appliance is configured solely as a proxy server. Skip this section if your Cisco Adaptive Security Appliance is configured as a firewall.

This solution helps secure your internal servers by shielding their real IP addresses and open port numbers from direct external access by allowing external access only to proxy IP addresses and port numbers. Network Address Translation (NAT) and Port Address Translation (PAT) rules translate these public addresses and ports to private addresses and ports.

Configure the following rules for this solution:

Translate the public IP address and ports of your Cisco Unified Mobility Advantage server to the private IP address and ports.

Create a dynamic NAT rule to translate the source IP address of any Cisco Unified Mobile Communicator client to a single IP address that is allowed through the internal firewall. Cisco Unified Mobility Advantage sends responses back to the same IP address.

For example:

The client connects to the world-routable IP address of the Cisco Unified Mobility Advantage server: 192.0.2.41.

A NAT rule translates this address to the private IP address of the Cisco Unified Mobility Advantage server: 172.16.27.41.

Another NAT rule translates communications from all clients to a single IP address that the Cisco Adaptive Security Appliance will use for sending all client communications to the Cisco Unified Mobility Advantage server: 10.1.1.2.

For more information about NAT and PAT, see the configuration documentation for your Cisco Adaptive Security Appliance.

Before You Begin

Make sure that the necessary ports in the firewalls are open. See Opening Firewall Ports, page 1-5.

Procedure


Step 1 Access the Cisco Adaptive Security Appliance command-line interface.

Step 2 Translate all client IP addresses to a single source IP address for routing through the firewall to Cisco Unified Mobility Advantage:

global (<inside interface name>) <nat_id> <shared ip address to which all client ip addresses will be translated> netmask <subnet mask>

nat (<outside interface name>) <nat_id> 0 0 outside

The <nat_id> must be the same number in both commands (the example uses 1). Because the IP address that all clients share is the address of the inside interface itself, you can use the keyword interface instead of specifying the IP address. The 0 0 (shorthand for 0.0.0.0 0.0.0.0) matches every client source address, and the trailing outside keyword enables translation of addresses that arrive on the lower-security interface.

Example:

global (inside) 1 interface

nat (outside) 1 0.0.0.0 0.0.0.0 outside

Step 3 Translate the world-routable IP address of the Cisco Unified Mobility Advantage server to the private IP address of the Cisco Unified Mobility Advantage server:

static (<inside interface name,outside interface name>) tcp <world routable ip address of Cisco Unified Mobility Advantage server> <proxy client connection port> <private IP address of Cisco Unified Mobility Advantage server> <client connection port> netmask <subnet mask>

static (<inside interface name,outside interface name>) tcp <world routable ip address of Cisco Unified Mobility Advantage server> <proxy client download port> <private IP address of Cisco Unified Mobility Advantage server> <client download port> netmask <subnet mask>

Note that because the world-routable IP address of the Cisco Unified Mobility Advantage server is the same as the outside interface address, you can use interface instead of specifying the IP address. In each static command the first port is the public-side (proxy) port that clients connect to and the second is the port on which Cisco Unified Mobility Advantage actually listens; publish only these two ports. Use the same public-side ports when you write the access list for the outside interface and the MMP inspection access list.

Example:

static (inside,outside) tcp interface 5442 172.16.27.41 5443 netmask 255.255.255.255

static (inside,outside) tcp interface 9079 172.16.27.41 9080 netmask 255.255.255.255


Setting Static Routes

If your network architecture has the Cisco Adaptive Security Appliance installed as a proxy in the DMZ, you must specify static routes to the default gateways for the inside and outside interfaces.


Note If your Cisco Adaptive Security Appliance is installed as a firewall, you do not need to set a static route.


You may need to set two static routes, one to the default gateway of the subnet to which Cisco Adaptive Security Appliance is connected through its outside interface, and one to the default gateway to which Cisco Adaptive Security Appliance is connected through its inside interface. This is especially true if the private IP address of Cisco Unified Mobility Advantage is in a different network (for example, the internal corporate network) from the Cisco Adaptive Security Appliance server (for example, a DMZ network).

Procedure


Step 1 Access the Cisco Adaptive Security Appliance command-line interface.

Step 2 Specify a static route to the default gateway for each interface:

route <outside interface name> 0.0.0.0 0.0.0.0 <ip address of the default gateway of the outside subnet> 1

route <inside interface name> <private ip address of the Cisco Unified Mobility Advantage server> <netmask> <ip address of the default gateway of the inside subnet> 1

Example (using the addresses from the NAT example, where the Cisco Unified Mobility Advantage server is 172.16.27.41 and the inside gateway is 10.1.1.1):

route outside 0 0 10.10.10.1 1

route inside 172.16.27.0 255.255.255.0 10.1.1.1 1

The 0 0 in the outside route is shorthand for 0.0.0.0 0.0.0.0, that is, the default route. The inside route may be a host route (netmask 255.255.255.255) or the route to the subnet that contains the server, but it must cover the private address used in the static rules.


Allowing Traffic Through to the Cisco Unified Mobility Advantage Server

Create access lists to allow traffic through to the Cisco Unified Mobility Advantage server.

Procedure


Step 1 Access the Cisco Adaptive Security Appliance command-line interface.

Step 2 Allow traffic through:

access-list <id> extended permit tcp any host <world routable ip address of Cisco Unified Mobility Advantage server> eq <proxy client connection port>

access-list <id> extended permit tcp any host <world routable ip address of Cisco Unified Mobility Advantage server> eq <proxy client download port>

access-group <id> in interface <name of outside interface>

The ports are the public-side (proxy) ports, the same ports you used as the first port in each static rule, not the ports on which Cisco Unified Mobility Advantage listens: on this software release an access list applied to the outside interface matches the packet before it is translated. Permit only these two ports on the world-routable address; do not open the private server ports or any other port.

Example (using the ports from the static rules above):

access-list permit_cuma extended permit tcp any host <cuma proxy ip> eq 5442

access-list permit_cuma extended permit tcp any host <cuma proxy ip> eq 9079

access-group permit_cuma in interface outside


How To Deploy Required And Recommended Certificates for the Cisco Adaptive Security Appliance

Perform all of these procedures to deploy the required and recommended certificates on and from the Cisco Adaptive Security Appliance. You must perform additional procedures in Cisco Unified Mobility Advantage in conjunction with each of these procedures on the Cisco Adaptive Security Appliance.

How to Obtain and Install a Cisco Adaptive Security Appliance-to-Client Certificate

Importing a Self-Signed Certificate from Cisco Unified Mobility Advantage

Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance

How to Obtain and Install a Cisco Adaptive Security Appliance-to-Client Certificate

When Cisco Unified Mobile Communicator connects to the Cisco Adaptive Security Appliance, it requires the Cisco Adaptive Security Appliance to present a certificate signed by a recognized Certificate Authority (supported authorities are Verisign and GeoTrust).

(For Upgrades from Release 3.x) Importing the Cisco Adaptive Security Appliance-to-Client Certificate

(For New Installations) How to Obtain and Import the Cisco Adaptive Security Appliance-to-Client Certificate

(For Upgrades from Release 3.x) Importing the Cisco Adaptive Security Appliance-to-Client Certificate

Use this procedure if you are upgrading and are reusing the signed certificate from the Proxy Server you used with Release 3.1.2.

Restrictions

You can reuse the Proxy Server certificate only if you meet the restrictions detailed in Saving the SSL Certificate from the Proxy Server, page 5-8.

Otherwise, follow the procedure in (For New Installations) How to Obtain and Import the Cisco Adaptive Security Appliance-to-Client Certificate.

Before You Begin

You must upgrade Cisco Unified Mobility Advantage before you can import this certificate. Make sure that you have completed the following pre- and post-upgrade procedures:

Saving the SSL Certificate from the Proxy Server, page 5-8

Uploading the Proxy Server Certificate to Release 7.x, page 5-13

Downloading the Proxy Server Certificate and Preparing It for Use on the Cisco Adaptive Security Appliance, page 5-14

Procedure


Step 1 Import the signed certificate and its private key to the Cisco Adaptive Security Appliance in PKCS12 format:

crypto ca import <trustpoint-cuma-signed> pkcs12 <passphrase>

[paste the contents of the ssl64.p12 file here]

Include the BEGIN and END marker lines exactly as they appear in the file, make sure that there are no extra spaces at the end of any line, and end with the word "quit" on a line by itself. The passphrase is the one that was used when the PKCS12 file was exported. Afterward, confirm that the identity certificate is present with show crypto ca certificates.

Step 2 Import the intermediate certificate:

crypto ca trustpoint <trustpoint-cuma-signed>

enrollment terminal

crypto ca authenticate <trustpoint-cuma-signed>

[paste the contents of the intermediate certificate here]

The intermediate certificate is the second certificate in your_pemcert.pem, the PEM file that you created from the file you downloaded from the Cisco Unified Mobility Advantage during the prerequisites for this procedure.

Include the marker lines exactly as shown, with no extra spaces at the end of any line, and end with the word "quit" on a line by itself:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Step 3 Import the root certificate:

crypto ca trustpoint <trustpoint-cuma-root>

enrollment terminal

crypto ca authenticate <trustpoint-cuma-root>

[paste the contents of the root certificate here]

The root certificate is the third and last certificate in the PEM file your_pemcert.pem.

Include the marker lines exactly as shown, with no extra spaces at the end of any line, and end with the word "quit" on a line by itself:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
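The procedure above identifies the intermediate and root certificates by their position in your_pemcert.pem. Because the order of a bundle depends on how it was exported, the following added example (not part of the Cisco guide or of Cisco Unified Mobility Advantage) splits a PEM bundle into its certificates, recovers the server-to-root order by matching each certificate's Subject to the next certificate's Issuer, and re-emits each one with the exact five-dash markers and no trailing whitespace that the appliance's terminal enrollment expects. It uses only the Python standard library; the sample bundle at the bottom is constructed from structurally valid but unsigned certificates so that the example runs offline. The filename your_pemcert.pem and the certificate names are assumptions.

```python
import base64
import re

# Added example, not from the Cisco guide. The sample bundle is constructed.
PEM_BLOCK = re.compile(
    r"-{2,}BEGIN CERTIFICATE-{2,}\s*(.*?)\s*-{2,}END CERTIFICATE-{2,}", re.S)

def split_pem_bundle(text):
    """DER bytes of every certificate in the bundle, in file order.
    Tolerates truncated marker lines and trailing spaces (the copy-paste
    defects this chapter warns about); the appliance itself does not."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos: (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw DER of the Issuer and Subject Names of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # [0] version (optional) or serial
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    _, _, pos = _tlv(tbs, pos)               # validity
    _, subject, _ = _tlv(tbs, pos)           # subject Name
    return issuer, subject

def common_name(name_der):
    """The CN attribute of a DER-encoded Name, or None."""
    pos = 0
    while pos < len(name_der):
        _, rdn, pos = _tlv(name_der, pos)    # RelativeDistinguishedName ::= SET
        _, atv, _ = _tlv(rdn, 0)             # AttributeTypeAndValue ::= SEQUENCE
        _, oid, after_oid = _tlv(atv, 0)
        if oid == b"\x55\x04\x03":           # id-at-commonName (2.5.4.3)
            return _tlv(atv, after_oid)[1].decode("utf-8", "replace")
    return None

def order_chain(ders):
    """Order certificates leaf -> ... -> self-signed root. Raises ValueError when
    the bundle is not one unbroken chain, the case in which the positional rule
    (second = intermediate, third = root) silently picks the wrong certificate."""
    info = [issuer_and_subject(d) for d in ders]
    leaves = [i for i, (_, sub) in enumerate(info)
              if not any(j != i and iss == sub for j, (iss, _) in enumerate(info))]
    if len(leaves) != 1:
        raise ValueError("bundle does not contain exactly one end-entity certificate")
    chain, idx, seen = [], leaves[0], set()
    while True:
        seen.add(idx)
        chain.append(ders[idx])
        issuer, subject = info[idx]
        if issuer == subject:                # self-signed: the root
            return chain
        parents = [j for j, (_, s) in enumerate(info) if s == issuer and j not in seen]
        if not parents:
            raise ValueError("issuer of %s is missing from the bundle" % common_name(subject))
        idx = parents[0]

def to_pem(der):
    """PEM with the exact five-dash markers, 64-character lines, no trailing spaces."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)

def roles(bundle_text):
    """(CN, role) for each certificate in chain order; role is server, intermediate or root."""
    chain = order_chain(split_pem_bundle(bundle_text))
    last = len(chain) - 1
    return [(common_name(issuer_and_subject(d)[1]),
             "server" if i == 0 else "root" if i == last else "intermediate")
            for i, d in enumerate(chain)]

# --- constructed sample: structurally valid but unsigned certificates ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                       + _der(0x13, cn.encode("ascii")))))

def _fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

# Stored root-first, with four-dash markers and trailing spaces on every line,
# to show that the correct order is recovered from the certificates themselves.
SAMPLE_BUNDLE = "".join(
    to_pem(c).replace("-----", "----").replace("\n", "  \n")
    for c in (_fake_cert("Example Root CA", "Example Root CA"),
              _fake_cert("Example Intermediate CA", "Example Root CA"),
              _fake_cert("cuma-proxy.example.com", "Example Intermediate CA")))
```

To use it on a real bundle, read your_pemcert.pem into a string, call roles() to confirm which certificate is which, and paste to_pem() of the intermediate and root entries into the crypto ca authenticate steps above. The Issuer-to-Subject walk is the same relationship the appliance and the mobile clients use to build the chain, so a bundle that this function rejects will not validate on the device either.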


(For New Installations) How to Obtain and Import the Cisco Adaptive Security Appliance-to-Client Certificate

This procedure is required unless you are upgrading from Release 3.1.2 and reusing your signed certificate from your Proxy Server.

This procedure has several subprocedures:

Generate a Certificate Signing Request

Submit the Certificate Signing Request to the Certificate Authority

Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Generate a Certificate Signing Request

Before You Begin

Obtain the IP address and fully qualified domain name for the Proxy Host Name as specified in Obtaining IP Addresses and DNS Names from IT, page 1-3.

Determine required values for your company or organization name, organizational unit, country, and state or province. See the table in Creating Security Contexts, page 9-7. You must enter identical values in the Cisco Adaptive Security Appliance and in the relevant security context in Cisco Unified Mobility Advantage.

Procedure


Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair for this certificate:

crypto key generate rsa label <keypair-cuma-signed> modulus 1024

You will see a "Please wait..." message; look carefully for the prompt to reappear.

The modulus value of 1024 is the one this procedure was written with. Public Certificate Authorities no longer issue certificates for 1024-bit RSA keys, so use modulus 2048 unless your Certificate Authority instructs otherwise. The key size must be decided here, because the certificate request generated below is bound to this key pair.

Step 3 Create a trustpoint with the necessary information to generate the certificate request:

crypto ca trustpoint <trustpoint-cuma-signed>

subject-name CN=<Proxy Host Name of the Cisco Unified Mobility Advantage server. Use the Fully Qualified Domain Name.>,OU=<organization unit name>,O=<company or organization name as publicly registered>,C=<2 letter country code>,St=<state>,L=<city>

(For requirements for the Company, organization unit, Country, and State values, see the values you determined in the prerequisite for this procedure.)

keypair <keypair-cuma-signed>

fqdn <Proxy Host Name of the Cisco Unified Mobility Advantage server. This value must exactly match the value you entered for CN above.>

enrollment terminal

Step 4 Get the certificate signing request to send to the Certificate Authority:

crypto ca enroll <trustpoint-cuma-signed>

% Start certificate enrollment.

% The subject name in the certificate will be:CN=<Proxy Host Name of the Cisco Unified Mobility Advantage server>,OU=<organization unit name>,O=<organization name>,C=<2 letter country code>,St=<state>,L=<city>

% The fully-qualified domain name in the certificate will be: <Proxy Host Name of the Cisco Unified Mobility Advantage server>

% Include the device serial number in the subject name? [yes/no]: no

% Display Certificate Request to terminal? [yes/no]: yes

Step 5 Copy the entire text of the displayed Certificate Signing Request and paste it into a text file.

Include the BEGIN and END marker lines. If the appliance displays the request without delimiter lines, add them yourself; Certificate Authorities expect a PEM-encoded request delimited by -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----. Make sure that there are no extra spaces at the end of any line.

Step 6 Save the text file.


What To Do Next

Submit the Certificate Signing Request to the Certificate Authority

Submit the Certificate Signing Request to the Certificate Authority

You can obtain signed certificates for Cisco Unified Mobility Advantage from the following Certificate Authorities: VeriSign and GeoTrust. These certificates are supported because they are generally available on all mobile devices.

Before You Begin

Generate a Certificate Signing Request

Visit the web site of your chosen Certificate Authority to learn about the requirements and procedures for obtaining and deploying a signed 128-bit SSL certificate. If you are unsure which certificate to purchase, contact the Certificate Authority. Information about available certificates is subject to change.

Also, check the requirements for extending the certificate so that you maintain the necessary records.

Procedure


Step 1 Visit the Certificate Authority web site and follow their instructions.

You will need the CSR you generated above.

This process may take up to 24 hours.

Step 2 Wait for the signed certificate to arrive by email.

Step 3 Comply with any instructions that arrive with the certificate.

For example, you may need to copy an intermediate certificate from the certificate authority web site.


What To Do Next

Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Upload the Signed Certificate to the Cisco Adaptive Security Appliance

Before You Begin

You will need the signed certificate that you requested in Submit the Certificate Signing Request to the Certificate Authority.

Follow any deployment instructions from the Certificate Authority. For example, obtain any required intermediate certificate from the Certificate Authority web site.


Tip If you use a VeriSign certificate, information on obtaining root and intermediate certificates is here: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO4785


Procedure


Step 1 Authenticate the trustpoint by importing the intermediate certificate:

crypto ca authenticate <trustpoint-cuma-signed>

Paste the contents of the intermediate certificate from the Certificate Authority.

Include the marker lines exactly as shown, with no extra spaces at the end of any line:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

End with the word "quit" on a line by itself.

Step 2 Import the signed certificate:

crypto ca import <trustpoint-cuma-signed> certificate

Paste the contents of the signed certificate from the Certificate Authority, including its BEGIN and END marker lines.

End with the word "quit" on a line by itself.

Step 3 Add the root certificate:

crypto ca trustpoint <trustpoint-cuma-root>

enrollment terminal

crypto ca authenticate <trustpoint-cuma-root>

Paste the contents of the root certificate, including its BEGIN and END marker lines, and end with the word "quit" on a line by itself. Verify the result with show crypto ca certificates; the signed certificate, the intermediate certificate, and the root certificate should all be listed.


Importing a Self-Signed Certificate from Cisco Unified Mobility Advantage

The Cisco Adaptive Security Appliance requires a certificate in order to trust Cisco Unified Mobility Advantage.

The Cisco Adaptive Security Appliance does not automatically trust certificates signed by a recognized Certificate Authority; it trusts only certificates, or issuing Certificate Authorities, that have been imported into one of its trustpoints. Perform this procedure even if you deploy a signed certificate on Cisco Unified Mobility Advantage.

Before You Begin

Determine whether a self-signed certificate meets your needs. See options at Required and Recommended Self-Signed Certificates, page 9-3.

Install or upgrade Cisco Unified Mobility Advantage.

Perform one of the following:

After upgrade from Release 3.1.2, if you did not have a signed certificate on your Managed Server: See Downloading a Self-Signed Certificate from Cisco Unified Mobility Advantage for Import into the Cisco Adaptive Security Appliance, page 5-15.

After a new installation: After you complete the Configuration Wizard, perform the procedure in Downloading the Self-Signed Certificate (After Running the Configuration Wizard), page 7-25.

After any installation: Generate a self-signed certificate from Cisco Unified Mobility Advantage by Downloading Self-Signed Certificates from Cisco Unified Mobility Advantage, page 9-11

Procedure


Step 1 Open the self-signed certificate from Cisco Unified Mobility Advantage in WordPad, not Notepad. (Notepad does not recognize the Unix-style line endings used in the file and runs the certificate together on a single line.)

Step 2 Import the certificate into the Cisco Adaptive Security Appliance trust store:

crypto ca trustpoint <trustpoint-cuma-selfsigned>

enrollment terminal

crypto ca authenticate <trustpoint-cuma-selfsigned>

Select All and copy the contents of the certificate from WordPad.

Include the marker lines exactly as shown, with no extra spaces at the end of any line:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Paste into the Cisco Adaptive Security Appliance command-line interface window, then end with the word "quit" on a line by itself.


Related Topics

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance, page 9-4

What To Do Next

Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance

Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance

We recommend that you configure Cisco Unified Mobility Advantage to require a certificate from the Cisco Adaptive Security Appliance. Use this procedure to provide the required self-signed certificate.

Procedure


Step 1 Enter configuration mode:

conf t

Step 2 Generate a key pair:

crypto key generate rsa label <keypair-asa-cuma-selfsigned>

You will see a "Please wait..." message; look carefully for the prompt to reappear.

Step 3 Create the certificate:

crypto ca trustpoint <trustpoint-asa-cuma-selfsigned>

enrollment self

keypair <keypair-asa-cuma-selfsigned>

crypto ca enroll <trustpoint-asa-cuma-selfsigned>

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes

Step 4 Export the certificate:

crypto ca export <trustpoint-asa-cuma-selfsigned> identity-certificate

Step 5 Copy and paste the text into WordPad.

Include the marker lines exactly as shown. Make sure there are no extra spaces at the end of any line.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Step 6 Save the file as a text file.


Troubleshooting Tip

If you need to retrieve the certificate text later, use this command:
crypto ca export <trustpoint-name> identity-certificate

Related Topics

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance, page 9-4

What To Do Next

After you install or upgrade Cisco Unified Mobility Advantage, import the certificate into the Security Context that is specified on the System Management > Network Properties page in the Admin Portal in Cisco Unified Mobility Advantage. If you used, or will use, the Configuration Wizard, this is the cuma Security Context. See Importing Self-Signed Certificates from Trusted Servers, page 9-10.

Setting up the TLS Proxy

Use the Cisco Adaptive Security Appliance command-line interface to set up the TLS proxy. This procedure creates a TLS proxy instance for Cisco Unified Mobile Communicator client connections and for Cisco Adaptive Security Appliance communications with Cisco Unified Mobility Advantage.

Before You Begin

Import the signed certificate to present to clients. See How to Obtain and Install a Cisco Adaptive Security Appliance-to-Client Certificate.

Generate a self-signed certificate from Cisco Adaptive Security Appliance and import it into Cisco Unified Mobility Advantage. See Generate a Certificate for Cisco Unified Mobility Advantage from the Cisco Adaptive Security Appliance.

Procedure


Step 1 Run these commands to set up the TLS Proxy on the Cisco Adaptive Security Appliance:

tls-proxy <tls-proxy-name>

server trust-point <trustpoint-cuma-signed>

This is the trustpoint that holds the signed certificate that Cisco Adaptive Security Appliance will present to the mobile clients, which you imported above.

client trust-point <trustpoint-asa-cuma-selfsigned>

This is the trustpoint that holds the self-signed certificate that Cisco Adaptive Security Appliance will present to Cisco Unified Mobility Advantage, which you generated above and imported into Cisco Unified Mobility Advantage.

no server authenticate-client

With this setting the TLS proxy does not request a certificate from the mobile client during the handshake, so the client is not authenticated at the TLS layer. In this release the Cisco Adaptive Security Appliance must accept mobile client connections this way; client authentication is performed by Cisco Unified Mobility Advantage.

client cipher-suite aes128-sha1 aes256-sha1

This restricts the cipher suites that the Cisco Adaptive Security Appliance offers on its own connection to Cisco Unified Mobility Advantage to AES with SHA-1, excluding weaker suites such as DES and RC4.


Related Topics

Deploying Self-Signed Certificates: Cisco Adaptive Security Appliance, page 9-4

Defining MMP Inspection

This procedure enables inspection of the Mobile Multiplexing Protocol (MMP), the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage, and binds it to the TLS proxy so that the Cisco Adaptive Security Appliance terminates the client TLS session, inspects the MMP traffic, and re-encrypts it toward Cisco Unified Mobility Advantage. The access list must match the proxy client connection port, that is, the public-side port from the static rule.

Procedure


Step 1 Access the Cisco Adaptive Security Appliance command-line interface.

Step 2 Run these commands to define MMP inspection:

access-list mmp_inspect extended permit tcp any any eq <Proxy Client Connection Port>

class-map cuma_proxy

match access-list mmp_inspect

exit

policy-map global_policy

class cuma_proxy

inspect mmp tls-proxy <tls-proxy-name>

exit

exit

service-policy global_policy global


Testing Your Cisco Adaptive Security Appliance Configuration

Perform the following basic tests to be sure your configuration can successfully route communications internally and externally.

Procedure


Step 1 Ping the private IP address of the Cisco Unified Mobility Advantage server from the Cisco Adaptive Security Appliance.

Step 2 Ping an IP address on the internet.


What To Do Next

If either test is unsuccessful, see Fixing Unsuccessful Pings.

Troubleshooting the Cisco Adaptive Security Appliance

Useful Commands

Fixing Unsuccessful Pings

SSL Handshake Failures

Debugging TLS-Proxy and MMP Configurations

Useful Commands

The following are useful commands for troubleshooting your Cisco Adaptive Security Appliance configuration.

You may need to be in a particular mode, such as privileged EXEC, in order to use some of these commands.

For complete information on any command, see the Cisco Security Appliance Command Reference.

To
Use These Commands

Enable logs for troubleshooting

logging timestamp

logging list loglist message 711001

logging list loglist message 725001-725014

logging list loglist message 717001-717038

logging buffer-size 1000000

logging buffered loglist

logging debug-trace

Show the current logging configuration

show logging

Clear logs

clear logging buffer

Show the current configuration settings

show running-config

Show existing keypairs to see if a keypair has been generated.

sh crypto key mypubkey rsa

Display certificate information for one trustpoint to verify that its certificate was entered and imported correctly.

sh crypto ca certificates <trustpoint name>

Check configuration of all certificates on the Cisco Adaptive Security Appliance

sh crypto ca certificates

Check configuration of the certificate from Cisco Unified Mobility Advantage that you imported into the Cisco Adaptive Security Appliance

sh crypto ca trustpoints

Clear a command or remove a configured item, such as a trustpoint, to reconfigure it

no <command to clear>

Clear a configuration under a specific command so that you can reconfigure it

clear configure <command>

Example: To delete the tls proxy:

clear configure tls-proxy

Use the following commands to see what happens on the Cisco Adaptive Security Appliance when you try to connect using the client:

Show the information about the current tls-proxy session

sh tls-proxy session detail

Show debug messages for TLS proxy inspection

debug inspect tls-proxy

Show a list of active MMP sessions

show mmp

Display inspect MMP events

debug mmp


Related Topics

No Connectivity On Initial Tests, page 19-3

Some Clients Cannot Connect on Initial Tests, page 19-3

Fixing Unsuccessful Pings

Procedure

If
Do This

You cannot ping the private IP address of the Cisco Unified Mobility Advantage server from the Cisco Adaptive Security Appliance

a. Use the following command to check whether the first hop is your default router:
traceroute <private IP address of the Cisco Unified Mobility Advantage server> source inside

b. Check the routing commands for the inside interface.

c. Make sure that any access list applied to the inside interface, and the internal firewall between the DMZ and the server, allow the traffic.

You cannot ping an IP address on the internet from the Cisco Adaptive Security Appliance

Check the routing commands for the outside interface.


SSL Handshake Failures

Note the following:

SSL handshake errors can result from problems with the connection between the client and the Cisco Adaptive Security Appliance or between the Cisco Adaptive Security Appliance and Cisco Unified Mobility Advantage. Check both sets of configurations.

This error is benign: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: ssl handshake failure,

If a SSL Handshake error message causes the tls-proxy session to close, then check certificate configuration:

sh crypto ca certificates

sh crypto ca trustpoints

If any of the trustpoints shows as "Not configured", revisit the certificate portion of the configuration.
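The ping tests in Testing Your Cisco Adaptive Security Appliance Configuration confirm routing only; they say nothing about the TLS session that the mobile client actually sees. The following added example (not part of the Cisco guide) connects to the world-routable address the way a client would, validates the presented chain against the local system CA store, and reports the negotiated protocol and cipher together with the checks a client applies to the certificate: the name must match the Proxy Host Name exactly (as the trustpoint procedure requires), the validity period must contain the current time, and the certificate must not be self-signed. A handshake failure surfaces as an ssl.SSLError, which is the client-side view of the %ASA-7-725014 messages discussed above. The check functions operate on the dictionary that Python's ssl module returns for a peer certificate, so they run offline on the constructed sample; the host name cuma-proxy.example.com and the dates are made up.

```python
import socket
import ssl
import time

# Added example, not from the Cisco guide; names and dates below are constructed.

def _attrs(rdn_seq):
    """Flatten the ((('commonName', 'x'),), ...) form of getpeercert() into a dict."""
    return {k: v for rdn in rdn_seq for k, v in rdn}

def hostname_matches(cert, fqdn):
    """Exact match against SAN dNSName entries, falling back to the subject CN
    only when no SAN is present. The guide requires the CN to be the Proxy Host
    Name exactly, so wildcard matching is deliberately not attempted."""
    fqdn = fqdn.lower().rstrip(".")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _attrs(cert.get("subject", ())).get("commonName", "").lower()
    return fqdn in sans if sans else fqdn == cn

def check_proxy_cert(cert, fqdn, now):
    """Problems a mobile client would have with the presented certificate.
    `now` is a POSIX timestamp so that the check is reproducible."""
    problems = []
    if not hostname_matches(cert, fqdn):
        problems.append("name mismatch: certificate is not for %s" % fqdn)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired on %s" % cert["notAfter"])
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not yet valid (notBefore %s)" % cert["notBefore"])
    if _attrs(cert.get("subject", ())) == _attrs(cert.get("issuer", ())):
        problems.append("self-signed certificate: mobile clients will not trust it")
    return problems

def probe(host, port, fqdn, timeout=5.0):
    """Connect to the proxy address as a client would and report the session.
    Chain validation uses the local system CA store, which approximates the
    store on a mobile device; the name check is reported separately so that a
    mismatch is explained rather than hidden inside a generic handshake error."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED, system trust store
    ctx.check_hostname = False               # reported by check_proxy_cert() instead
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0],
                        "issuer": _attrs(cert["issuer"]).get("commonName"),
                        "problems": check_proxy_cert(cert, fqdn, time.time())}
    except (ssl.SSLError, OSError) as exc:   # chain rejected, reset, timeout, ...
        return {"ok": False, "problems": ["handshake or connection failed: %s" % exc]}

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "cuma-proxy.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA Intermediate"),)),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "cuma-proxy.example.com"),),
}

if __name__ == "__main__":
    import sys
    host, port, fqdn = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(probe(host, port, fqdn))   # e.g. probe against the proxy client connection port
```

Run the script from outside the network against the world-routable address and the proxy client connection port. An "ok" result with an empty problem list means the client-facing leg is sound; a failure here with a successful show tls-proxy session on the appliance points at the certificate presented to clients rather than at the connection between the appliance and Cisco Unified Mobility Advantage.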

Debugging TLS-Proxy and MMP Configurations

Try this procedure if connections are unsuccessful.

Procedure


Step 1 Use the following commands to enable debugging:

debug inspect tls-proxy all

debug mmp

Step 2 Use the following commands to check if MMP inspection is happening:

show mmp

show tls-proxy

Step 3 If you see MMP messages in the logs but no tls-proxy messages, check that the port in the MMP inspection access list is the proxy client connection port, that is, the public-side port published by the static rule, and not the port on which Cisco Unified Mobility Advantage listens.