Cisco ASA Proxy Features
Cisco ASA Firewall allows signaling traffic decryption and re-encryption by virtue of the TLS Proxy feature, which enables the inspection engine to look into the packet contents. This alleviates the issue of NAT/ALG-aware firewalls not being able to look into the encrypted (SRTP/TLS) voice and video streams. Cisco ASA supports two major proxy modes:
- TLS Proxy: Enables Cisco ASA to decrypt and inspect encrypted signaling before Cisco ASA re-encrypts the signaling to the destination, thereby ensuring that all traffic passing through the firewall is compliant with the organization’s security policy. TLS Proxy requires encrypted endpoints on the outside and inside of an ASA-brokered network, which implies that the CUCM cluster within the organization is in mixed mode (a mixed-mode cluster is in secure mode, as explained later in this chapter).
- Phone Proxy: Secures remote access for encrypted Cisco Unified IP Phone endpoints and VLAN traversal for Cisco softphones. It enables a remote user to plug in an IP Phone directly to a hotel/home network and make secure calls through the centralized CUCM cluster via the Internet. Moreover, unlike TLS Proxy, Phone Proxy doesn’t require internal endpoints to be encrypted; hence, the CUCM cluster within an organization’s data center can be in unsecure mode or mixed mode.
Cisco ASA Phone Proxy and TLS Proxy services are not supported with CUCM version 9.x. Instead, Cisco VPN Phone is recommended for secure remote endpoint connection and traversal at the enterprise-edge firewall. Also, as an alternative to the ASA Phone Proxy feature, Cisco Unified Border Element (CUBE) supports Phone Proxy with B2BUA line-side support for CUCM. Phone Proxy is supported with Cisco IOS version 15.3(3)M1 and later on the Cisco Integrated Services Routers Generation 2 (ISR G2) platform. It allows organizations to have phones on the Internet connected to a CUBE at the edge of the enterprise and securely set up signaling/media with phones in the enterprise premises.