Sunday, May 17, 2009

Cisco Unified Mobility Advantage - ASA Configuration

Installing Cisco ASA is mandatory for Cisco Unified Mobile Client (CUMC) to work with the Cisco Unified Mobility Advantage Server (CUMA). This setup adds an extra layer of security for CUMC communication with CUMA, which is deployed in the enterprise network. The recommended Cisco ASA version is as follows:
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Cisco ASA (Adaptive Security Appliance) can be installed in two configurations for a Cisco Unified Mobility Advantage setup.
  • Cisco ASA Installed as Firewall and as Proxy Server
In this configuration, Cisco ASA is configured to be both a firewall and a proxy server. The enterprise-specific firewall rules are applied; however, to allow the traffic to reach the Cisco Unified Mobility Advantage Server, TCP ports 6532 and 5443 must be opened on the firewall.
  • Cisco ASA Installed as Proxy Server
In this configuration, Cisco ASA is deployed within the DMZ to function as a proxy server. TCP ports 5443 and 6532 need to be opened on the external and internal firewalls to allow the traffic to reach the CUMA server deployed in the lab. The diagram below shows the setup.
[Diagram: Cisco ASA deployed as proxy server in the DMZ]
Before we start configuring the ASA, we need the following information in hand.

OUTSIDE
Subnet 2 -> 64.103.26.0/28 (64.103.26.1 to 64.103.26.14)
Default gateway Subnet 2 -> 64.103.26.10
Outside Netmask -> 255.255.255.240
ASA Outside Interface IP -> 64.103.26.3
CUMA Routable IP -> 64.103.26.2
CUMA Routable hostname -> gwydlg070424.cisco.com

Client SSL Port -> 5443
Client Provisioning download Port -> 6532

INSIDE
Subnet 1 -> 64.103.26.16/28 (64.103.26.17 to 64.103.26.30)
Default gateway Subnet 1 -> 64.103.26.30
Inside Netmask -> 255.255.255.240
ASA Inside Interface IP -> 64.103.26.18
Client Shared IP -> 64.103.26.19

ENTERPRISE NETWORK
CUMA Server IP -> 10.53.44.104
Client SSL Port - lab -> 5443
Client Provisioning download Port - lab -> 6532
The Cisco ASA will perform NAT/PAT translation, which is why we need two interfaces, internal and external. Cisco Unified Mobile Client (CUMC) will connect only to the “CUMA Routable IP” or the “CUMA Routable Hostname”, making the rest of the network transparent. The Cisco ASA will translate the “CUMA Routable IP” to the “CUMA Server IP” in the enterprise/lab network, and security is enhanced by introducing a third-party certificate and TLS. The data is fully encrypted and transported within Secure Sockets Layer (SSL).
1. Enter the following commands to get access to all configuration commands:
enable
(no password)
configure terminal
2. Assign IP addresses to ASA’s inside and outside interfaces:
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
3. Set up the necessary rules to do the translation described above:
nat-control
global (inside) 1 netmask
nat (outside) 1 0.0.0.0 0.0.0.0 outside
static (inside,outside) tcp
static (inside,outside) tcp
4. Create access list for inspection port :
access-list mmp_inspect extended permit tcp any any eq
5. Specify static routes to the default gateways for both the inside and outside interfaces:
route outside 0.0.0.0 0.0.0.0 1
route inside 1
“this sends all traffic destined for to connected to Inside Interface”
6. This step installs the VeriSign certificate on the ASA, which is used for authentication between CUMC (clients on mobile devices) and the CUMA server.
Create a Certificate Signing Request (CSR) on the ASA. The steps are as follows:
  • Generate a key pair for this certificate:
# crypto key generate rsa label modulus 1024
  • Create a trustpoint with the necessary information to generate the certificate request:
# crypto ca trustpoint
# subject-name CN=,OU=,O=,C=<2>,St=,L=
# keypair
# fqdn
# enrollment terminal
  • Get the certificate request that you will need to send to the CA authority to get a signed certificate from them:
# crypto ca enroll
  • Once you get the signed certificate, authenticate the trustpoint as follows:
# crypto ca authenticate
[paste the content of the intermediate certificate you got from the CA authority website]
  • Install the signed certificate:
# crypto ca import certificate
[paste the content of certificate you got from the CA authority]
  • Add the root certificate:
# crypto ca trustpoint
# enrollment terminal
# crypto ca authenticate
[paste the content of the root certificate]
7. Install the CUMA server’s self-signed certificate in the ASA’s trust store. This step is necessary for the ASA to authenticate the CUMA server during the handshake between the ASA proxy and the CUMA server.
In the Cisco Unified Mobility Advantage Admin portal, navigate to “Security Context” -> “Manage Context” -> Download to obtain the certificate file, then import it on the ASA:
# crypto ca trustpoint cuma_server
# enrollment terminal
# crypto ca authenticate cuma_server
[paste the content of the certificate file downloaded from CUMA]
8. Create a TLS proxy instance for the CUMA clients connecting to the CUMA server.
tls-proxy eval_proxy
server trust-point eval-trustpoint
client trust-point eval-trustpoint
no server authenticate-client
client cipher-suite aes128-sha1 aes256-sha1
exit
9. Enable TLS proxy for MMP inspection.
class-map gwydlg030201_proxy
match access-list mmp_inspect
exit
policy-map global_policy
class gwydlg030201_proxy
inspect mmp tls-proxy eval_proxy
exit
service-policy global_policy global
10. Save the configuration
write mem
11. Reboot ASA for the configuration changes to properly take effect:
reload
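Once the ASA is back up, it is worth checking from the outside that the proxy actually presents the VeriSign-signed certificate for the routable hostname and only negotiates the two cipher suites configured in step 8. The script below is an added example, not part of the original post or a Cisco tool: the hostname, port and cipher names come from the post, while the CA bundle file name (root plus intermediate from step 6) is an assumption.

```python
"""Post-deployment check of the CUMA TLS proxy published through the ASA."""
import socket
import ssl

CUMA_FQDN = "gwydlg070424.cisco.com"   # CUMA routable hostname from the post
CUMA_PORT = 5443                        # client SSL port from the post
CA_BUNDLE = "verisign-chain.pem"        # assumed file: root + intermediate certs

# ASA names from "client cipher-suite aes128-sha1 aes256-sha1", mapped to
# the names OpenSSL reports through SSLSocket.cipher().
ASA_TO_OPENSSL = {"aes128-sha1": "AES128-SHA", "aes256-sha1": "AES256-SHA"}
ALLOWED_CIPHERS = set(ASA_TO_OPENSSL.values())


def cipher_allowed(negotiated):
    """True if the negotiated OpenSSL cipher name is one the tls-proxy permits."""
    return negotiated in ALLOWED_CIPHERS


def cert_matches_fqdn(cert, fqdn):
    """Check a getpeercert() dict: SAN dNSName entries first, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return fqdn.lower() in (s.lower() for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return fqdn.lower() in (c.lower() for c in cns)


def check_proxy(host=CUMA_FQDN, port=CUMA_PORT, ca_bundle=CA_BUNDLE):
    """Open one TLS connection to the proxy and report what it presented."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # chain validated here
    ctx.check_hostname = False                           # reported separately below
    ctx.set_ciphers("AES128-SHA:AES256-SHA")             # offer only what the ASA allows
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, protocol, _ = tls.cipher()
    return {
        "chain_valid": True,            # wrap_socket raises SSLError otherwise
        "hostname_ok": cert_matches_fqdn(cert, host),
        "cipher_ok": cipher_allowed(cipher_name),
        "cipher": cipher_name,
        "protocol": protocol,
    }


if __name__ == "__main__":
    for key, value in check_proxy().items():
        print(f"{key}: {value}")
```

A handshake failure in wrap_socket means the chain installed in step 6 is incomplete or the intermediate was not authenticated; a false hostname_ok means the fqdn in the trustpoint does not match the routable hostname clients use.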
Some Commands for quick reference
show run (this will display the current cisco ASA configuration)
show crypto ca trustpoints (this will display the trustpoint name and its configuration)
show crypto ca certificates (this will display the certificates configured and the associated trustpoints)
Enable logs:
# logging timestamp
# logging list loglist message 711001
# logging list loglist message 725001-725014
# logging list loglist message 717001-717038
# logging buffer-size 1000000
# logging buffered loglist
# logging debug-trace
Show logs
# sh logg
Clear logs
# clear logging buffer
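The logging list above restricts the buffer to three ASA syslog ID ranges (711001 debug trace, 725001-725014 SSL/TLS handshake, 717001-717038 PKI/certificate). As an added example that is not part of the original post, the script below buckets buffered log lines into those ranges and pulls out handshake or certificate failures for triage; the sample lines are constructed for illustration, and only the %ASA-<level>-<id>: prefix format is relied upon.

```python
"""Triage ASA syslog lines against the ID ranges enabled by "logging list loglist"."""
import re
from collections import Counter

# Ranges taken from the post's "logging list loglist message ..." commands.
LOGLIST = {
    "debug-trace (711001)": (711001, 711001),
    "ssl/tls handshake (725xxx)": (725001, 725014),
    "pki/certificate (717xxx)": (717001, 717038),
}
SYSLOG_RE = re.compile(r"%ASA-(?P<level>[0-7])-(?P<id>\d{6}): (?P<msg>.*)")


def classify(line):
    """Return (category, level, id, msg) for in-scope lines, None otherwise."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    for category, (lo, hi) in LOGLIST.items():
        if lo <= msg_id <= hi:
            return category, int(m.group("level")), msg_id, m.group("msg")
    return None


def summarize(lines):
    """Count in-scope messages per category; collect failures (severity <= 4 or 'fail')."""
    counts, failures = Counter(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, level, msg_id, msg = hit
        counts[category] += 1
        if level <= 4 or "fail" in msg.lower():
            failures.append((msg_id, msg))
    return counts, failures


SAMPLE_LINES = [  # constructed sample lines, not real captures
    "May 17 2009 10:01:02 asa %ASA-6-725001: Starting SSL handshake with client outside:64.103.26.40/51234",
    "May 17 2009 10:01:03 asa %ASA-6-725002: Device completed SSL handshake with client outside:64.103.26.40/51234",
    "May 17 2009 10:02:10 asa %ASA-3-717009: Certificate validation failed. Reason: chain not trusted",
    "May 17 2009 10:02:11 asa %ASA-6-725006: Device failed SSL handshake with server inside:10.53.44.104/5443",
    "May 17 2009 10:02:12 asa %ASA-6-302013: Built inbound TCP connection 1 for outside:64.103.26.40/51235",
]

if __name__ == "__main__":
    totals, problems = summarize(SAMPLE_LINES)
    print(dict(totals))
    for msg_id, msg in problems:
        print(f"FAIL {msg_id}: {msg}")
```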

(www.ucunleashed.com)
