Solved

Cisco IP Phone Using AnyConnect VPN Client on ASA

Posted on 2011-02-27
Last Modified: 2012-05-11
Hello
I wonder if somebody was successful in configuring the AnyConnect VPN Client on a Cisco ASA in order to facilitate connections from remote Cisco IP Phones to a Call Manager cluster. The solution is so poorly explained on the Cisco website. I spent a few days already trying to make it work but I'm not getting anywhere. Even the CallManager configuration is not clear either. Thanks for help.
Pchopin
Question by:pchopin
8 Comments
 
LVL 1

Assisted Solution

by:orbistechnology
orbistechnology earned 500 total points
ID: 34993772
What model Cisco phone are you using?  

AnyConnect is an SSL-based VPN. Using self-signed certificates often causes us problems. We always use a certificate from a CA and install it on the ASA.

We have AnyConnect set up per instructions from Cisco and have no issues with current model Cisco phones, using a well-known CA certificate on the ASA.
0
 

Author Comment

by:pchopin
ID: 34993851
I'm using Cisco IP Phones 7965 with firmware v9 and Call Manager v8. I'm kind of new to VoIP so I'm struggling a bit. Would you know where I can find a working configuration for the ASA using a CA? I've been trying to use a self-signed certificate till now.
Thank you for help
Pchopin
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 1500 total points
ID: 34997442
I've set this up for 2 clients. As orbs said, you will need a CA Cert for the ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml

Once the ASA is loaded, you will need to export the .pem for both the CA authority and the ASA cert. These 2 pem files are uploaded to the call manager as Trusted-Phone-Cert in CM Serviceability.

On the ASA, you create a new VPN profile for the phones. Configure ip pool and auth. The important part is setting a Group URL in the Profile's Clientless SSL section. This URL will be used in call manager config.

On the call manager side, you create a new Phone Profile. Make sure the certs are loaded in CM. Create a VPN gateway. In here you add the group URL from the ASA, and also pick the 2 trusted phone certs you uploaded earlier. Next you create a new VPN group and create a common device profile. In the device profile, make sure to fill in the VPN Group and VPN profile you created earlier.

Assign a phone to that new profile.

On the phone, clear the ITL entry and reset. The phone should get the ITL and CTL. Take it outside the LAN and enable VPN. It should prompt for ID/PW and establish a connection.
0
LVL 33

Accepted Solution

by:
MikeKane earned 1500 total points
ID: 34997451
Here's more info:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmevpn.html

Also, you will need the VPN phone lic. on the ASA for this to work.  
0
 

Author Comment

by:pchopin
ID: 35002197
Thanks MikeKane. This is very helpful. But I just wonder why I would need a 3rd-party certificate? Why can't I use a self-signed certificate from the ASA? This is not clear to me.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 1500 total points
ID: 35007892
The Intermediary cert must be installed and trusted by the CUCM if it isn't already. I'm sure that using a self-signed cert can be done, but I have never done one that way so I can't give any practical advice/direction. However, like any cert, the CM must trust the issuer of the ASA cert and have a PEM file to load up as a trust-vpn-phone cert in Serviceability on the CM.

0
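The trust requirement discussed in the answers above (the PEM files exported from the ASA must contain only certificates, and the ASA certificate must chain to the issuer that Call Manager is given) can be checked on an admin workstation before uploading. This is an added example, not part of the original thread or Cisco's procedure; it assumes `openssl` 1.1.0 or later is installed, and the file names and the constructed test PKI are placeholders.

```bash
#!/usr/bin/env bash
# Pre-upload check for the two PEM files that CUCM will trust for phone VPN.
# Usage: script.sh <ca.pem> <asa.pem>   (no arguments: constructed demo)

check_phone_vpn_certs() {
  local ca="$1" asa="$2" f
  for f in "$ca" "$asa"; do
    # Only certificates go into a trust store; an export that also carries
    # the private key must not be uploaded anywhere.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
      echo "REFUSE: $f contains a private key" >&2; return 2
    fi
    openssl x509 -in "$f" -noout 2>/dev/null \
      || { echo "REFUSE: $f is not a PEM certificate" >&2; return 2; }
  done
  # The ASA certificate must chain to the issuer being uploaded. -no-CApath
  # keeps the workstation's own trust store out of the decision. For a
  # self-signed ASA certificate, pass the same file as both arguments.
  if openssl verify -no-CApath -CAfile "$ca" "$asa" 2>/dev/null | grep -q ': OK$'; then
    echo "OK: $(openssl x509 -in "$asa" -noout -subject -enddate | tr '\n' ' ')"
  else
    echo "FAIL: $asa does not chain to $ca" >&2; return 1
  fi
}

# Constructed sample PKI for an offline trial (not real ASA or CUCM data).
make_constructed_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$d/asa.key" -out "$d/asa.csr" 2>/dev/null
  openssl x509 -req -in "$d/asa.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/asa.pem" 2>/dev/null
  # Self-signed certificate from an unrelated key: the uploaded CA never issued it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=vpn.example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
  check_phone_vpn_certs "$1" "$2"
else
  d=$(mktemp -d); make_constructed_pki "$d"
  check_phone_vpn_certs "$d/ca.pem" "$d/asa.pem"
  check_phone_vpn_certs "$d/ca.pem" "$d/self.pem" || true
  rm -rf "$d"
fi
```

A return code of 2 means a file should not be uploaded at all; 1 means the pair parses but the ASA certificate was not issued by the CA file supplied.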
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37049239
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
