Phone Proxy to SSL VPN Phone Migration

We are working with a client who is moving from UCM 7.x to 9.x and has a phone proxy in place today. With phone proxy no longer supported in 9.x, they are forced to move to SSL VPN for IP phones. The design doc indicates that phones need to be brought up on the internal network first to download configs, certificates, etc. before going out into the field.

Yes, there is no known workaround to configure remote users' phones WITHOUT bringing them inside the network. For multinationals, this could prove to be a HUGE headache.

jyoungta replied to another thread with this:

"If you can get a copy of the new phone config file and put it on a TFTP server which is accessible via the internet, then you can just point the phone to that TFTP server (alternate TFTP server option). It's going to go and grab the new config file."

It sounds good (Thanks Jay) but it looks easy... too easy. Is there a documented procedure that we can follow?

(Forgive my lack of specific technical knowledge, I'm in management)

-Sam

Hello Sam:

I was able to convert a proxy phone to AnyConnect VPN with a single deployment of a standard certificate.  The phone had something to do with the CallManager via TFTP outside the network as part of the phone proxy configuration.

I configured the AnyConnect VPN phone settings on the ASA.

Pushed the ASA SSL certificate to the CallManager

Configured the CallManager with the appropriate VPN phone settings.

Apply the common phone settings on the phone and reset the phone.

- Up to this point, you just follow the guide.  https://supportforums.Cisco.com/docs/doc-21469

In the network settings on the phone, I changed the alternate TFTP from the public IP address (necessary for phone proxy) to the private IP (required for AnyConnect VPN).

Delete the CTL under settings - configuring security - trusted list

Reset the phone

- At this point, I saw the phone reboot and connect to the VPN, and I could check the operation of the VPN on the phone and make a few prank calls.


Similar Questions

  • IP NAT on the router on SSL - VPN appliance

    Has anyone managed to forward 443/SSL to an SSL VPN appliance on a Cisco 891-K9?

    (I have never encountered this situation before, as either the router terminated the VPN directly on its public face or we had several public IPs and could assign the VPN device a public IP address directly.)

    'ip nat inside source static tcp 44.55.66.255 443 10.10.10.150 443 extensible' is supposed to pass the SSL request to the SSL VPN appliance at 10.10.10.150 to have VPN sessions terminated there.

    But it failed miserably: the 891-K9 created a virtual ARP entry for 10.10.10.150. So two MACs with the same IP address.

    So 443 requests were sent to its own interface. With the NAT statement in place, I can't ssh to the inside SSL VPN, but once the statement is removed, I can ssh and the duplicate ARP warning goes away.

    *Nov 1 19:22:46.871: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
    *Nov 1 19:23:18.083: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
    *Nov 1 19:23:48.295: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
    RTR#sh clock
    *19:24:26.487 UTC Sun Nov 1 2015
    RTR#sh ip arp 10.10.10.150
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.10.10.150            -   e02f.6d96.8dd0  ARPA   Vlan10
    RTR#sh ip arp 10.10.10.150
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.10.10.150            -   e02f.6d96.8dd0  ARPA   Vlan10
    RTR#sh sh ip route 10.10.10.150

    Cisco TAC is reproducing this problem at the moment to report it to dev.

    Does anyone else have this problem or a workaround?

    Thank you.

    I may be misunderstanding, but isn't your NAT statement backwards, i.e. if you want traffic to pass to 10.10.10.150, shouldn't it be -

    'ip nat inside source static tcp 10.10.10.150 443 44.55.66.25x 443'

    Isn't the SSL VPN device connected on the 'ip nat inside' interface?

    Jon

  • Unable to connect to the site Web SSL VPN with firewall zone configured

    I recently upgraded my company's 2911 and set up a zone-based firewall.  This is my first experience with this, and I used Cisco Configuration Professional to build the firewall configuration first and then edited the names to make it human-readable.  The only problem I can't solve is reaching the SSL VPN website from outside.  I can browse to the website and connect without a problem from the inside, and even if it was useful to verify that the routing and the site work properly it is really not what I.  I don't get anything in the syslog for drops because of the firewall, or for any other reason, but packet captures show that no response is received when you try to browse to the website from outside.  I am currently using an IPsec VPN client solution until I can get this to work and have no problem with it.  I have attached a sanitized configuration with the relevant lines included (deleted ~400 lines including logging, many inspections of zone-to-zone traffic, and the IPsec VPN, which I already mentioned).  I searched for anything about this problem, and no one seems to have a problem connecting to their website, just getting other features to work correctly.  All thoughts are welcome.

    See the security box

    area to area

    Members of Interfaces:

    GigabitEthernet0/0.15

    GigabitEthernet0/0.30

    GigabitEthernet0/0.35

    GigabitEthernet0/0.45

    area outside zone

    Members of Interfaces:

    GigabitEthernet0/1

    sslvpn area area

    Members of Interfaces:

    Virtual-Template1

    SSLVPN-VIF0

    I tried changing the zone membership of the Virtual-Template1 interface to the outside zone; nothing helps.

    See the pair area security

    Name of the pair area SSLVPN - AUX-in

    Source-Zone sslvpn-area-zone of Destination in the area

    Service-SSLVPN-AUX-IN-POLICY

    Name of the pair area IN SSLVPN

    Source-Zone in the Destination zone sslvpn-zone

    service-policy IN SSLVPN-POLICY

    Name of the pair area SELF SSLVPN

    Source-Zone sslvpn-area free-zone Destination schedule

    Service-SELF-to-SSLVPN-POLICY

    Zone-pair name IN-> AUTO

    Source-Zone in the Destination zone auto

    Service-IN-to-SELF-POLICY policy

    Name of the pair IN-> IN box

    In the Destination area source-Zone in the area

    service-policy IN IN-POLICY

    Zone-pair name SELF-> OUT

    Source-Zone auto zone of Destination outside the area

    Service-SELF-AUX-OUT-POLICY

    Name of the pair OUT zone-> AUTO

    Source-Zone out-area Destination-area auto

    Service-OUT-to-SELF-POLICY

    Zone-pair name IN-> OUT

    Source-Zone in the Destination area outside zone

    service-strategy ALLOW-ALL

    The pair OUT zone name-> IN

    Source-out-zone-time zone time Zone of Destination in the area

    Service-OUT-to-IN-POLICY

    Name of the pair area SSLVPN-to-SELF

    Source-Zone-Zone of sslvpn-area auto

    Service-SSLVPN-FOR-SELF-POLICY

    I also tried adding a zone pair from the outside zone to the sslvpn-zone passing all traffic, and it doesn't change anything.

    The area of networks

    G0/0.15

    172.16.0.1/26

    G0/0.30

    172.16.0.65/26

    G0/0.35

    172.16.0.129/25

    G0/0.45

    172.18.0.1/28

    Pool of SSL VPN

    172.20.0.1 - 172.20.0.14

    Latest Version of IOS:

    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

    Glad it works now. Weird issue, no doubt.

    I guess the deployment guide says that the firewall will not support inspection of TCP to the self zone; however, nested class maps are used to accomplish this. To be completely honest, I think it's a mess, and the best thing to do is to use the pass action to the self zone for the protocols that you want and then drop the rest.

    Let us know if you have any other problems.

    Mike

  • SSL vpn through the same internet connection to another site

    Hi, I have a network with a Juniper SSL box that connects to the DMZ port of an ASA 5510, where the outside of the ASA is the same as the outside of the SSL VPN box.

    I have no issues accessing the internal network at all.

    Now, I need the Juniper SSL VPN box's remote users, and internal users, to connect to my remote sites, taking the client connection through an internet router (Cisco, through site-to-site IPsec VPN) back out to the remote site.

    Is it possible? My hunch is yes, "can be done."

    Currently, I'm getting nowhere; I get no hits on the ASA DMZ ACL if I try to access the remote site resources from the SSL VPN client.

    Diagram attached

    Any help would be appreciated

    Shouldn't be a problem.

    On the Juniper SSL box, you must check whether routes have been added for the remote IPsec LAN pointing to the ASA DMZ IP address, instead of pointing to the internet through the Juniper SSL box.

    You need to configure NAT exemption on the ASA box between the SSL pool subnet and the remote IPsec LAN. You must also include the SSL subnet to remote LAN subnets in the crypto ACL, and the mirror-image ACL in the remote site's crypto ACL.

    Hope that helps.

  • Not getting the SSL VPN login prompt

    Hi all

    This is the configuration for SSL VPN on our ASA 5510. With the configuration below, we are unable to get the login prompt. Could you please check and suggest what to do to make the SSL VPN work?

    Configuration

    ===========

    WebVPN
    allow outside
    back to url-list Test webvpn
    import webvpn url-list SSL_Bookmarks disk0: / tmpAsdmImportFile1646955469
    delete /noconfirm disk0: / tmpAsdmImportFile1646955469
    internal SSL_users group strategy
    attributes of Group Policy SSL_users
    VPN-tunnel-Protocol webvpn
    WebVPN
    the value of the URL - list SSL_Bookmarks
    type tunnel-group SSL_VPN remote access
    attributes global-tunnel-group SSL_VPN
    Group Policy - by default-SSL_users
    Group-RADIUS authentication server
    attributes of Group Policy SSL_users
    VPN-tunnel-Protocol svc webvpn
    tunnel-group SSL_VPN webvpn-attributes
    enable AnyConnect group-alias
    WebVPN
    tunnel-group-list activate

    ============================

    Version

    ======

    ASA-5510-1 # sh ver

    Cisco Adaptive Security Appliance Version 8.2 software (1)
    Version 6.2 Device Manager (1)

    Updated Wednesday, 5 May 09 22:45 by manufacturers
    System image file is "disk0: / asa821 - k8.bin.
    The configuration file to the startup was "startup-config '.

    ASA-5510-1 up to 57 days 9 hours

    Material: ASA5510, 256 MB of RAM, processor Pentium 4 Celeron 1600 MHz
    Internal ATA Compact Flash, 256 MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

    Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)
    Start firmware: CN1000-MC-BOOT - 2.00
    SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03
    Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.04
    0: Ext: Ethernet0/0: the address is 0027.0d38.034e, irq 9
    1: Ext: Ethernet0/1: the address is 0027.0d38.034f, irq 9
    2: Ext: Ethernet0/2: the address is 0027.0d38.0350, irq 9
    3: Ext: Ethernet0/3: the address is 0027.0d38.0351, irq 9
    4: Ext: Management0/0: the address is 0027.0d38.0352, irq 11
    5: Int: internal-Data0/0: the address is 0000.0001.0002, irq 11
    6: Int: internal-Control0/0: the address is 0000.0001.0001, irq 5

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 100
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: disabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    The VPN peers total: 250
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect for Linksys phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5510 Security Plus license.

    Serial number: JMX1350L04D
    Activation key running: 0xef04c544 0xf4999c16 0xf4c19950 0x85684c50 0x442c3292
    Registry configuration is 0x1
    Modified configuration of enable_15 to 06:55:11.349 UAE Thursday, November 18, 2010
    ASA-5510-1 #.

    ===================

    Thanks in advance

    You can get the activation key for 3des from the license page (it's free):

    https://Tools.Cisco.com/swift/licensing/PrivateRegistrationServlet?DemoKeys=Y

    (Click on Cisco ASA 3DES/AES license)

    It can work with just DES; however, your browser might not support DES. The browser asks political there and see if ASA has set up, but I know that a lot of the newer browsers will not load it any more, but feel free to try.

  • URL via SSL VPn access

    Dear members

    Please see the diagram for an easy understanding of the issue.

    I am facing a problem with the SSL VPN configured on ASA 5520. Here's the simple network topology.

    The customer has an ERP server on the inside segment, which is running Apache / Tomcat 5.5 and listening on port 8204. The complete URL to access the installed application is

    http://192.168.2.1:8204/system/servlet/login

    The ASA connects to a perimeter router and has remote access VPN configured. Cisco VPN client users can access this URL easily when they connect via VPN; also, if I create a static translation for this IP 192.168.2.1, the full URL is accessible from the outside. The problem is with SSL VPN: when I enter the URL, nothing appears and the session expires. However, if I just enter http://192.168.2.1:8204 , the Apache/Tomcat page opens, which means that through SSL VPN I can reach the web server running on 192.168.2.1, but this particular URL is not accessible.

    Here Apache on the ERP server is listening on a nonstandard port, which could be the reason. Do I need to create port forwarding or a "smart tunnel"?

    I already tried port forwarding, but that has not solved the problem.

    All entries from your side will be highly appreciated.

    Thank you

    Ahad

    Hi Ahad,

    When you access the server ( http://192.168.2.1:8204/system/servlet/login ) from the inside, does the URL in the browser address bar remain the same? Or does it redirect?

    Is there a Java applet on the login page?

    Now, there are several things to try:

    - Do a "view page source" on the working (internal or via IPsec VPN) login page and again on the failing (via WebVPN) page and compare - does that raise any suspicion?

    - You can install software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a Cisco product, nor approved by Cisco) to see exactly what is happening inside the SSL tunnel (i.e. it will show you the HTTP request from the browser to the server and the response). Again, you can do this for both a working and a failing case to compare.

    - As a possible solution: create an HTTP bookmark on the portal for this URL and select "smart tunnel" for it.

    HTH

    Herbert

  • ASR1K and SSL VPN

    I'm having trouble finding information on SSL VPN for ASR1K, when we bought the boxes told us that SSL VPN was on the roadmap of the software, but that was back in 2010 and now I can not find anything nor can I get the right information.

    Does anyone have a recommendation on what to do or who to ask?

    Please contact your Cisco account manager, as he or she would be able to provide additional information.

    There is normally a long list of features to add to the product, and SSL VPN is one of them who was asked to appear on the ASR. However, depending on the needs, it might be on the top of the list of the road map, or to the bottom of the list. Your Cisco AM should be able to get information from the product team.

  • Certificate SSL VPN

    Hi all

    I have configured the SSL VPN client and the clientless SSL VPN, but I am not able to connect with the Cisco VPN client software or with the browser, because of a certificate problem. Can you please tell me how to create the SSL VPN certificate?

    Thanks and greetings

    Rajesh Gowda

    Sign up for a certificate from a public certification authority and use the FQDN to connect to the VPN. Then these warnings should not appear.

  • Cisco ASA AnyConnect SSL VPN - certificates + token?

    Hello

    I'm looking for an answer as to whether such a configuration is possible:

    The Cisco AnyConnect SSL VPN service with two factors - the first method is a certificate from the local Microsoft CA and the second method is a Symantec VIP token password?

    I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with RADIUS, but with certificates I do not really understand who will check the validity of the certificate, which certificate we will send to the RADIUS server for validation, and what the configuration will look like from the ASA point of view.

    Thank you very much for the help!

    Hi Alex,

    I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the ASA; see an example below:

    https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

    Token authentication can be specified as primary/secondary (SDI authentication) on the ASA; an example is below:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

    This may be useful

    -Randy-

  • How's IOS for SSL VPN

    Dear all,

    I have an ASA 5510 with Version 8. I want to know the IOS for SSL VPN, but I don't know which...

    Please help me and show me...

    HQ-ASA5510# sh fla

    --#--  --length--  -----date/time------  path
    177  14137344  January 1, 2003 00:06:12    asa804-k8.bin
    75   4096      November 21, 2008 12:17:46  log
    79   4096      November 21, 2008 12:18     crypto_archive
    178  7562988   November 21, 2008 12:19:30  Amps - 613.bin
    180  4863904   November 21, 2008 12:21:10  securedesktop_asa_3_3_0_129.pkg.zip
    181  4096      November 21, 2008 12:21:10  sdesktop
    188  1462      November 21, 2008 12:21:10  sdesktop/data.xml
    182  2153936   November 21, 2008 12:21:10  anyconnect-win-2.2.0133-k9.pkg
    183  3446540   November 21, 2008 12:21:12  anyconnect-macosx-powerpc-2.2.0133-k9.pkg
    184  3412549   November 21, 2008 12:21:16  anyconnect-macosx-i386-2.2.0133-k9.pkg
    185  3756345   November 21, 2008 12:21:16  anyconnect-linux-2.2.0133-k9.pkg

    For Version 7, it says SSL VPN.

    Please help me with which line is the SSL VPN.

    Best regards

    Rechard

    Richard, you already have the code that supports SSL WebVPN on your ASA.

    See the SSL VPN / WebVPN section lower down the page for more detailed examples, which provide all the necessary information for any additional/optional plug-ins needed.

    http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html

    Details of the sample SSL VPN configuration and types... but all SSL.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00806ea271.shtml

    What you have in your ASA directory is the AnyConnect client, which is also SSL-driven but is a bit different from plain SSL WebVPN. I suggest you go through the configuration examples link, which can provide information on the various SSL VPN implementations.

    Regards

  • WebVPN and remote vpn, ssl vpn anyconnect

    Hi all

    What are the differences between WebVPN, remote VPN, and AnyConnect SSL VPN?
    Do they all require a separate license?

    Thank you

    Hello

    The difference between WebVPN and the SSL VPN Client is that WebVPN uses SSL/TLS and port forwarding through a Java application to support applications. It also only supports TCP for unicast traffic, no IP address is assigned to the client, and web browsing in the tunnel is done with an SSL web-mangle that allows us to stuff things into the SSL session.

    The SSL VPN (AnyConnect) Client is a full-tunneling client using SSL/TCP, which installs an application on the computer and wraps VPN traffic in the SSL session, and thus also has an assigned IP address; the tunnel is two-way, not one-way. It allows application support over the tunnel without having to configure a port forward for each application.

    AnyConnect is a new-generation client, which has replaced the old VPN client and can be used for IPsec as well as SSL VPN.

    For anyconnect licenses please see the link below:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

    Kind regards

    Kanwal

  • VPN SSL - VPN 3000

    Dear all,

    What is the status of SSL VPN on the VPN 3000? I heard that it will be released around October 2003. I observe that Neoteris is the leading product in this field of SSL VPN.

    Best regards

    It is currently in very early beta with only a few customers testing. Beta 2 should start in 2-3 weeks with additional customers, although I think it's too late to register for this, but check with your systems engineer / AM and they may be able to help with this.

  • Cisco IOS SSL VPN on mobile

    Hello

    I want to know whether I can use Cisco IOS SSL VPN with the mobile AnyConnect client. If yes, what are the prerequisites, and is any kind of additional license required?

    Thank you

    In the following article:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-VPN-client...

    Q. Is it possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router?

    A. No, it is not possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that is running version 3,0000.1 or a later version. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the section on security devices and software support in the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

    --

    Please do not forget to rate and choose a good answer

  • What is a VPN solution that is more stable than IPSEC VPN? What is the latest version of VPN client recommended for Windows 7 & 8 users?

    Hello

    I would like to ask a few details & concerns on our existing VPN configuration.

    1. What is the recommended Cisco VPN client for users of Windows 7 and 8? Is there official Cisco documentation for this? We currently use Cisco VPN client 5.0.7.

    2. We are running IPsec VPN with only 1 gateway & only local authentication (no ACS) for our client. Recently, we have had some concerns from them that the VPN connection goes down, whereas if I'm the one connected to the VPN, my connection is stable. Is there anything that we must look at in the network? Is there a better configuration or solution, such as SSL VPN, that we could recommend to the customer?

    3. If we want to use AnyConnect Secure Mobility SSL VPN & we want to implement redundancy on the FW, how will the licensing work?

    Thank you!

    An AnyConnect-based VPN is the replacement recommended for remote IPsec VPN access. (source)

    AnyConnect can use SSL or IPsec (IKEv2) for transport.

    For redundant ASA firewalls (running 8.3(1) or later), any required AnyConnect licenses are shared between them, i.e. you just buy licenses for one member of the HA pair. (source)

  • AnyConnect SSL VPN Split tunneling problem

    Hello

    We have home users that VPN in on a regular basis, but when they VPN in they cannot print locally or connect to local resources.  Is there a way to enable split tunneling for all remote VPN users?  It is not possible to add all the remote subnets, especially since I don't know which subnets are used and it would be a management issue.  I noticed that when I connect from home a new route is added to my PC, which prefers the VPN link.

    I noticed one of the options with the AnyConnect client is 'Enable local LAN access (if configured)'.  Can I use that?

    Thanks in advance.

    Hello

    According to my understanding, you need to connect to your local printers while you are connected to the ASA via SSL VPN.

    You can do this by creating a split-tunnel exclusion policy on the ASA and enabling the local LAN access option on the client, or you can use the AnyConnect profile to allow local LAN access.

    Please find the link below:

    https://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg

    I hope it helps.

    Thank you

    Shilpa
