My environment: UCM 8.0.3, ASA Software 8.2.3
VPN phone is one of the alternatives to extend the UC capabilities to remote workers. I have both 79xx and 99xx phones in my lab, however even though I upgrade the 99xx firmware to 9.1(1)SR1, the VPN feature isn’t working and seems 99xx will only work with UCM 8.5. The 79xx phones work fine.
Configuring ASA SSL VPN with self-sign CA
1. Generate RSA key for certificate
crypto key generate rsa label sslvpnkeypair
2. Create trustpoint for self-signed cert
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.panda.com
subject-name CN=sslvpn.panda.com
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside
3. Download Cisco_Manufacturing_CA.pem and CAPF.pem from UCM Certification Management. Import it to ASA via the following command:
crypto ca trustpoint CiscoMfgCert
enrollment terminal
crl configure
crypto ca trustpoint CAPF
enrollment terminal
crl configure
crypto ca authentication CiscoMfgCert
! Enter the text content in the Cisco_Manufaturing_CA.pem cert
crypto ca authentication CAPF
! Enter the text content in the CAPF cert
4. Copy AnyConnect image to flash, then specify the image location
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
5. Enable AnyConnect Access
webvpn
enable outsidesvc enable
6. Create Group Policy
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 1.1.1.1
vpn-tunnel-protocol svc
default-domain value panda.com
address-pools value SSLClientPool
6. Configure ACL bypass
sysopt connection permit-vpn
7. Create a connection profile and tunnel group for client connections
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
webvpn
tunnel-group-list enable
8. Configure NAT Exemption, say for example 192.168.50.5 is the UCM that you want the client in the pool 192.168.25.0 can access.
access-list no_nat extended permit ip host 192.168.50.5 192.168.25.0 255.255.255.0
nat (inside) 0 access-list no_nat
9. Adding remote access users
username vpnphone password pandavpn
username vpnphone attributes
service-type remote-access
10. Encryption algorithm
ssl encryption aes128-sha1
ssl trust-point localtrust outside
More detail information about the ASA configuration, check out
here.
VPN Phone Configuration
1. From ASA, export the self sign CA cert
crypto ca export localtrust identity-certificate
Copy and paste the text and name the file with extension
.pem
2. Create a Group URL. This is needed in the later steps of VPN phone configuration on UCM.
tunnel-group sslgroup webvpn-attributes
group-url https://1.2.3.4/vpnphone
3. Upload CA cert to UCM. From UCM OS admin page, choose
Security > Certificate Management. Click
Upload Certificate, and choose
Phone-VPN-trust from the certificate name dropdown box. Upload the certificate you’ve exported from ASA.
4. UCM Admin page >
Advanced Features > VPN > VPN Gateway, enter the VPN Group URL. Move the certificate from the truststore to your location.
5.
Advanced Features > VPN > VPN Group, choose the VPN Gateway you’ve created in step 4.
6.
Advanced Features > VPN > VPN Profile, choose the preferred authentication method.
7.
Device > Device Settings > Common Phone Profile. Create a new phone profile and assign VPN Group and VPN profile to the phone profile
8. Apply the
Common Phone Profile to the phone you want to allow remote VPN access.
9. For 79xx phone, go to
Security Configuration > VPN Configuration > Enabled.
10. You will be prompt for username and password. You can now bring the phone home and test it!