Cisco ASA 5505 Configuration Manual page 960

Prerequisites for the Phone Proxy
When used with CIPC, the phone proxy does not support end-users resetting their device name in CIPC
Note
(Preferences > Network tab > Use this Device Name field) or Administrators resetting the device name
in Cisco Unified CM Administration console (Device menu > Phone Configuration > Device Name
field). To function with the phone proxy, the CIPC configuration file must be in the format:
SEP<mac_address>.cnf.xml. If the device name does not follow this format (SEP<mac_address>), CIPC
cannot retrieve its configuration file from Cisco UMC via the phone proxy and CIPC will not function.
Prerequisites for Rate Limiting TFTP Requests
In a remote access scenario, we recommend that you configure rate limiting of TFTP requests because
any IP phone connecting through the Internet is allowed to send TFTP requests to the TFTP server.
To configure rate limiting of TFTP requests, configure the police command in the Modular Policy
Framework. See the Cisco ASA 5500 Series Command Reference for information about using the police
command.
Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you
configure, thus ensuring that no one traffic flow can take over the entire resource. When traffic exceeds
the maximum rate, the adaptive security appliance drops the excess traffic. Policing also sets the largest
single burst of traffic allowed.
Rate Limiting Configuration Example
The following example describes how you configure rate limiting for TFTP requests by using the police
command and the Modular Policy Framework.
Begin by determining the conformance rate that is required for the phone proxy. To determine the
conformance rate, use the following formula:
X * Y * 8
Therefore, if a rate of 300 TFTP requests/second is required, then the conformance rate would be
calculated as follows:
300 requests/second * 80 bytes * 8 = 192000
To control which hosts can ping the media termination address, create an ICMP rule. Go to Configuration
> Device Management > Management Access > ICMP and click the Add button.
End-User Phone Provisioning
The phone proxy is a transparent proxy with respect to the TFTP and signaling transactions. If NAT is
not configured for the Cisco UCM TFTP server, then the IP phones need to be configured with the Cisco
UCM cluster TFTP server address.
If NAT is configured for the Cisco UCM TFTP server, then the Cisco UCM TFTP server global address
is configured as the TFTP server address on the IP phones.
Cisco ASA 5500 Series Configuration Guide using ASDM
43-10
Where
X = requests per second
Y = size of each packet, which includes the L2, L3, and L4 plus the payload
Chapter 43 Configuring the Cisco Phone Proxy
OL-20339-01