Archive for October, 2008

Adventures in PhoneProxy Land

With the release of 8.0.4 the ASAs now support a PhoneProxy functionality.  It seems that this news spread unusually fast within the management circles as more and more customers seem to be asking about the technology.  Last week I had a chance to sit down and get it working on a 5510 and figured I would send out a link that made it possible.  Of course Cisco has a technically accurate guide on their CCO site but like normal it lacks many useful explanations.  After poking around for a bit I found a wonderful guide on the Cisco Wiki.

http://supportwiki.cisco.com/ViewWiki/index.php/ASA_Phone_Proxy_sample_configuration

I found this very helpful in not just configuring but understanding exactly which of the configuration snippets discussed will be needed.  After following this guide I was able to get them up and running on the phone proxy in short order.  The only issue I ran into is for some reason when I pasted in the Manufacturer certificate it lost a few lines of it so I had to re-paste it.  Once I fixed that everything worked like a champ.

Now, I wish I could say all my experiences have been like this.  The customer I got this working at has a very simple configuration on their 5510 and network in general.  I have since tried to set this up on three other ASAs and it seems to not have gone in quite so easily.  The problem seems to revolve around TFTPing during registration and timing out.  In all three cases everything goes great, phones upgrade, you see them in the PhoneProxy commands, but once it tries to register the configuration transfers, says complete and then all of a sudden it says “Received Packet # expected 1” and promptly dies.  Unfortunately I am still waiting for some help from TAC to fix these so if you have any suggestions let me know!


CSA 6.0 – Virus Protection

I ran across a customer today that asked how exactly their CSA 6.0 was protecting them from Viruses.  I wasn’t able to find a pre-canned response for them so I put together a quick overview I thought I would share.

CSA deploys two detection methods for anti-virus protection.  You can run either one or both at the same time.  The first detection method is what most people are used to: a signature-based solution.  This solution uses the Clam AV engine and signatures.  The second is behavior analysis.  This simply looks at the behavior of the file and determines whether it thinks it is a virus or not.

When a file is flagged via either of these detection methods the file gets “tagged” as a virus and is quarantined in place.  This is different from other solutions that physically move the file to a new location.  One of the reasons CSA handles the virus-infected file this way is that it will now monitor this file and any other file that might access it.  This allows the system to try to detect secondary infected files.  Once a file is flagged CSA prevents all access to the file and fires off a deny event whenever an access attempt is made.  You can review these events to find out what other files are trying to access this infected file.

You can view the quarantined files by loading the CSA Agent GUI, clicking on Anti-Virus and then looking in the quarantined files section.  Files that are tagged via the signature-based detection are automatically deleted after 60 days by default, whereas files that are tagged via the behavior analysis detection method are never automatically deleted.

You can determine which method was used to detect the virus by looking at the details of the event and viewing the first two lines.  They will tell you whether a signature match or behavior analysis triggered the event.