Question : Cisco ASA 5520 - QoS Configuration for VOIP

Cisco ASA 5520
ASDM Version 621
ASA Version 821

I've got a quick VOIP / QoS question I'm hoping someone can help me out with. We've got 10 VOIP phones, I've got DHCP reservations for them, so they're set at 192.168.247.200-209

Our internet connection into the ASA is a 10mbps over 2mbps connection via Cable Internet - we've got one single static IP that we're using with 12 left over for use.

We've been having some VOIP quality issues and I was wondering what the best way to set up Qos would be for that DHCP range. I may be going about this completely the wrong way - I know my way around the Pix devices pretty well, but the ASA is fairly new to me so I'm not sure if there are major differences command-line wise or not.

Thanks,

Code Snippet:

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:

           
           
             ASA Version 8.2(1) 
!
hostname XXXXXXXXXx
domain-name XXXXXXXXXXXxx
enable password q.q8Fr75e.20NtCe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address xx.43.xx.190 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.247.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.247.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxxxx
access-list out2in extended permit tcp any host xx.43.xx.178 eq 3389 
access-list out2in extended permit tcp any host xx.43.xx.178 eq smtp 
access-list out2in extended permit tcp any host xx.43.xx.178 eq https 
access-list out2in extended permit tcp any host xx.43.xx.178 eq www 
access-list out2in extended permit tcp any host xx.43.xx.178 eq ftp 
access-list Inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 172.21.247.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 172.21.16.0 255.255.255.0 
access-list Outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 172.21.247.0 255.255.255.0 
access-list Outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 172.16.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) xx.43.xx.178 192.168.247.2 netmask 255.255.255.255 
access-group out2in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.43.xx.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.247.1.0 255.255.255.0 management
http 192.168.247.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer xx.99.xx.180 
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map 2 match address Outside_cryptomap
crypto map Outside_map 2 set peer xx.208.xx.240 
crypto map Outside_map 2 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.247.1.2-192.247.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xx.99.xx.180 type ipsec-l2l
tunnel-group xx.99.xx.180 ipsec-attributes
 pre-shared-key *
tunnel-group xx.208.xx.240 type ipsec-l2l
tunnel-group xx.208.xx.240 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:1e295ed50fe0ba15a5b2c8bd68bb1d74

           
         

Open in New Window

Select All

Answer : Cisco ASA 5520 - QoS Configuration for VOIP

See if this document helps you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

Also you can refer to this as a reference guide for qos on the ASA in general:

http://supportwiki.cisco.com/ViewWiki/index.php/ASA_QoS

Question : Cisco ASA 5520 - QoS Configuration for VOIP

Answer : Cisco ASA 5520 - QoS Configuration for VOIP

See if this document helps you:http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtmlAlso you can refer to this as a reference guide for qos on the ASA in general:http://supportwiki.cisco.com/ViewWiki/index.php/ASA_QoS

See if this document helps you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

Also you can refer to this as a reference guide for qos on the ASA in general:

http://supportwiki.cisco.com/ViewWiki/index.php/ASA_QoS