prodriveit
asked on
Problem with VoIP after upgrading to PIX OS 7.21
Hi Guys,
I've a customer with 4 sites in the UK. All sites are using PIX 515e for firewall and VPN router, and all were on 6.3.5.
Sites 1, 2 and 3 had VoIP phones; Site 1 hosted the IP phone switch (Cisco CCM) and Sites 2 and 3 were remote.
We upgraded site 4 to PIX OS 7.21 no problem
We then upgraded Site 2 no problem
We then upgraded Site 1 ... problems.
First of all the VPN to site 3 was intermittent and the phone (only 1) in site 3 would not work.
Secondly - all the phones in Site 2 continually reset and call reliability is now rubbish where before it was quite good.
I've implemented Cisco's prioritisation suggestions using an ACL and Class Map on both the Site 1 and Site 2 PIX, but the phones are still unreliable. The problems with the dodgy connection to site 3 were fixed by re-seating the new memory module - although we have subsequently replaced this 64 MB SIM with two 32 MB ones in order to rule out dodgy memory as the cause of bad VoIP performance.
I've tried everything I can think of, but no joy. Below are the configs for both PIXs - site 1 and site 2.
SITE 1
PIX Version 7.2(1)
!
hostname london
domain-name customer.local
enable password * encrypted
names
name 10.5.0.0 Site1
name 10.4.0.0 Site2
name 10.6.0.0 Site3
name 10.7.0.0 Site4
name 10.2.1.0 Voice2
name 10.3.1.0 Voice3
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address eee.eee.eee.eee 255.255.255.192
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.5.1.20 255.255.0.0
!
passwd * encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name customer.local
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Site2 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Site4 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Site3 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Voice3 255.255.255.0 Voice2 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Voice3 255.255.255.0 Site2 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Site1 255.255.0.0 Voice2 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Voice3 255.255.255.0 Site3 255.255.0.0
access-list outside_cryptomap_20 extended permit ip Site1 255.255.0.0 Site2 255.255.0.0
access-list outside_cryptomap_20 extended permit ip Voice3 255.255.255.0 Voice2 255.255.255.0
access-list outside_cryptomap_20 extended permit ip Site1 255.255.0.0 Voice2 255.255.255.0
access-list outside_cryptomap_20 extended permit ip Voice3 255.255.255.0 Site2 255.255.0.0
access-list outside_cryptomap_40 extended permit ip Site1 255.255.0.0 Site4 255.255.0.0
access-list outside_cryptomap_60 extended permit ip Site1 255.255.0.0 Site3 255.255.0.0
access-list outside_cryptomap_60 extended permit ip Voice3 255.255.255.0 Site3 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq h323
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq 2000
access-list VOIP-Priority-Out extended permit udp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq h323
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq 2000
access-list VOIP-Priority-In extended permit udp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
pager lines 24
logging enable
logging console debugging
logging asdm errors
mtu outside 1500
mtu inside 1500
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm521.bin
asdm location 10.0.0.0 255.0.0.0 inside
asdm location 192.168.1.0 255.255.255.0 inside
asdm location 10.0.0.0 255.0.0.0 outside
asdm location Site2 255.255.0.0 outside
asdm location Site4 255.255.0.0 outside
asdm location Site3 255.255.0.0 outside
asdm location Voice3 255.255.255.0 inside
asdm location Voice2 255.255.255.0 outside
asdm location Voice3 255.255.255.0 outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 Site1 255.255.0.0
static (inside,outside) 10.5.1.1 10.5.1.1 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 eee.eee.eee.eef
route inside Voice3 255.255.255.0 10.5.1.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer bbb.bbb.bbb.bbb
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer ccc.ccc.ccc.ccc
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer ddd.ddd.ddd.ddd
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
pre-shared-key *
tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
pre-shared-key *
tunnel-group ccc.ccc.ccc.ccc type ipsec-l2l
tunnel-group ccc.ccc.ccc.ccc ipsec-attributes
pre-shared-key *
telnet Site1 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd ping_timeout 750
!
priority-queue outside
!
class-map inspection_default
match default-inspection-traffic
class-map Voice-OUT
match access-list VOIP-Priority-Out
class-map Voice-IN
match access-list VOIP-Priority-In
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect h323 h225
inspect h323 ras
class Voice-OUT
priority
class Voice-IN
priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2551d9eff6ad15c4e6be0a3b71ff742a
SITE 2
PIX Version 7.2(1)
!
hostname farnborough
domain-name sbac.local
enable password * encrypted
names
name 10.5.0.0 Site1
name 10.7.0.0 Site4
name 10.6.0.0 Site3
name 10.3.1.0 Voice3
name 10.2.1.0 Voice2
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address bbb.bbb.bbb.bbb 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.4.1.20 255.255.0.0
!
passwd * encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name sbac.local
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Site1 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Site4 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Site3 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Voice2 255.255.255.0 Voice3 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.4.0.0 255.255.0.0 Voice3 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip Voice2 255.255.255.0 Site1 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip Voice2 255.255.255.0 Site3 255.255.0.0
access-list outside_cryptomap_40 extended permit ip 10.4.0.0 255.255.0.0 Site1 255.255.0.0
access-list outside_cryptomap_40 extended permit ip Voice2 255.255.255.0 Voice3 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 10.4.0.0 255.255.0.0 Voice3 255.255.255.0
access-list outside_cryptomap_40 extended permit ip Voice2 255.255.255.0 Site1 255.255.0.0
access-list outside_cryptomap_60 extended permit ip 10.4.0.0 255.255.0.0 Site4 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 10.4.0.0 255.255.0.0 Site3 255.255.0.0
access-list outside_cryptomap_80 extended permit ip Voice2 255.255.255.0 Site3 255.255.0.0
access-list VOIP-Priority-Out extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq h323
access-list VOIP-Priority-Out extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit udp Voice2 255.255.255.0 Voice3 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit tcp Voice2 255.255.255.0 Voice3 255.255.255.0 eq 2000
access-list VOIP-Priority-In extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq h323
access-list VOIP-Priority-In extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit udp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-In extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq 2000
pager lines 24
logging enable
logging asdm errors
mtu outside 1500
mtu inside 1500
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm521.bin
asdm location 10.4.2.18 255.255.255.255 inside
asdm location Site1 255.255.0.0 outside
asdm location Site4 255.255.0.0 outside
asdm location Site1 255.255.0.0 inside
asdm location Site3 255.255.0.0 outside
asdm location 10.4.0.0 255.255.0.0 inside
asdm location 192.168.1.0 255.255.255.0 inside
asdm location 10.0.0.0 255.0.0.0 inside
asdm location Voice2 255.255.255.0 inside
asdm location Voice3 255.255.255.0 outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 bbb.bbb.bbb.bbc 1
route inside Voice2 255.255.255.0 10.4.1.40 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http Site1 255.255.0.0 inside
http 10.4.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer aaa.aaa.aaa.aaa
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer ccc.ccc.ccc.ccc
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer ddd.ddd.ddd.ddd
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
pre-shared-key *
tunnel-group ccc.ccc.ccc.ccc type ipsec-l2l
tunnel-group ccc.ccc.ccc.ccc ipsec-attributes
pre-shared-key *
tunnel-group ddd.ddd.ddd.ddd type ipsec-l2l
tunnel-group ddd.ddd.ddd.ddd ipsec-attributes
pre-shared-key *
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
priority-queue outside
!
class-map Voice-In
match access-list VOIP-Priority-In
class-map inspection_default
match default-inspection-traffic
class-map Voice-OUT
match access-list VOIP-Priority-Out
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect h323 h225
inspect h323 ras
class Voice-In
priority
class Voice-OUT
priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:118ac2188fdcfe0ae0145e77864ed055
Any pointers on how to improve reliability again or a reason why this has happened would be greatly appreciated.
BTW - Site 1 has 6Mbps line to Internet, Site 2 a 4Mbps line.
DS
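Added example (not part of the original post, and not Cisco tooling): a small Python audit of a PIX 7.x running-config that checks the two things worth verifying in the configs above before blaming the firewall. It resolves the `name` aliases, works out which access-lists the `priority` classes actually queue, and checks that every `crypto map ... set peer` has a matching `tunnel-group <peer> type ipsec-l2l`. The embedded config excerpt is constructed from the posted site-1 config with 192.0.2.x documentation addresses standing in for the real peers; the function names (`audit`, `priority_covers_rtp`, `missing_tunnel_groups`, and so on) are this example's own. Note that the posted VOIP-Priority ACLs match only signalling (h323 = TCP 1720, sip = 5060, Skinny = TCP 2000); the RTP media streams that carry the audio run on UDP 16384-32767 on Cisco IP phones, so the `priority_covers_rtp` check reports False for the posted rules.

```python
"""Offline audit of a PIX 7.x config for VoIP-over-VPN settings (added example, not Cisco code).

Only the network/mask ACE form used in the posted ACLs is parsed; `any`/`host` forms are skipped.
"""
import re
from collections import defaultdict

# Well-known defaults: PIX named ports, and the UDP range Cisco IP phones use for RTP media.
PORT_NAMES = {"h323": 1720, "sip": 5060}
RTP_RANGE = (16384, 32767)

# Constructed excerpt modelled on the posted site-1 config; 192.0.2.x are placeholder peers.
SAMPLE_CONFIG = """\
name 10.4.0.0 Site2
name 10.2.1.0 Voice2
name 10.3.1.0 Voice3
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq h323
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
access-list VOIP-Priority-Out extended permit tcp Voice3 255.255.255.0 Voice2 255.255.255.0 eq 2000
access-list VOIP-Priority-Out extended permit udp Voice3 255.255.255.0 Voice2 255.255.255.0 eq sip
crypto map outside_map 20 set peer 192.0.2.20
crypto map outside_map 60 set peer 192.0.2.60
tunnel-group 192.0.2.20 type ipsec-l2l
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list VOIP-Priority-Out
policy-map global_policy
 class inspection_default
  inspect skinny
  inspect sip
 class Voice-OUT
  priority
"""

# name, proto, src, smask, dst, dmask, optional "eq X" or "range A B"
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)"
    r"(?: (eq|range) (\S+)(?: (\S+))?)?"
)


def port_number(token):
    """Map a PIX port name or number to an int."""
    return PORT_NAMES.get(token) or int(token)


def parse_names(cfg):
    """Return {alias: network} from `name <network> <alias>` lines."""
    return {alias: net for net, alias in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}


def parse_aces(cfg, names):
    """Return {acl: [ace, ...]} with aliases resolved; ports is (lo, hi) or None for any port."""
    acls = defaultdict(list)
    for line in cfg.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        acl, proto, src, _, dst, _, op, p1, p2 = m.groups()
        ports = None
        if op == "eq":
            ports = (port_number(p1), port_number(p1))
        elif op == "range":
            ports = (port_number(p1), port_number(p2))
        acls[acl].append({"proto": proto, "src": names.get(src, src),
                          "dst": names.get(dst, dst), "ports": ports})
    return dict(acls)


def priority_acls(cfg):
    """Return {class_name: acl_name} for every class given `priority` inside a policy-map."""
    class_to_acl, current, prio = {}, None, []
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "class-map":
            current = ("cmap", tok[-1])
        elif tok[0] == "class":
            current = ("pclass", tok[1])
        elif tok[:2] == ["match", "access-list"] and current and current[0] == "cmap":
            class_to_acl[current[1]] = tok[2]
        elif tok == ["priority"] and current and current[0] == "pclass":
            prio.append(current[1])
    return {c: class_to_acl.get(c) for c in prio}


def priority_covers_rtp(cfg):
    """True if some priority-queued ACL matches UDP (or ip) traffic overlapping the RTP range."""
    acls = parse_aces(cfg, parse_names(cfg))
    for acl in priority_acls(cfg).values():
        for ace in acls.get(acl, []):
            if ace["proto"] not in ("udp", "ip"):
                continue
            if ace["ports"] is None:
                return True
            lo, hi = ace["ports"]
            if lo <= RTP_RANGE[1] and hi >= RTP_RANGE[0]:
                return True
    return False


def missing_tunnel_groups(cfg):
    """Crypto-map peers with no `tunnel-group <peer> type ipsec-l2l` (nothing to authenticate with)."""
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M))
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M))
    return sorted(peers - groups)


def audit(cfg):
    """Bundle the checks into one report dict."""
    return {"priority_classes": priority_acls(cfg),
            "priority_covers_rtp": priority_covers_rtp(cfg),
            "peers_without_tunnel_group": missing_tunnel_groups(cfg)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the real `show running-config` of each PIX rather than the posted text: the posted configs use placeholder addresses, so the peer/tunnel-group check is only meaningful on the live config. On the box itself, `show service-policy` shows whether the priority classes are matching any packets at all, which tells you whether the QoS change is even in the data path before you decide to keep or remove it.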
ASKER
Thanks guys. I'd previously applied 7.21 to a customer who was using VoIP over l2l VPN and they had reported an improvement in their VoIP (which now seems completely bizarre) and so this is what I went on.
We've since downgraded to 6.3 and all is OK again - will definitely test the phones thoroughly after upgrading to a different version of 7!
Regards,
DS
I see you have also setup QoS to give voice priority. This was not a feature available on the old 6.x versions. Try it without the QoS features enabled.