  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5537

Cisco ASA 5505 VPN w/ VOIP QoS configuration

Hi Gurus,

A friend of mine is using a VPN site-to-site connection via his local Cisco ASA 5505 to a remote partner's SonicWall (I'm not sure what the model is, but it's one of the newer ones) to connect to their Fonality PBX server. How do I go about optimizing and prioritizing traffic for VoIP/SIP? From my understanding, I believe QoS needs to be configured at both end-points. So with the above network setup, what's the best way to configure it?

current config:

10 sip phones <==> Cisco ASA 5505 <==> VPN site-to-site (over Verizon DSL) <==> Sonicwall <==> Fonality PBX Server.

Thanks in advance.

0
2 Solutions
 
Alan Huseyin KayahanCommented:
Hello jetli87,
If you already have an s2s VPN established and have data flowing through it, and you also want your VoIP traffic to flow through the same tunnel, your best option would be marking the SIP phone traffic (they should be in the voice VLAN of the switch according to best practices) with a DSCP value of ef (this can be done at the switch the phones connect to), then at both sites prioritizing the traffic that matches the ef marking. An easier practice would be writing an ACL at both ends that defines the SIP phone traffic, then doing the prioritization matching on that specific ACL.
What I would recommend is: create a separate tunnel for the VoIP phones, set the transform set to esp-null at both ends so you disable encryption and lower the latency, then match the tunnel-group for prioritization.

Please check the following previous answer of mine for step by step
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23876820.html
 
Regards

0
 
jetli87Author Commented:
Thanks for the response... I'll definitely try it out... however, both sites are small and are using cheap-o switches. With that being said, I assume going with the ACL solution is my best option?

Also, I've read here at EE that QoS only works if two sites are connected by a leased line, i.e. T1 or MPLS... Since a VPN tunnel is using the internet, the QoS features are lost once traffic travels via the internet... Can you confirm?
0
 
cat6509Commented:
It is true that the Internet is not going to retain or respect your QoS/DSCP markings, but that doesn't mean you should not mark the traffic; you still need to prioritize, traffic-shape and rate-limit what goes into the tunnel.
0
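The ACL-based classification Alan describes above, combined with the shaping cat6509 mentions, on the ASA side as an added example; this is not configuration from the original thread, and it has not been tested against the poster's setup. Every address, port and rate in it is an assumption: the local voice subnet 192.168.10.0/24, the Fonality PBX at 10.20.0.5, SIP on 5060, an RTP range of UDP 10000-20000, and a DSL upstream of 768 kbps shaped to 700 kbps. It uses the hierarchical priority queuing form (a priority policy nested under a shaping class), which needs ASA 8.0(2) or later.

```cisco
! Added example, not from the original thread.  All addresses, ports and
! rates below are assumptions:
!   192.168.10.0/24  local SIP phones (behind the ASA 5505)
!   10.20.0.5        Fonality PBX behind the partner's SonicWall
!   5060             SIP signaling; UDP 10000-20000 the phones' RTP range
!   768 kbps         DSL upstream; shaped to 700 kbps so the queue builds
!                    on the ASA, where priority can act, not at the ISP
!
! 1. Identify voice traffic in both directions.  The ASA classifies VPN
!    traffic on the inner (pre-encryption) packet, so private addresses
!    are used here.
access-list VOICE_ACL extended permit udp 192.168.10.0 255.255.255.0 host 10.20.0.5 eq 5060
access-list VOICE_ACL extended permit tcp 192.168.10.0 255.255.255.0 host 10.20.0.5 eq 5060
access-list VOICE_ACL extended permit udp 192.168.10.0 255.255.255.0 host 10.20.0.5 range 10000 20000
access-list VOICE_ACL extended permit udp host 10.20.0.5 eq 5060 192.168.10.0 255.255.255.0
access-list VOICE_ACL extended permit udp host 10.20.0.5 range 10000 20000 192.168.10.0 255.255.255.0
!
class-map VOICE_CLASS
 match access-list VOICE_ACL
!
! If the phones (or an upstream switch) already set DSCP EF, this class
! catches that traffic without listing ports.  The ASA copies the inner
! DSCP into the ESP header, so the marking survives encapsulation.
class-map VOICE_EF
 match dscp ef
!
! 2. Inner policy: low-latency (priority) queue for the voice classes.
policy-map VOICE_PRIORITY
 class VOICE_CLASS
  priority
 class VOICE_EF
  priority
!
! 3. Outer policy: shape all outbound traffic to just under the DSL
!    upstream rate and run the priority policy inside the shaper.  In this
!    hierarchical form the interface-level 'priority-queue outside'
!    command is not used.
policy-map OUTSIDE_SHAPE
 class class-default
  shape average 700000
  service-policy VOICE_PRIORITY
!
service-policy OUTSIDE_SHAPE interface outside
!
! 4. Verification (exec mode): confirm voice packets are counted against
!    the priority queue and bulk data is being shaped.
show service-policy interface outside
show service-policy shape
show service-policy priority
```

Shaping and priority only act on what the ASA sends; the direction from the PBX to the phones is queued at the partner's edge, so the SonicWall needs the mirror-image policy on its WAN egress, which is what the thread means by configuring QoS at both end-points. The SonicWall syntax is not covered here.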
 
Alan Huseyin KayahanCommented:
If we look at QoS in general, it is correct that the Internet, which consists of islands of ISP routers and switches, will not do QoS according to what you mark. ISPs do QoS according to their own needs, like prioritizing their routing protocol traffic and so on where congestion may occur within their campus. There are some ISPs out there which can do QoS for traffic you mark, for an extra fee, but this is not a common scenario, taking into consideration that your remote office may be many ASes away, which may cause the bidirectional raw packet delay to exceed 140-150 ms.
From CompanyABC's Network Administrator's standpoint, your QoS concerns begin and end where your network perimeter begins and ends, typically a WAN router or firewall (excluding possible bottlenecks within the distribution layer, trunk ports, etc.). Same for your branch office. So you should command your perimeter device: "When congestion occurs at my router's interface, send/receive my voice packets first, meaning if there are data packets waiting in the software queue because of congestion (some guy is seeding/downloading torrents and killing our upstream/downstream bandwidth), move the voice packets to the front of the line, in front of these data packets. It will have no effect if you deliver my data packets late, but my voice will start jittering when you deliver it late. (Btw, don't FIFO-drop my voice packets, because this voice packet has to arrive on time, so TCP's guaranteed delivery, like retransmission of lost packets, won't work here, since I don't want to hear the "hello" word you dropped in the middle of my conversation. Voice usually uses UDP for the actual voice transmission and TCP for signaling, in general.)" Then let the Internet deliver the packets on a best-effort basis. And finally, at your branch office, command your perimeter device the same way you did at your main office. Follow the best practices to lower latency as much as possible, like not using encryption for the voice VPN tunnel, and use transport mode if possible (don't add tunnel mode's additional header overhead).
Long story short, regardless of whether it is the Internet or a dedicated line, if your interface congests and you don't have QoS in place, you will have jitter in voice!

Regards
0
 
jetli87Author Commented:
Wow, I appreciate the explanation, since I'm still trying to grasp QoS and its benefits and limitations.

As for configuring the voice VPN tunnel with no encryption, can you list the sample phase 1/phase 2 commands on the ASA with QoS enabled for that tunnel?

Basically, the s2s VPN is only used for the VoIP connection to the Fonality server, so I believe your solution will help alleviate some of the latency.
0
 
Alan Huseyin KayahanCommented:
```
! Phase 2 (IPsec): null-encryption transform set.  esp-null sends the
! voice payload in cleartext; esp-md5-hmac only authenticates it.
crypto ipsec transform-set nullset esp-null esp-md5-hmac
crypto map outside_map 10 match address crypto_10_map
crypto map outside_map 10 set peer 1.1.1.1
! (1.1.1.1 is an example peer)
crypto map outside_map 10 set transform-set nullset
crypto map outside_map interface outside

! Phase 1 (ISAKMP): the IKE SA itself is still 3DES/SHA; only the
! phase 2 voice traffic is unencrypted.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *

! QoS: create the priority (LLQ) queue on the outside interface
! (global config mode)
priority-queue outside

! Classify everything that goes through the VoIP tunnel
class-map VOIP_Tunnel
 match tunnel-group 1.1.1.1

policy-map outside_policy
 class VOIP_Tunnel
  priority

service-policy outside_policy interface outside
```
0
 
jetli87Author Commented:
Thanks!

I'll test it out and let you know.
0
