Solved

Proper QoS for VoIP on Cisco ASA 5505

Posted on 2011-02-24
Last Modified: 2012-06-27
I am just looking for a thumbs up on my ASA 5505 config. I have a SIP trunk delivered over the internet from an online provider. I just want to ensure I have good SIP QoS policies for the inside and outside interfaces on the router.
Below is my config and I would like insight on whether it is actually working and done properly. Any suggestions are greatly appreciated!

Note: anywhere you see an outside IP or encrypted password you will find "xxxxxxxxxxx".

ASA VERSION 7.2(3)
!
HOSTNAME VIRTUCOMCISCO
!
INTERFACE VLAN1
 NAMEIF INSIDE
 SECURITY-LEVEL 100
 IP ADDRESS 192.168.2.1 255.255.255.0
!
INTERFACE VLAN2
 NAMEIF OUTSIDE
 SECURITY-LEVEL 0
 IP ADDRESS XXXXXXXX 255.255.255.248
!
INTERFACE ETHERNET0/0
 SWITCHPORT ACCESS VLAN 2
!
INTERFACE ETHERNET0/1
!
INTERFACE ETHERNET0/2
!
INTERFACE ETHERNET0/3
!
INTERFACE ETHERNET0/4
!
INTERFACE ETHERNET0/5
!
INTERFACE ETHERNET0/6
!
INTERFACE ETHERNET0/7
!
PASSWD XXXXXXXXXXXX

SAME-SECURITY-TRAFFIC PERMIT INTRA-INTERFACE
OBJECT-GROUP SERVICE CUSTOM TCP
 PORT-OBJECT EQ 3389
OBJECT-GROUP PROTOCOL TCPUDP
 PROTOCOL-OBJECT UDP
 PROTOCOL-OBJECT TCP
OBJECT-GROUP SERVICE TRIXBOX UDP
 DESCRIPTION UDP 5060, 10000-20000
 PORT-OBJECT RANGE 10000 20000
 PORT-OBJECT EQ SIP
OBJECT-GROUP PROTOCOL GRE
 PROTOCOL-OBJECT GRE
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 3389
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT OBJECT-GROUP TCPUDP ANY ANY
ACCESS-LIST OUTSIDE_ACCESS_IN REMARK UDP/10000-20000/5600
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT UDP ANY OBJECT-GROUP TRIXBOX ANY OBJECT-GROUP TRIXBOX
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 2350
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT UDP ANY ANY EQ 2350
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ HTTPS
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ SMTP
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ POP3
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ IMAP4
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT GRE ANY ANY
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY EQ PPTP ANY EQ PPTP
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT UDP ANY EQ 15884 ANY EQ 15884
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 15884
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ WWW
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 902
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 6600
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 995
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 993
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 587
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ SSH
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY ECHO-REPLY
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY SOURCE-QUENCH
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY UNREACHABLE
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY TIME-EXCEEDED
ACCESS-LIST INSIDE_ACCESS_IN EXTENDED PERMIT IP ANY ANY
PAGER LINES 24
LOGGING ENABLE
LOGGING ASDM INFORMATIONAL
MTU INSIDE 1500
MTU OUTSIDE 1500
NO FAILOVER
ICMP UNREACHABLE RATE-LIMIT 1 BURST-SIZE 1
ASDM IMAGE DISK0:/ASDM-523.BIN
NO ASDM HISTORY ENABLE
ARP TIMEOUT 14400
NAT-CONTROL
GLOBAL (OUTSIDE) 1 INTERFACE
NAT (INSIDE) 1 0.0.0.0 0.0.0.0
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 3389 VCTS 3389 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE SMTP VCEXCHANGE SMTP NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE HTTPS VCEXCHANGE HTTPS NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE WWW VCEXCHANGE WWW NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 995 VCEXCHANGE 995 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 587 VCEXCHANGE 587 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE IMAP4 VCEXCHANGE IMAP4 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 993 VCEXCHANGE 993 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxx HTTPS VCWEB HTTPS NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxx WWW VCWEB WWW NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxxx 3389 VCWEB 3389 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxxx HTTPS VCESX HTTPS NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxx 902 VCESX 902 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 2350 192.168.2.58 2350 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) UDP INTERFACE 2350 192.168.2.58 2350 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) xxxxxxxxxxx 10.1.10.20 NETMASK 255.255.255.255 DNS NORANDOMSEQ
STATIC (INSIDE,OUTSIDE) xxxxxxxxxxx TRIXBOX NETMASK 255.255.255.255
ACCESS-GROUP INSIDE_ACCESS_IN IN INTERFACE INSIDE
ACCESS-GROUP OUTSIDE_ACCESS_IN IN INTERFACE OUTSIDE
ROUTE INSIDE VCWEB 255.255.255.255 192.168.2.1 1
ROUTE OUTSIDE 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1
TIMEOUT XLATE 3:00:00
TIMEOUT CONN 1:00:00 HALF-CLOSED 0:10:00 UDP 0:02:00 ICMP 0:00:02
TIMEOUT SUNRPC 0:10:00 H323 0:05:00 H225 1:00:00 MGCP 0:05:00 MGCP-PAT 0:05:00
TIMEOUT SIP 0:30:00 SIP_MEDIA 0:02:00 SIP-INVITE 0:03:00 SIP-DISCONNECT 0:02:00
TIMEOUT UAUTH 0:05:00 ABSOLUTE
HTTP SERVER ENABLE
HTTP 192.168.2.0 255.255.255.0 INSIDE
NO SNMP-SERVER LOCATION
NO SNMP-SERVER CONTACT
SNMP-SERVER ENABLE TRAPS SNMP AUTHENTICATION LINKUP LINKDOWN COLDSTART
TELNET 192.168.2.0 255.255.255.0 INSIDE
TELNET TIMEOUT 5
SSH TIMEOUT 5
CONSOLE TIMEOUT 0
DHCPD AUTO_CONFIG OUTSIDE
!

priority-queue inside
priority-queue outside
!
class-map InsideVoipClass
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
class-map Voip-outside-class
 match port udp eq sip
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
policy-map inside-VOIPpolicy
 class InsideVoipClass
  priority
policy-map type inspect sip SIPInspection
 parameters
  max-forwards-validation action drop log
  rtp-conformance
policy-map Voipoutside-policy
 class Voip-outside-class
  priority
!
service-policy global_policy global
service-policy inside-VOIPpolicy interface inside
service-policy Voipoutside-policy interface outside
prompt hostname context
Question by: VirtueCom
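As an added example (not from the question or any of the answers), one way to extend the posted policy so that the RTP media, and not only SIP signalling on udp/5060, is placed in the priority queue, and to actually bind the SIP inspection policy-map that the posted config defines but never applies. It assumes ASA 7.2 syntax, the 10000-20000 media range from the posted TRIXBOX object-group, and the hypothetical names VOIP_TRAFFIC, voip-class and voip-policy.

```cisco
! Added example, not the poster's config. Assumed names: VOIP_TRAFFIC, voip-class, voip-policy.
! "match port udp eq sip" in the posted class-maps covers only SIP signalling; the RTP
! media that carries the audio runs on the 10000-20000 range and never enters the priority queue.
access-list VOIP_TRAFFIC remark SIP signalling, both directions
access-list VOIP_TRAFFIC extended permit udp any any eq sip
access-list VOIP_TRAFFIC extended permit udp any eq sip any
access-list VOIP_TRAFFIC remark RTP media range advertised by the Trixbox PBX
access-list VOIP_TRAFFIC extended permit udp any any range 10000 20000
access-list VOIP_TRAFFIC extended permit udp any range 10000 20000 any
!
class-map voip-class
 match access-list VOIP_TRAFFIC
!
! Priority queueing on the ASA acts on traffic leaving an interface, so one policy-map
! is bound to both interfaces: outside for media toward the provider, inside for media
! returning to the PBX and phones.
policy-map voip-policy
 class voip-class
  priority
!
priority-queue outside
priority-queue inside
!
service-policy voip-policy interface outside
service-policy voip-policy interface inside
!
! The posted SIPInspection policy-map is defined but not referenced anywhere. Binding it
! under the default inspection class makes the ASA open RTP pinholes from the SDP and
! enforce the Max-Forwards and RTP-conformance checks the poster configured.
policy-map global_policy
 class inspection_default
  inspect sip SIPInspection
```

Replace the two posted inside/outside QoS policy-maps with this one before binding it, since each interface accepts a single service-policy. Confirm with `show service-policy priority` that the voip-class counters increase during a test call on both interfaces.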
Accepted Solution
by: shadowmantx (earned 250 total points)
ID: 34977329
Here is a QoS template that has helped me set up Cisco QoS. Just negate your other QoS config settings. This template will help you figure out bandwidth management and proper expedited forwarding.

Download it from this link:

http://www.techrepublic.com/article/configure-qos-on-your-cisco-router-with-this-template/6136216

Author Comment
by: VirtueCom
ID: 34980564
That's great, but it looks like I have done most steps in that article. Just looking for acceptance of my config or any small tweaks someone would recommend.
Expert Comment
by: shadowmantx
ID: 34983840
One thing to remember: if your users stream online radio like Pandora etc., that will kill your bandwidth. I usually block those sites.

Author Closing Comment
by: VirtueCom
ID: 35132758
Wasn't quite what I was looking for. All boilerplate responses.