Proper QOS for VOIP on Cisco ASA 5505

I am just looking for a thumbs up on my ASA 5505 config. I have a SIP trunk delivered over the internet from an online provider. I just want to ensure I have good SIP QOS policies for the inside and outside interfaces on the router.
Below is my config and I would like insight on whether it is actually working and done properly. Any suggestions are greatly appreciated!

Note: anywhere you see an outside IP or encrypted password, you will find an "xxxxxxxxxxx".

ASA VERSION 7.2(3)
!
HOSTNAME VIRTUCOMCISCO
!
INTERFACE VLAN1
 NAMEIF INSIDE
 SECURITY-LEVEL 100
 IP ADDRESS 192.168.2.1 255.255.255.0
!
INTERFACE VLAN2
 NAMEIF OUTSIDE
 SECURITY-LEVEL 0
 IP ADDRESS XXXXXXXX 255.255.255.248
!
INTERFACE ETHERNET0/0
 SWITCHPORT ACCESS VLAN 2
!
INTERFACE ETHERNET0/1
!
INTERFACE ETHERNET0/2
!
INTERFACE ETHERNET0/3
!
INTERFACE ETHERNET0/4
!
INTERFACE ETHERNET0/5
!
INTERFACE ETHERNET0/6
!
INTERFACE ETHERNET0/7
!
PASSWD XXXXXXXXXXXX

SAME-SECURITY-TRAFFIC PERMIT INTRA-INTERFACE
OBJECT-GROUP SERVICE CUSTOM TCP
 PORT-OBJECT EQ 3389
OBJECT-GROUP PROTOCOL TCPUDP
 PROTOCOL-OBJECT UDP
 PROTOCOL-OBJECT TCP
OBJECT-GROUP SERVICE TRIXBOX UDP
 DESCRIPTION UDP 5060, 10000-20000
 PORT-OBJECT RANGE 10000 20000
 PORT-OBJECT EQ SIP
OBJECT-GROUP PROTOCOL GRE
 PROTOCOL-OBJECT GRE
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 3389
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT OBJECT-GROUP TCPUDP ANY ANY
ACCESS-LIST OUTSIDE_ACCESS_IN REMARK UDP/10000-20000/5600
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT UDP ANY OBJECT-GROUP TRIXBOX ANY OBJECT-GROUP TRIXBOX
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 2350
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT UDP ANY ANY EQ 2350
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ HTTPS
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ SMTP
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ POP3
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ IMAP4
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT GRE ANY ANY
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY EQ PPTP ANY EQ PPTP
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT UDP ANY EQ 15884 ANY EQ 15884
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 15884
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ WWW
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 902
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 6600
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 995
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 993
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ 587
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT TCP ANY ANY EQ SSH
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY ECHO-REPLY
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY SOURCE-QUENCH
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY UNREACHABLE
ACCESS-LIST OUTSIDE_ACCESS_IN EXTENDED PERMIT ICMP ANY ANY TIME-EXCEEDED
ACCESS-LIST INSIDE_ACCESS_IN EXTENDED PERMIT IP ANY ANY
PAGER LINES 24
LOGGING ENABLE
LOGGING ASDM INFORMATIONAL
MTU INSIDE 1500
MTU OUTSIDE 1500
NO FAILOVER
ICMP UNREACHABLE RATE-LIMIT 1 BURST-SIZE 1
ASDM IMAGE DISK0:/ASDM-523.BIN
NO ASDM HISTORY ENABLE
ARP TIMEOUT 14400
NAT-CONTROL
GLOBAL (OUTSIDE) 1 INTERFACE
NAT (INSIDE) 1 0.0.0.0 0.0.0.0
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 3389 VCTS 3389 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE SMTP VCEXCHANGE SMTP NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE HTTPS VCEXCHANGE HTTPS NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE WWW VCEXCHANGE WWW NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 995 VCEXCHANGE 995 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 587 VCEXCHANGE 587 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE IMAP4 VCEXCHANGE IMAP4 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 993 VCEXCHANGE 993 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxx HTTPS VCWEB HTTPS NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxx WWW VCWEB WWW NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxxx 3389 VCWEB 3389 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxxx HTTPS VCESX HTTPS NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP xxxxxxxxxx 902 VCESX 902 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) TCP INTERFACE 2350 192.168.2.58 2350 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) UDP INTERFACE 2350 192.168.2.58 2350 NETMASK 255.255.255.255
STATIC (INSIDE,OUTSIDE) xxxxxxxxxxx 10.1.10.20 NETMASK 255.255.255.255 DNS NORANDOMSEQ
STATIC (INSIDE,OUTSIDE) xxxxxxxxxxx TRIXBOX NETMASK 255.255.255.255
ACCESS-GROUP INSIDE_ACCESS_IN IN INTERFACE INSIDE
ACCESS-GROUP OUTSIDE_ACCESS_IN IN INTERFACE OUTSIDE
ROUTE INSIDE VCWEB 255.255.255.255 192.168.2.1 1
ROUTE OUTSIDE 0.0.0.0 0.0.0.0 xxxxxxxxxxxx 1
TIMEOUT XLATE 3:00:00
TIMEOUT CONN 1:00:00 HALF-CLOSED 0:10:00 UDP 0:02:00 ICMP 0:00:02
TIMEOUT SUNRPC 0:10:00 H323 0:05:00 H225 1:00:00 MGCP 0:05:00 MGCP-PAT 0:05:00
TIMEOUT SIP 0:30:00 SIP_MEDIA 0:02:00 SIP-INVITE 0:03:00 SIP-DISCONNECT 0:02:00
TIMEOUT UAUTH 0:05:00 ABSOLUTE
HTTP SERVER ENABLE
HTTP 192.168.2.0 255.255.255.0 INSIDE
NO SNMP-SERVER LOCATION
NO SNMP-SERVER CONTACT
SNMP-SERVER ENABLE TRAPS SNMP AUTHENTICATION LINKUP LINKDOWN COLDSTART
TELNET 192.168.2.0 255.255.255.0 INSIDE
TELNET TIMEOUT 5
SSH TIMEOUT 5
CONSOLE TIMEOUT 0
DHCPD AUTO_CONFIG OUTSIDE
!

priority-queue inside
priority-queue outside
!
class-map InsideVoipClass
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
class-map Voip-outside-class
 match port udp eq sip
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
policy-map inside-VOIPpolicy
 class InsideVoipClass
  priority
policy-map type inspect sip SIPInspection
 parameters
  max-forwards-validation action drop log
  rtp-conformance
policy-map Voipoutside-policy
 class Voip-outside-class
  priority
!
service-policy global_policy global
service-policy inside-VOIPpolicy interface inside
service-policy Voipoutside-policy interface outside
prompt hostname context
0
VirtueCom
Asked:
1 Solution
 
shadowmantx Commented:
Here is a QOS template that has helped me set up Cisco QOS. Just negate your other QOS config settings. This template will help you figure out bandwidth management and proper expedited forwarding.

Download it from this link:

http://www.techrepublic.com/article/configure-qos-on-your-cisco-router-with-this-template/6136216
0
 
VirtueCom (Author) Commented:
That's great, but it looks like I have done most steps in that article. Just looking for acceptance with my config or any small tweaks someone would recommend.
0
 
shadowmantx Commented:
One thing to remember: if your users stream online radios like Pandora, etc., that will kill your bandwidth. I usually block those sites.
0
 
VirtueCom (Author) Commented:
Wasn't quite what I was looking for. All boilerplate responses.
0
Question has a verified solution.
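
An added example, not part of the original thread or any participant's code: a small Python check run over the class-map and policy-map section of the config posted in the question. The `audit` helper and its finding strings are hypothetical; the config lines are copied from the post.

```python
import re

# Policy-map section of the config posted above (DNS map and service-policy lines omitted).
CONFIG = """\
class-map InsideVoipClass
 match port udp eq sip
class-map Voip-outside-class
 match port udp eq sip
policy-map global_policy
policy-map inside-VOIPpolicy
 class InsideVoipClass
  priority
policy-map type inspect sip SIPInspection
 parameters
  max-forwards-validation action drop log
  rtp-conformance
policy-map Voipoutside-policy
 class Voip-outside-class
  priority
"""

def audit(config):
    """Hypothetical helper: list policy-framework gaps that affect VoIP handling."""
    blocks, current = {}, None            # top-level command -> its indented sub-lines
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    findings = []
    policy_maps = [(h.split(), b) for h, b in blocks.items() if h.startswith("policy-map ")]
    for words, body in policy_maps:
        if words[1:3] == ["type", "inspect"]:
            proto, name = words[3], words[4]
            # An inspect map does nothing until some class runs "inspect <proto> <name>".
            if not re.search(rf"^\s+inspect {proto} {re.escape(name)}\s*$", config, re.M):
                findings.append(f"inspect map {name} is defined but never applied")
            continue
        if not body:
            findings.append(f"policy-map {words[1]} has no classes")
        cls = None
        for sub in body:
            if sub.startswith("class "):
                cls = sub.split()[1]
            elif sub == "priority" and cls:
                matches = blocks.get(f"class-map {cls}", [])
                if matches and all(m == "match port udp eq sip" for m in matches):
                    findings.append(f"{words[1]}: priority class {cls} matches only SIP signaling")
    return findings
```

On the posted config, `audit(CONFIG)` reports four findings: the empty `global_policy`, the unapplied `SIPInspection` map, and both priority classes, which cover UDP port `sip` but not the 10000-20000 range named in the TRIXBOX object group.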
