Voice through ASA

Unanswered Question
Nov 28th, 2007

This may be a general VOICE ISSUE with something I need to change with inspection, ... but, ...

Hi. Currently, we have two ASA 5505s terminating a tunnel between NY and NM. All is fine except for the fact that when VOICE traffic traverses the link, the policy drops go WAY UP and response time goes to almost nothing!! We have one Quintum Voice unit in NY, a Tenor DX 4048, and two in NM, a Tenor AXG 2400. SOMEBODY please HELP!!!

whisperwind Wed, 11/28/2007 - 12:53

My first thought is itty bitty firewall asked to be a big one; perhaps it's not the right box for the job.

But yet Cisco says it can.... so

How much voice are you putting on the box? Can it handle it? What does the CPU look like? What about your policy, is it configured correctly? Can you share it?

netsec123 Wed, 11/28/2007 - 17:02

Hi.

Only three voice lines.

The CPU looks fine.

Policy - no clue - using DEFAULT. I AM concerned about that 'cause I'm thinking inspection may 'need' to be off? All else is plain vanilla... Ideas please :( ??

andyjames Thu, 11/29/2007 - 04:04

Hello,

I tend to use one policy to match the voice traffic and apply this globally then use another policy to inspect all other required traffic types and apply this to the internal interface.

Not had any problems doing it that way.

HTH.

netsec123 Thu, 11/29/2007 - 04:31

Hi and thank you!!!

What I did was delete the global inspection policy. Although I have set up quite a few ASAs, NEVER have I ventured into the policy and inspection areas. If I may, how did you do this, and would you be able to give me a brief example? I would GREATLY appreciate it.

THANKS SO MUCH!!!

andyjames Thu, 11/29/2007 - 05:17

Hello,

There is a good guide here -

http://www.cisco.com/en/US/partner/docs/security/asa/asa72/configuration/guide/qos.html#wp1043440

This is how I do it -

class-map Voice1
 match access-list Voice_Map
class-map inspection_default
 match default-inspection-traffic
class-map Voice
 match dscp ef
 match tunnel-group #Name of group#
policy-map qos
 class Voice
  priority
service-policy qos global
service-policy csc_out_policy interface Inside_VLAN_1000

This is matching against dscp values, an access-list and a vpn tunnel group.

The second service policy is for CSC modules but can be the default if needed.

HTH.

netsec123 Thu, 11/29/2007 - 05:24

Thank you so much. I will try this today and post within 24 hours!! Thank you SO much!

netsec123 Fri, 11/30/2007 - 08:52

I am almost ready to cry here. I am pasting the config without IPs ---- does this prioritize by voice correctly? :(

PLEASE HELP....

hostname ciscoasa
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
boot system disk0:/asa802-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list OUTBOUND extended permit udp any any eq domain
access-list OUTBOUND extended permit tcp any any eq https
access-list OUTBOUND extended permit tcp any any eq www
access-list OUTBOUND extended permit ip any 192.168.23.0 255.255.255.0
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.23.0 255.255.255.0 log
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.23.0 255.255.255.0 log
access-list OUTBOUNG extended permit ip any any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 63.148.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer aaaa
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics access-list
!
class-map Voice
 match dscp ef
 match tunnel-group aaaa
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map qos
 class Voice
  priority
!
encrypted privilege 15
tunnel-group aaaa type ipsec-l2l
tunnel-group aaaa ipsec-attributes
 pre-shared-key *
prompt hostname context

andyjames Fri, 11/30/2007 - 10:24

Hello,

Viewing the config on a phone so I could be wrong but I can't see the policy applied anywhere.

If you apply that as the global policy it should work. The only problem you may get is if the dscp field is stripped out when trunked to the ASA. If you are not using VLAN'S it shouldn't matter.

HTH.

netsec123 Fri, 11/30/2007 - 11:19

I tried to apply it [I think] and it did not take ... I am probably doing it wrong. Apply how - forgive the ignorance ...

:(

netsec123 Fri, 11/30/2007 - 11:39

This is the error I get...

ciscoasa(config)# service-policy voice interface inside
ERROR: Class Voice has 'priority' set without 'priority-queue' in any interface

andyjames Mon, 12/03/2007 - 02:16

Hello,

OK, forgot to apply the priority queue. If you do priority-queue outside,

then do service-policy qos global.

That should apply the policy.

HTH.
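The full arrangement the thread ends up with, written out here as an added example rather than netsec123's config or andyjames's own commands. The names and addresses are placeholders taken from or modelled on the thread (tunnel-group NM_TUNNEL, access-list Voice_Map, the 192.168.1.0/24 and 192.168.23.0/24 subnets, a voice gateway at 192.168.1.10), and the inspection list is the ASA 8.0 factory default that the deleted global policy carried. Two points the thread touches but does not spell out: the ASA accepts only one global service-policy, so a second global policy named qos cannot coexist with the default global_policy (the voice class is added to global_policy instead, and inspection is kept), and the priority queue has to exist on the egress interface before the policy is applied, or the ASA returns the error netsec123 saw. The example also assumes the platform and software in use accept priority-queue on that interface.

```cisco
! Added example, not the poster's config. Placeholder names and addresses:
! NM_TUNNEL, Voice_Map, 192.168.1.10 (voice gateway), 192.168.23.0/24 (remote LAN).
!
! 1. Classification. DSCP EF plus the tunnel-group is what the thread uses.
!    The access-list is a fallback that still matches if a switch between the
!    gateway and the ASA clears the DSCP field on the way in.
access-list Voice_Map extended permit udp host 192.168.1.10 192.168.23.0 255.255.255.0
!
class-map Voice
 match dscp ef
 match tunnel-group NM_TUNNEL
! Alternative classifier when DSCP does not arrive intact
! (use in place of the two match lines above):
!  match access-list Voice_Map
!
! 2. Default inspection class; keep it rather than deleting the global policy.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! 3. One global policy only. The ASA allows a single "service-policy ... global",
!    so the priority class lives in the default global_policy next to inspection
!    instead of in a second global policy. Inspection list = ASA 8.0 defaults.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class Voice
  priority
!
! 4. Create the queue on the egress (tunnel) interface before applying the
!    policy; without it the ASA rejects the policy with
!    "Class Voice has 'priority' set without 'priority-queue' in any interface".
priority-queue outside
!
service-policy global_policy global
```

After applying it, `show service-policy priority` should list the Voice class with a non-zero match count once calls are up, and `show priority-queue statistics outside` shows the best-effort and low-latency queues on the tunnel interface; zero hits on the class while calls are running is the sign that DSCP EF is not reaching the ASA, in which case the access-list match is the classifier to use. If you prefer andyjames's split (a separate qos policy-map applied globally), the inspection classes then have to move to an interface policy, because the default global_policy must be removed first.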
