We have an IPSec tunnel established between our office and another site using 2 ASA 5510s running 8.0(3).
We have a T1 connecting these sites. I want to be able to use CBWFQ on the serial interfaces of the routers. How can I copy the "copy" the DSCP value into the IP header of the ESP packet on the ASA, if the DSCP is set on the ingress interface of the ASA? I want certain VPN traffic to be placed into different queues on the serial interfaces. I see there the "qos pre-classify" command that exists for routers. Does the ASA have something simular? If no, what can I do?
please, if helpful rate
I thought the DSCP bit is automatically coped from the inner header to the outer header as per the RFC?
QOS pre-classify is only required if you need to apply QOS policies based on other parameters (not copied or visible) at the egress interace.
E.g. in case of IPSEC tunnel mode the layer 4 port-numbers are not visible. For transport mode more fields are visible.