Having VoIP QoS on the ASA and between VPN Client peers

Unanswered Question
Jan 15th, 2009

Hey All,

My situation isn't that complicated, but I want to know if these ACLs will work for what I'm trying to accomplish.

I currently have an ASA5510 handling VPN connections.

This is NOT a site-to-site VPN, but a Client VPN connection.

This is my goal; correct me if some of this is unnecessary.

We have a few users with Nortel soft phones that can go home and use their VPN connection. The connection works fine and we are experiencing good feedback. I am worried that when we roll this out to over 100 people we are going to experience some issues. To take care of these issues I would like to implement QoS over the VPN Client connections.

Second, I would like for VPN-to-VPN clients to talk to each other.

Third, I would like for VPN-to-VPN clients to only have VoIP traffic go between them and not allow any sort of data traffic.

Here is what I have drafted up so far and most of it was stolen from this configuration: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

VPN Clients get an IP address of 10.110.198.0/24

! Traffic between the VPN client pool and the internal 10/8 networks
access-list Encrypt-VPN-to-LAN extended permit ip 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Encrypt-VPN-to-LAN extended permit ip 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0
!
! Call signalling from the LAN to VPN clients: H.323, SIP and SCCP (tcp/2000).
! Note these match TCP signalling only; the RTP media itself runs over UDP.
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq h323
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq sip
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq 2000
!
! Call signalling from VPN clients to the LAN
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq h323
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq sip
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq 2000
!
! The name here must match the ACL defined above (the draft had "All-Inbound-calls")
access-group Allow-Inbound-Calls in interface OUTSIDE
!
! esp-des is single DES; esp-3des or esp-aes is the usual choice today
crypto ipsec transform-set VoIP-Encryption esp-des esp-md5-hmac
crypto map VoIPmap 10 match address Encrypt-VPN-to-LAN
crypto map VoIPmap 10 set transform-set VoIP-Encryption
crypto map VoIPmap interface OUTSIDE
!
class-map VoIP-OUT
 match access-list Allow-Outbound-Calls
class-map VoIP-IN
 match access-list Allow-Inbound-Calls
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
!
! Class names must match the class-maps above (the draft had Voice-IN / Voice-OUT).
! "priority" only takes effect once "priority-queue OUTSIDE" is enabled on the interface.
policy-map VoicePolicy
 class VoIP-IN
 class VoIP-OUT
  priority
service-policy VoicePolicy interface OUTSIDE
!
! Allow VPN-to-VPN (hairpinned) traffic, but only the call signalling ports
same-security-traffic permit intra-interface
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq h323
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq sip
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq 2000
access-list VPN-to-VPN-VoIP extended deny ip 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0

Thanks for any help
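A check for the kind of slip in the draft above (an access-group and a policy-map naming objects that are defined under different names), as an added example that is not from the post or from Cisco: a small Python linter for ASA configuration text. The sample config is constructed from the draft, and the priority-queue check reflects that the ASA's `priority` class action only takes effect on an interface where `priority-queue <interface>` is enabled.

```python
import re

# Constructed sample: the draft from the post above, cut down to the lines that
# matter for reference checking, with its two naming slips left in on purpose.
SAMPLE_CONFIG = """
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq sip
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq sip
access-group All-Inbound-calls in interface OUTSIDE
class-map VoIP-OUT
 match access-list Allow-Outbound-Calls
class-map VoIP-IN
 match access-list Allow-Inbound-Calls
policy-map VoicePolicy
 class Voice-IN
 class Voice-OUT
  priority
service-policy VoicePolicy interface OUTSIDE
"""

def lint_asa_config(text):
    """Return one finding per dangling reference (ACL, class-map, policy-map), plus one
    if a policy-map using 'priority' is applied to an interface that has no
    'priority-queue'. ASA object names are case-sensitive, so the comparison is too."""
    acls, pmaps, prio_ifaces, prio_pmaps = set(), set(), set(), set()
    cmaps = {"class-default", "inspection_default"}  # defined on the ASA by default
    refs, cur_pmap = [], None                        # refs: (kind, name, context)
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"access-list (\S+) ", s): acls.add(m[1])
        elif m := re.match(r"class-map (\S+)", s): cmaps.add(m[1]); cur_pmap = None
        elif m := re.match(r"policy-map (\S+)", s): pmaps.add(m[1]); cur_pmap = m[1]
        elif m := re.match(r"priority-queue (\S+)", s): prio_ifaces.add(m[1])
        elif s == "priority" and cur_pmap: prio_pmaps.add(cur_pmap)
        elif m := re.match(r"(?:access-group|match access-list|crypto map \S+ \d+ match address) (\S+)", s):
            refs.append(("acl", m[1], s))
        elif cur_pmap and (m := re.match(r"class (\S+)", s)):
            refs.append(("class-map", m[1], s))
        elif m := re.match(r"service-policy (\S+) interface (\S+)", s):
            refs.append(("policy-map", m[1], s))
            refs.append(("priority-queue", m[2], m[1]))  # context = policy-map name
    defined = {"acl": acls, "class-map": cmaps, "policy-map": pmaps}
    findings = []
    for kind, name, ctx in refs:
        if kind == "priority-queue":
            if ctx in prio_pmaps and name not in prio_ifaces:
                findings.append(f"policy-map {ctx} uses priority but 'priority-queue {name}' is not enabled")
        elif name not in defined[kind]:
            findings.append(f"{kind} '{name}' referenced by '{ctx}' is not defined")
    return findings
```

Run against the sample it reports the access-group name, both policy-map class names, and the missing priority-queue; once those are fixed the finding list is empty.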

pjscott13 Wed, 03/10/2010 - 16:04

Did you ever find a solution to this? I am wanting to do the same.

Let me know if you did manage to resolve this and how you did. Thanks!
