01-15-2009 06:37 AM
Hey All,
My situation isn't that complicated, but I want to know whether these ACLs will work for what I'm trying to accomplish.
I currently have an ASA5510 handling VPN connections.
This is NOT a site-to-site VPN, but a Client VPN connection.
This is my goal. And correct me if some of this is unnecessary.
We have a few users with Nortel soft phones who can go home and use their VPN connection. The connection works fine and we are getting good feedback. I am worried that when we roll this out to over 100 people we are going to experience some issues. To take care of these issues I would like to implement QoS over the VPN client connections.
Second, I would like for VPN-to-VPN clients to talk to each other.
Third, I would like for VPN-to-VPN clients to only have VoIP traffic go between them and not allow any sort of data traffic.
Here is what I have drafted up so far and most of it was stolen from this configuration: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
VPN Clients get an IP address of 10.110.198.0/24
! Traffic to be protected between the VPN client pool and the internal 10/8 network
access-list Encrypt-VPN-to-LAN extended permit ip 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Encrypt-VPN-to-LAN extended permit ip 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0
! LAN -> VPN client call signalling: H.323 (tcp 1720), SIP (tcp 5060), SCCP/skinny (tcp 2000)
! Caveat: these only match the signalling; the RTP audio streams are UDP on dynamic ports
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq h323
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq sip
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq 2000
! VPN client -> LAN call signalling
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq h323
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq sip
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq 2000
! The name here must match the ACL defined above exactly (ASA names are case-sensitive);
! the draft had "All-Inbound-calls", which does not exist
access-group Allow-Inbound-Calls in interface OUTSIDE
! Note: esp-des is single DES, which is considered weak today
crypto ipsec transform-set VoIP-Encryption esp-des esp-md5-hmac
crypto map VoIPmap 10 match address Encrypt-VPN-to-LAN
crypto map VoIPmap 10 set transform-set VoIP-Encryption
crypto map VoIPmap interface OUTSIDE
class-map VoIP-OUT
 match access-list Allow-Outbound-Calls
class-map VoIP-IN
 match access-list Allow-Inbound-Calls
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
! Class names must match the class-maps above; the draft had "Voice-IN" / "Voice-OUT".
! Priority queuing acts on traffic leaving the interface, so on OUTSIDE it is the LAN-to-client class that gets it
policy-map VoicePolicy
 class VoIP-IN
 class VoIP-OUT
  priority
! The priority action only takes effect once the priority queue is enabled on the interface
priority-queue OUTSIDE
service-policy VoicePolicy interface OUTSIDE
! Needed so traffic can enter and leave through the same interface (VPN client to VPN client)
same-security-traffic permit intra-interface
! Client-to-client: allow only call signalling, deny all other traffic between VPN clients.
! This ACL is defined but not applied anywhere in this draft.
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq h323
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq sip
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq 2000
access-list VPN-to-VPN-VoIP extended deny ip 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0
Thanks for any help
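An added example, not from the original post or from Cisco: a small Python checker that cross-references object names in an ASA draft like the one above, reporting access-group, class and service-policy lines that point at names never defined, plus ACLs that are defined but never applied. The embedded draft is constructed from the post and keeps its original naming mismatches (All-Inbound-calls, Voice-IN, Voice-OUT).

```python
import difflib

# Constructed sample: the post's draft, trimmed, with its original naming mismatches kept.
DRAFT_CONFIG = """
access-list Encrypt-VPN-to-LAN extended permit ip 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq sip
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq sip
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq sip
access-group All-Inbound-calls in interface OUTSIDE
crypto map VoIPmap 10 match address Encrypt-VPN-to-LAN
class-map VoIP-OUT
 match access-list Allow-Outbound-Calls
class-map VoIP-IN
 match access-list Allow-Inbound-Calls
policy-map VoicePolicy
 class Voice-IN
 class Voice-OUT
  priority
service-policy VoicePolicy interface OUTSIDE
"""

def check_references(config):
    """Cross-check ASA object names (case-sensitive): every access-group, match access-list,
    crypto map match address, class and service-policy line must name a defined object.
    Returns (undefined references, unused ACL names, typo hints)."""
    defined = {"acl": set(), "class-map": set(), "policy-map": set()}
    refs = []  # (kind, name, offending line)
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue  # blank line or ASA comment
        if t[0] == "access-list":
            defined["acl"].add(t[1])
        elif t[0] in ("class-map", "policy-map"):
            defined[t[0]].add(t[1])
        elif t[0] == "access-group":
            refs.append(("acl", t[1], raw.strip()))
        elif t[:2] == ["match", "access-list"]:
            refs.append(("acl", t[2], raw.strip()))
        elif t[0] == "crypto" and "address" in t:
            refs.append(("acl", t[t.index("address") + 1], raw.strip()))
        elif t[0] == "class" and len(t) == 2:  # "class X" inside a policy-map
            refs.append(("class-map", t[1], raw.strip()))
        elif t[0] == "service-policy":
            refs.append(("policy-map", t[1], raw.strip()))
    undefined = [r for r in refs if r[1] not in defined[r[0]]]
    unused_acls = defined["acl"] - {n for k, n, _ in refs if k == "acl"}
    # Closest defined name for each dangling reference, e.g. All-Inbound-calls -> Allow-Inbound-Calls
    hints = {n: difflib.get_close_matches(n, defined[k], n=1, cutoff=0.6) for k, n, _ in undefined}
    return undefined, unused_acls, hints
```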
03-10-2010 04:04 PM
Did you ever find a solution to this? I am wanting to do the same.
Let me know if you did manage to resolve this and how you did. Thanks!
10-29-2010 07:05 AM
This may be just what you are looking for. According to this article, you have to tell the ASA what your DSL speed is so it can properly do QoS. This guy doesn't talk about doing it over a VPN, but I don't know if that would be much harder to implement.
I hope this helps: http://brian-kayser.blogspot.com/2010/10/doing-asa-quality-of-service-qos.html