Having VoIP QoS on the ASA and between VPN Client peers

the_crooked_toe
Level 1

Hey All,

My situation isn't that complicated, but I am wanting to know if these ACLs will work with what I'm trying to accomplish.

I currently have an ASA5510 handling VPN connections.

This is NOT a site-to-site VPN, but a Client VPN connection.

This is my goal, and correct me if some of this is unnecessary.

We have a few users with Nortel soft phones that can go home and use their VPN connection. The connection works fine and we are experiencing good feedback. I am worried that when we roll this out to over 100 people we are going to experience some issues. To take care of these issues I would like to implement QoS over the VPN Client connections.

Second, I would like for VPN-to-VPN clients to talk to each other.

Third, I would like for VPN-to-VPN clients to only have VoIP traffic go between them and not allow any sort of data traffic.

Here is what I have drafted up so far, and most of it was stolen from this configuration: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml

VPN Clients get an IP address of 10.110.198.0/24

! Interesting traffic between the VPN client pool and the internal 10/8 network
access-list Encrypt-VPN-to-LAN extended permit ip 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Encrypt-VPN-to-LAN extended permit ip 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0
! Call signaling, LAN -> VPN clients (h323 = TCP 1720, sip = TCP 5060, 2000 = SCCP/Skinny).
! These match TCP signaling only; the RTP media streams (UDP) are not matched by any ACL here.
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq h323
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq sip
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq 2000
! Call signaling, VPN clients -> LAN
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq h323
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq sip
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq 2000
! The ACL name must match the one defined above (the draft referenced All-Inbound-calls, which is never defined)
access-group Allow-Inbound-Calls in interface OUTSIDE
! esp-des is single DES, which is weak; esp-aes is the usual choice
crypto ipsec transform-set VoIP-Encryption esp-des esp-md5-hmac
crypto map VoIPmap 10 match address Encrypt-VPN-to-LAN
crypto map VoIPmap 10 set transform-set VoIP-Encryption
crypto map VoIPmap interface OUTSIDE
class-map VoIP-OUT
 match access-list Allow-Outbound-Calls
class-map VoIP-IN
 match access-list Allow-Inbound-Calls
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect skinny
  inspect sip
! Class names must match the class-maps defined above (the draft used Voice-IN / Voice-OUT, which do not exist)
policy-map VoicePolicy
 class VoIP-IN
 ! no action configured under this class, so it currently does nothing
 class VoIP-OUT
  priority
! The priority action only takes effect once the interface's priority queue is enabled
priority-queue OUTSIDE
service-policy VoicePolicy interface OUTSIDE
same-security-traffic permit intra-interface
! Client-to-client: signaling only, all other traffic between clients denied. This ACL is not
! applied anywhere in the draft yet; it has to be referenced (for example as a vpn-filter in the
! clients' group-policy) before it filters anything.
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq h323
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq sip
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq 2000
access-list VPN-to-VPN-VoIP extended deny ip 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0

Thanks for any help
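The draft above references names that are never defined (access-group All-Inbound-calls, class Voice-IN / Voice-OUT) and defines VPN-to-VPN-VoIP without ever applying it; the ASA rejects such lines when they are pasted, so the intended filter and priority queue never get installed. The following added example (not from the original post or from Cisco) is a small reference-consistency lint run over a constructed, shortened copy of the draft, with the poster's names kept exactly as written; the lint itself and its regexes are a hypothetical helper, not an ASA tool.

```python
import re
from collections import defaultdict

# Constructed, shortened copy of the draft in the question; names kept exactly as posted.
DRAFT = """
access-list Encrypt-VPN-to-LAN extended permit ip 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Allow-Outbound-Calls extended permit tcp 10.0.0.0 255.0.0.0 10.110.198.0 255.255.255.0 eq sip
access-list Allow-Inbound-Calls extended permit tcp 10.110.198.0 255.255.255.0 10.0.0.0 255.0.0.0 eq sip
access-list VPN-to-VPN-VoIP extended permit tcp 10.110.198.0 255.255.255.0 10.110.198.0 255.255.255.0 eq sip
access-group All-Inbound-calls in interface OUTSIDE
crypto map VoIPmap 10 match address Encrypt-VPN-to-LAN
class-map VoIP-OUT
 match access-list Allow-Outbound-Calls
class-map VoIP-IN
 match access-list Allow-Inbound-Calls
policy-map VoicePolicy
 class Voice-IN
 class Voice-OUT
  priority
service-policy VoicePolicy interface OUTSIDE
"""

BUILTIN_CLASSES = {"class-default", "inspection_default"}  # provided by the ASA itself

# (kind, regex) pairs; group 1 is the name being defined (DEFS) or referenced (REFS).
DEFS = [("access-list", r"access-list (\S+) "), ("class-map", r"class-map (\S+)"),
        ("policy-map", r"policy-map (\S+)")]
REFS = [("access-list", r"match access-list (\S+)"), ("access-list", r"access-group (\S+) "),
        ("access-list", r"crypto map \S+ \d+ match address (\S+)"),
        ("class-map", r"class (\S+)$"), ("policy-map", r"service-policy (\S+) interface")]

def lint_asa(config: str) -> list:
    """Return findings: names referenced but never defined, and ACLs defined but never applied."""
    defined, used = defaultdict(set), defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        for table, patterns in ((defined, DEFS), (used, REFS)):
            for kind, pattern in patterns:
                m = re.match(pattern, line)
                if m:
                    table[kind].add(m.group(1))
                    break
    used["class-map"] -= BUILTIN_CLASSES
    findings = []
    for kind in ("access-list", "class-map", "policy-map"):
        for name in sorted(used[kind] - defined[kind]):
            findings.append(f"undefined {kind} referenced: {name}")
    for name in sorted(defined["access-list"] - used["access-list"]):
        findings.append(f"access-list never applied: {name}")
    return findings
```

Running lint_asa(DRAFT) reports the three dangling references and the unapplied client-to-client ACL; the same check on a draft whose names line up returns an empty list.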


pjscott13
Level 1

Did you ever find a solution to this? I am wanting to do the same.

Let me know if you did manage to resolve this and how you did. Thanks!

joejoesmoe123
Level 1

This may be just what you are looking for. According to this article, you have to tell the ASA what your DSL speed is so it can properly do QoS. This guy doesn't talk about doing it over a VPN, but I don't know if that would be much harder to implement.

I hope this helps: http://brian-kayser.blogspot.com/2010/10/doing-asa-quality-of-service-qos.html
