QoS for Vonage VoIP PIX 515E

Chris Mickle
Level 1

Hello,

I am admittedly a novice when dealing with Cisco routers and firewalls. I use a PIX firewall for my own environment, and I just installed one at a client's office and need a little help with certain more advanced aspects of the configuration. I know enough to configure the firewall to do what we needed to do.

The client has an office space that is occupied by three separate companies. They share 2 bonded T1s from AT&T for 3 Mbps total bandwidth and have a /29 static IP address block. Each company wanted their own LAN, separate from the others, while still being able to share the common internet. I suggested the PIX firewall because they can't afford an ASA and because I have the most experience with it. I have configured the firewall so that each IP in the static block is NATed to an inside interface on the PIX, and each company is connected to one interface. This effectively separates the LAN segments and gives us the desired result.

The problem is that each company uses Vonage for VoIP phone service, and we are having some intermittent difficulty with the phones. The phone guy, who openly admits that he is not an expert in routing, thinks that it's the firewall that is causing the problems. I think it is a bandwidth issue. As I said, the problems are intermittent and seem to only occur during high usage of the internet.

I did, however, find this article on the Vonage website: https://support.vonagebusiness.com/kb/cisco-pix/ I am a little confused, though, because under the section entitled SIP Transformations it says that I have to add the following line to the PIX configuration: "no ip nat service SIP udp port 5060", but then it only mentions routers or switches using NAT. Do I need to do this on the PIX, and since there are multiple interfaces that use NAT, do I need to alter it somehow so that it works on all of them, or is it something that is applied globally?

According to the article, however, under the section about configuring PIX software version 7.x, I did perform the following:

class-map inspection_default
policy-map asa_global_fw_policy
no inspect sip

My first question is, could someone please look at the article and my config (posted below) and give me some suggestions on the proper way to configure the firewall?

 

My second question is about QoS. As I said above, I think the problems are related to bandwidth so I would like to implement some form of QoS to prioritize the VoIP traffic on each inside interface. I have been unable to find a clear answer to this for my specific environment.

Thanks

 

: Saved
:
PIX Version 8.0(4)
!
hostname pixfirewall
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.146 255.255.255.248
!
interface Ethernet1
 nameif cpysmt
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 nameif digimg
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet3
 nameif inside3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet4
 nameif public
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit tcp any host XXX.XXX.XXX.146 eq https
access-list 101 extended permit tcp any host XXX.XXX.XXX.146 eq www
access-list 101 extended permit tcp any host XXX.XXX.XXX.146 eq 3389
access-list 101 extended permit tcp any host XXX.XXX.XXX.146 eq 987
pager lines 24
logging asdm informational
mtu outside 1500
mtu cpysmt 1500
mtu digimg 1500
mtu inside3 1500
mtu public 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 XXX.XXX.XXX.147
global (outside) 3 XXX.XXX.XXX.148
global (outside) 4 XXX.XXX.XXX.149
global (outside) 5 XXX.XXX.XXX.150
nat (cpysmt) 1 192.168.0.0 255.255.255.0
nat (digimg) 2 192.168.1.0 255.255.255.0
nat (inside3) 3 192.168.2.0 255.255.255.0
nat (public) 4 192.168.3.0 255.255.255.0
static (cpysmt,outside) tcp interface https 192.168.0.224 https netmask 255.255.255.255
static (cpysmt,outside) tcp interface www 192.168.0.224 www netmask 255.255.255.255
static (cpysmt,outside) tcp interface 987 192.168.0.224 987 netmask 255.255.255.255
static (cpysmt,outside) tcp interface 3389 192.168.0.224 3389 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 digimg
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 digimg
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 digimg
ssh timeout 30
console timeout 0
dhcpd dns XXX.XXX.XXX.XXX
!
dhcpd address 192.168.1.10-192.168.1.150 digimg
dhcpd enable digimg
!
dhcpd address 192.168.2.10-192.168.2.150 inside3
dhcpd enable inside3
!
dhcpd address 192.168.3.50-192.168.3.100 public
dhcpd enable public
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 207.46.197.32 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:89491d13cca57f107f7c7f4e94b184af
: end

Accepted Solution

nkarthikeyan
Level 7

Hi,

 

For your 1st question: yes, if you disable the inspect sip on your FW service policy, this saves the processing time for SIP packets... that is what they suggest on this, and you have done it perfectly in your configuration...

 

For your 2nd question: you can do some sort of QoS in the FW to prioritize the Vonage VoIP traffic...

Some sort of sample QoS config:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

 

Regards

Karthik

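To make the accepted answer concrete against the posted running config, here is an added example (not part of the original thread). Two things the posted config already settles: "inspect sip" is absent from policy-map global_policy, and that policy is applied with "service-policy global_policy global", so the change covers every interface, including all four NATed inside segments, without any per-interface work. One thing to watch: the policy-map name typed in the question, asa_global_fw_policy, does not appear in the posted config; the commands have to name the policy-map the running config actually uses, which is global_policy here. The show commands and the keepalive caveat are general PIX/ASA 8.0 MPF behaviour; the 2-minute figure comes from the posted "timeout conn ... udp 0:02:00" line.

```cisco
! Added example, not from the original post. Remove SIP application
! inspection from the policy-map the running config actually applies
! ("global_policy" in the posted config; "show running-config policy-map"
! prints the real name). Because "service-policy global_policy global"
! applies it to every interface, one change covers all NATed segments.
pixfirewall# configure terminal
pixfirewall(config)# policy-map global_policy
pixfirewall(config-pmap)# class inspection_default
pixfirewall(config-pmap-c)# no inspect sip
pixfirewall(config-pmap-c)# end
pixfirewall# write memory
!
! Verify: "inspect sip" must be absent from the global policy, and the
! per-inspector view should report no sip inspector at all.
pixfirewall# show service-policy global
pixfirewall# show service-policy inspect sip
!
! What "no inspect sip" does NOT turn off: the PIX still creates a
! connection entry and a dynamic-PAT xlate for every SIP and RTP flow
! (the global/nat pairs in the posted config are single-address PAT).
! Without the inspector it no longer reads the SDP body to open RTP
! pinholes, so inbound media and inbound INVITEs depend on the phone's
! own outbound flows staying in the tables. With the posted
! "timeout conn ... udp 0:02:00", a phone that re-registers or sends
! keepalives less often than every 2 minutes loses its entry. Watch the
! idle timer on the port-5060 flows while a phone sits unused:
pixfirewall# show conn protocol udp port 5060
pixfirewall# show xlate
```

Usage note: "no inspect sip" removes only the SIP application-layer inspector (the part that rewrites SIP headers and opens media pinholes); the PIX's stateful tracking of every TCP and UDP connection cannot be switched off and is what the Vonage article relies on when it asks for the firewall to leave SIP untouched. If calls drop after a few minutes of idle time, the UDP idle timeout versus the adapters' keepalive interval is the first thing to compare.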

6 Replies

So I do not need to add the line "no ip nat service SIP udp port 5060"?

Also, I know they recommend for other routers to disable stateful packet inspection. Is this necessary for the PIX?

Hi,

 

Yeah, they suggest removing the stateful inspection on any device... it's applicable for PIX/ASA as well... Since you have a PIX and you already have inspect disabled for SIP... it should be okay...

 

Regards

Karthik

So, stupid question... Are SIP and stateful packet inspection the same thing? If I were to put in "no ip nat service SIP udp port 5060" instead of what I did do, would that disable SIP only for UDP traffic on port 5060 while leaving it enabled for all other traffic? I assume that what I did was totally disable SIP for all traffic, right? Thanks for all your help!

Nope. SIP is the Session Initiation Protocol, which is actually a kind of signalling communication protocol, widely used for multimedia communications such as voice, etc. In this command, "ip nat service SIP udp port 5060", SIP defines the protocol...

 

So this command is applicable for Cisco IOS routers, if you have any... In the case of the PIX, you are disabling inspect sip to achieve this, as per the given document...

 

Regards

Karthik

Ok. Thanks for clearing that up. From the wording in the document it was not exactly clear to me which device that applied to. There is a Cisco router in front of the firewall, but it isn't performing NAT, so I don't think anything will have to be changed on it.

I will play around with QoS and see what happens.

Thanks again for all your help!
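For the QoS side, here is an added example of the PIX/ASA 8.0 MPF priority-queuing configuration, written for the interface names in the posted config; it is not from the original thread or from the Cisco document Karthik links. Assumptions, not facts from the thread: the Vonage adapters mark voice packets DSCP EF (if they do not, replace "match dscp ef" with a "match port udp range" covering the adapters' RTP ports), and the upstream budget to protect is the 3 Mbps of the bonded T1s, so class-default is policed slightly below it. The class-map, policy-map, priority-queue and police commands are standard 8.0 syntax; the numbers are the assumption.

```cisco
! Added example, not from the original post or the linked Cisco document.
! Assumption: phones mark voice DSCP EF; WAN budget is the 3 Mbps T1 bundle.
!
! 1. Enable a priority queue on the outside interface (one per interface).
priority-queue outside
 queue-limit 2048
 tx-ring-limit 256
!
! 2. Classify voice. The PIX does not remark DSCP, so the inside marking
!    survives NAT and can be matched on the outside interface.
class-map voice_class
 match dscp ef
!
! 3. Strict priority for voice; police everything else below the T1 rate
!    so that the PIX, not the router's WAN queue, is where bulk traffic
!    is held back. Rate is bits/s, burst is bytes (about one second here).
policy-map outside_qos_policy
 class voice_class
  priority
 class class-default
  police output 2800000 350000 conform-action transmit exceed-action drop
!
! 4. Apply to the outside interface only; global_policy (inspections)
!    stays in place as the global policy.
service-policy outside_qos_policy interface outside
!
! Verify: per-class match/drop counters and priority-queue statistics.
! If the voice class never shows matches, the adapters are not marking
! EF and the class-map needs the port-range match instead.
pixfirewall# show service-policy interface outside
pixfirewall# show priority-queue statistics outside
```

Two caveats a practitioner should weigh before relying on this. First, the PIX's outside port is a 100 Mbps Ethernet link to the router, so its priority queue only engages when the PIX itself is congested; the policer on class-default is what creates headroom, and it does so by dropping, not queuing. The Cisco router in front of the firewall terminates the bonded T1s and is the natural place for low-latency queuing on the WAN bundle itself. Second, nothing on the PIX can prioritize inbound (download) traffic; if the intermittent trouble coincides with heavy downloads, that has to be addressed on the router's WAN side or with the provider.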
