Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Voice through ASA

This may be a general VOICE ISSUE with something I need to change with inspection, ... but, ...

Hi. Currently, we have two ASA 5505s terminating a tunnel between NY and NM. All is fine except for the fact when VOICE traffic traverses the link, the policy drops go WAY UP and response time goes to almost nothing!! We have one Quintum Voice unit in NY, a Tenor DX 4048 and two in NM; a Tenor AXG 2400. SOMEBODY please HELP!!!

New Member

Re: Voice through ASA

My first thought is itty bitty firewall asked to be a big one, perhaps its not the right box for the job.

But yet cisco says it can.... so

how much voice are you putting on the box? can it handle it? what does the cpu look like? what about your policy is it configured correctly? Can you share it?

New Member

Re: Voice through ASA


Only three voice lines.

The CPU looks fine.

Policy - no clue - using DEFAULT. I AM concerned about that 'cause I'm thinking inspection may 'need' to be off? All else is plain vanilla... Ideas please :( ??

New Member

Re: Voice through ASA


I tend to use one policy to match the voice traffic and apply this globally then use another policy to inspect all other required traffic types and apply this to the internal interface.

Not had any problems doing it that way.


New Member

Re: Voice through ASA

Hi and thank you!!!

What I did was delete the global inspection policy. Although setting up quite a few ASAa, NEVER have I ventured into the policy and inspection areas. If I may, how did you do this and would you be able to give me a brief example as I would GREATLY appreciate it.


New Member

Re: Voice through ASA


There is a good guide here -

This is how i do it -

class-map Voice1

match access-list Voice_Map

class-map inspection_default

match default-inspection-traffic

class-map Voice

match dscp ef

match tunnel-group #Name of group#

policy-map qos

class Voice


service-policy qos global

service-policy csc_out_policy interface Inside_VLAN_1000

This is matching against dscp values, an access-list and a vpn tunnel group.

The second service policy is for CSC modules but can be the default if needed.


New Member

Re: Voice through ASA

Thank you so much. I will try this today and post within 24 hours!! Thank you SO much!

New Member

Re: Voice through ASA

I am almost ready to cry here. I am pasting the config without IPs ---- does this prioritize by voice correctly? :(


hostname ciscoasa

domain-name default.domain.invalid

enable password



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address


interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7



boot system disk0:/asa802-k8.bin

boot system disk0:/asa722-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list OUTBOUND extended permit udp any any eq domain

access-list OUTBOUND extended permit tcp any any eq https

access-list OUTBOUND extended permit tcp any any eq www

access-list OUTBOUND extended permit ip any

access-list INBOUND extended permit icmp any any echo-reply

access-list INBOUND extended permit ip any any

access-list outside_1_cryptomap extended permit ip log

access-list inside_nat0_outbound extended permit ip log

access-list OUTBOUNG extended permit ip any any

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

access-group OUTBOUND in interface inside

access-group INBOUND in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http outside

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer aaaa

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set phase1-mode aggressive

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet inside

telnet timeout 5

ssh inside

ssh outside

ssh timeout 5

console timeout 0

no threat-detection basic-threat

threat-detection statistics access-list


class-map Voice

match dscp ef

match tunnel-group aaaa



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map qos

class Voice



encrypted privilege 15

tunnel-group aaaa type ipsec-l2l

tunnel-group aaaa ipsec-attributes

pre-shared-key *

prompt hostname context

New Member

Re: Voice through ASA


Viewing the config on a phone so I could be wrong but I can't see the policy applied anywhere.

If you apply that as the global policy it should work. The only problem you may get is if the dscp field is stripped out when trunked to the ASA. If you are not using VLAN'S it shouldn't matter.


New Member

Re: Voice through ASA

I tried to apply it [I think] and it did not take ... I am probably doing it wrong. Apply how - forgive the ignorance ...


New Member

Re: Voice through ASA

This is the error I get...

ciscoasa(config)# service-policy voice interface inside

ERROR: Class Voice has 'priority' set without 'priority-queue' in any interface

New Member

Re: Voice through ASA


OK, forgot to apply the priority queue. If yo do priority-queue outside.

Then do service-policy qos global.

That should apply the policy.