We have an IPSec tunnel established between our office and another site using 2 ASA 5510s running 8.0(3).
We have a T1 connecting these sites. I want to be able to use CBWFQ on the serial interfaces of the routers. How can I copy the "copy" the DSCP value into the IP header of the ESP packet on the ASA, if the DSCP is set on the ingress interface of the ASA? I want certain VPN traffic to be placed into different queues on the serial interfaces. I see there the "qos pre-classify" command that exists for routers. Does the ASA have something simular? If no, what can I do?
Awesome! I did not realize the RFC called for that ToS bytes to be copied from the inner header to the outer header. I was planning on testing this out today by creating the policy-maps and running a capture on the other VPN endpoint to see if I see the DSCP bits set in the outer headers. I will let you guys know what I find.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...