Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11517
Views
8
Helpful
5
Replies

ASA 5505 Configure QoS & VOIP with SIP Trunking

moises.ruiz
Level 1
Level 1

‎09-17-2012 01:11 PM - edited ‎03-11-2019 04:55 PM

Hi,

I've read several posts and configuration documents including:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate

and

http://brian-kayser.blogspot.ca/2010/10/doing-asa-quality-of-service-qos.html

But I am not savy configuring ASAs at all and I can't get it to work so I am hoping that someone can provide clear and detailed information on what I need to do.

Problem:

We are switching to a SIP trunk phone system and I am in charge of setting up the ASA to not only make it work but also make sure that there's packet priority or QoS.

I've never configured something like this and I was giving another set of instructions to make sure that this is working:

http://support.thinktel.ca/index.php/kb/article/251-How_SIP_Trunking_works

Configuration:

My configuration is very basic:

3 interfaces - Outside/Inside/Guest

ASA Version: 7.2(3)

ASDM Version 5.2(3)

Firewall Mode: Routed

Solution:

When I tried following the instructions on brian-kayser's blog I get an error when I'm sending the following command:

shape average

^  Invalid marker

service-policy PRIORITY-POLICY

^ Incomplete command

I think it's because my version of ASA doesn't have this functionality but I don't know.

Labels:
0 Helpful
5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

‎09-17-2012 03:53 PM

Hello Moises,

"Traffic shaping was introduced in ASA 7.2.4"

Now I will start saying the following:

"The priority will start to happen as soon as the ASA gets oversubscripted ( this means the hardware queue got full, then the software queue it will start working and here is where the priority magic happens ( we have 2 queues: best effort queue {Default} and the priority queue)"

So the thing is that as far as it concernes to the ASA if it has a connection to the outside DSL ( using a 100 MB link) and he does not detect an oversubscription here then he will be using the best effort queue, that is what on the Brian Kayser website he tell us that we need to configure traffic shapping or policing in order to change the behavior of the ASA.

Any other question.. Sure.. Just remember to rate all of my answers

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

moises.ruiz
Level 1
Level 1
In response to Julio Carvajal

‎09-18-2012 05:11 AM

Ok so that's why I am not able to run the rest of the commands as per Brian Kayser's website...

Would you help me out and provide me instructions on how to update to version 7.2(4)?

Is it complicated?

I believe I understand what you are saying but if I only have 1mbps upload, I would want to give priority to voice packets in the event that someone is using all the bandwidth at some point.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to moises.ruiz

‎09-18-2012 09:17 AM

Hello Moises,

Sure my pleasure.

Just go to cisco.com, go to the support area / downloads / asa5500 series/Choose the ASA 5505 software and look for that particular image.

As soon as you download it you can copy it to the ASA flash memory using a TFTP server.

http://www.techrepublic.com/blog/networking/five-steps-to-upgrading-the-software-on-a-cisco-asa-5510/294

http://evilrouters.net/2012/02/15/how-to-upgrade-cisco-asa-software-and-asdm/

In fact use those 2 links, as soon as you have that version I will help you with the Priority stuff.

Any other question.. Sure.. Just remember to rate all of my answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

moises.ruiz
Level 1
Level 1
In response to Julio Carvajal

‎10-01-2012 05:25 AM

Hi Julio,

Unfortunately I do not have the license or the membership to upgrade and download the image myself. The person that used to manage this appliance left and I do not have any documentation about it.

Could you tell me how I can do this upgrade without being a Cisco partner or where can I buy the image?

Thanks,

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to moises.ruiz

‎10-01-2012 10:05 AM

Hello Moises,

The only way is to be registered with Cisco.

Please check your inbox.

Any other question.. Sure.. Just remember to rate all of my answers

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card