
possible limitation of the ASA5505, DSCP markings


Hi guys, one of my customers asked the following about a limitation on the ASA5505:

I have a client that has a number of branch offices on a Gen-I OneOffice network. For complex and political reasons, we can’t trust all nodes on that OneOffice network. We need to put a firewall at each branch office between their local network and the OneOffice router.

To avoid having to either readdress the OneOffice routers (politically difficult) or readdress each branch office (logistically difficult), we’ve suggested using a transparent mode ASA5505 firewall between each site’s OneOffice router and LAN switch.

Recently I’ve discovered the client is deploying Avaya VoIP phones into the offices using QoS/DSCP over the OneOffice network from Avaya units in some offices. I figured I’d need to trust DSCP on the way through the ASA and went about looking at how to achieve that.

I found the following document relating to configuring QoS on the ASA:

This suggests in the DSCP and DiffServ Preservation section that “DSCP markings are preserved on all traffic passing through the ASA.” However, in the Guidelines and Limitations section it suggests QoS isn’t supported in transparent mode.

I’m a bit worried that the DSCP markings won’t pass through the ASA5505 in transparent mode…

Do you have any words of wisdom, direction or other avenues to pursue to find out how the ASA will behave? I’ve googled it fairly heavily and haven’t found any answer one way or the other. I’d just plug it in and look, however the sites involved are not geographically convenient for easy testing of this…


Hi Bro

Yes, you're correct. QoS isn't a supported feature in a Cisco firewall running in transparent mode. Have you purchased them already? If not, you could purchase either a Bluecoat Packetshaper or Cisco routers instead. These products can run in transparent mode / bridging mode and perform QoS. If you have purchased Cisco firewalls, then we need to look into alternatives. I can't think of any at the moment, but after a couple of beers later at night, who knows :-)

By the way, is the LAN switch a Cisco Catalyst? QoS for voice can also be done there via the mls qos command.

Warm regards,
Ramraj Sivagnanam Sivajanam

My customer has replied.

There are Cisco Catalyst switches in all sites. We don’t need to apply QoS marking at the ASA5505; we just want to be sure that any existing marking will not be stripped off as it passes through the firewall in transparent mode.

No packet marking will be stripped off by the Cisco FW running in transparent mode.

P.S.: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
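The check the original poster could not do on site, written up here as an added example that is not part of the thread and not Cisco's code: a Python script that decodes the IPv4 TOS byte of the same datagrams captured on the inside and the outside of the firewall and flags any whose DSCP value changed in transit. Everything in it is constructed for the demo (the 10.1.1.20 / 10.2.2.10 addresses, the IP IDs, the EF and AF31 markings); in a real run the two lists would be filled from captures taken on each segment (for instance tcpdump -w on a host or SPAN port either side of the ASA) with the link-layer header removed before the IPv4 bytes are handed to compare_captures().

```python
"""Compare the DSCP field of the same IPv4 datagrams captured on the two sides
of a transit device (here an ASA 5505 in transparent mode) to confirm that
QoS markings are neither stripped nor remarked.

Added example for this thread, not from the original post or from Cisco.
All traffic below is constructed inline; in practice the two lists come from
inside/outside captures with the link-layer header stripped.
"""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

# Common DiffServ code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF)
DSCP_NAMES = {0: "CS0/BE", 8: "CS1", 10: "AF11", 18: "AF21", 26: "AF31",
              34: "AF41", 46: "EF", 48: "CS6", 56: "CS7"}


def dscp_name(dscp: int) -> str:
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; yields 0 when run over a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, dscp: int, ecn: int = 0,
               proto: int = 17, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 datagram; used only to fabricate the demo captures."""
    tos = (dscp << 2) | ecn                  # DSCP is the upper 6 bits of the TOS byte
    fields = [0x45, tos, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
              bytes(int(o) for o in src.split(".")),
              bytes(int(o) for o in dst.split("."))]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields needed to match a datagram and read its marking."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "id": ident, "proto": proto, "ttl": ttl,
            "dscp": tos >> 2, "ecn": tos & 0x3}


def flow_key(h: dict) -> tuple:
    """src, dst, protocol and IP ID identify the same datagram in both captures."""
    return (h["src"], h["dst"], h["proto"], h["id"])


def compare_captures(inside: list, outside: list) -> list:
    """For every inside datagram, find its copy on the outside and classify it as
    preserved, remarked (DSCP changed) or dropped (never seen on the far side)."""
    outside_by_key = {flow_key(h): h for h in map(parse_ipv4, outside)}
    results = []
    for h in map(parse_ipv4, inside):
        o = outside_by_key.get(flow_key(h))
        rec = {"key": flow_key(h), "dscp_in": h["dscp"], "dscp_out": None,
               "ttl_delta": None, "status": "dropped"}
        if o is not None:
            rec.update(dscp_out=o["dscp"], ttl_delta=h["ttl"] - o["ttl"],
                       status="preserved" if o["dscp"] == h["dscp"] else "remarked")
        results.append(rec)
    return results


def markings_preserved(results: list) -> bool:
    """True if no forwarded datagram had its DSCP changed (drops are a policy matter, not a marking one)."""
    return all(r["status"] == "preserved" for r in results if r["status"] != "dropped")


# --- constructed demo captures (hypothetical addresses and markings) ----------
PHONE, GATEWAY = "10.1.1.20", "10.2.2.10"
INSIDE = [
    build_ipv4(PHONE, GATEWAY, ident=1001, dscp=46),           # voice bearer (EF)
    build_ipv4(PHONE, GATEWAY, ident=1002, dscp=46),
    build_ipv4(PHONE, GATEWAY, ident=1003, dscp=26, proto=6),  # signalling, marked AF31 in this demo
    build_ipv4(PHONE, GATEWAY, ident=1004, dscp=0),            # best-effort data
]
# A bridge that leaves the TOS byte alone shows the same bytes on the far side.
OUTSIDE_PRESERVED = list(INSIDE)
# A device that resets untrusted markings shows every DSCP as 0.
OUTSIDE_REMARKED = [build_ipv4(PHONE, GATEWAY, ident=i, dscp=0, proto=p)
                    for i, p in ((1001, 17), (1002, 17), (1003, 6), (1004, 17))]

if __name__ == "__main__":
    for label, outside in (("transparent bridge", OUTSIDE_PRESERVED),
                           ("remarking device", OUTSIDE_REMARKED)):
        results = compare_captures(INSIDE, outside)
        print(f"{label}: markings preserved = {markings_preserved(results)}")
        for r in results:
            out = dscp_name(r["dscp_out"]) if r["dscp_out"] is not None else "-"
            print(f"  id={r['key'][3]:<5} {dscp_name(r['dscp_in']):>6} -> {out:<6} {r['status']}")
```

For a one-off look without scripting, `tcpdump -nn -v -i <intf> 'ip[1] & 0xfc != 0'` on each side prints the TOS byte of every marked packet (EF shows as tos 0xb8, since 46 << 2 = 0xb8); the bytes should match packet for packet. The TTL is carried in the report because a bridge leaves it untouched, so a non-zero ttl_delta means the two captures straddle a routing hop rather than just the firewall. One caveat before blaming the ASA if the outside capture shows DSCP 0 where the inside showed EF: on the Catalyst 3560/3750 family mentioned in the replies, once `mls qos` is enabled globally every port is untrusted by default and ingress DSCP is rewritten to 0 until `mls qos trust dscp` (or `mls qos trust cos`) is applied to the relevant ports, so the switch rather than the firewall may be the device stripping the marking.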