09-02-2004 12:38 PM - edited 02-20-2020 11:36 PM
Hi, I need to configure QoS on a PIX 506E Ver. 6.3, QoS for VoIP across the VPN. Is it possible?
09-02-2004 01:04 PM
The PIX currently has no QoS features. What are you looking to accomplish?
09-03-2004 07:47 AM
Hi,
Basically there are no QoS options for the moment; they will come in FOS version 7.
VoIP and IP phones will work in a VPN tunnel; I have done this recently.
Sincerely,
Patrick
09-06-2004 05:45 AM
Hi, thank you for your help. So, can you send me the config that you performed on the PIX for VoIP over VPN?
09-06-2004 05:46 PM
I hope I did not remove too much, but basically it should look like this.
- a.b.c = Remote VoIP network on the other tunnel site with the VoIP gateway, DNS, DHCP...
- x.y.z = Local VoIP network
- Everything that starts with a.b... means remote site.
- In this config I used a VLAN, but just remove it and use physical interfaces.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan129 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan129 voip security80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
access-list acs-outside permit udp host REMOTEPIX host THISPIX eq isakmp
access-list acs-outside permit esp host REMOTEPIX host THISPIX
access-list acs-outside permit ah host REMOTEPIX host THISPIX
access-list NONAT permit ip x.y.z.0 255.255.0.0 a.0.0.0 255.0.0.0
access-list VPN permit ip x.y.z.0 255.255.0.0 a.0.0.0 255.0.0.0
ip address outside THISPIX 255.255.255.0
ip address inside 192.168.1.0 255.255.255.0
ip address voip x.y.z.1 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (voip) 0 access-list NONAT
access-group acs-outside in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT-GATEWAY 1
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer REMOTEPIX
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside
isakmp enable outside
isakmp key *********** address REMOTEPIX netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
dhcpd address x.y.z.11-x.y.z.99 voip
dhcpd dns a.d.d.26
dhcpd wins v.y.a.7
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain yourdomain.net
dhcpd option 150 ip a.b.c.11 a.b.c.10
dhcpd option 66 ascii a.b.c.11
dhcpd enable voip
Sincerely,
Patrick
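A consistency check for the VPN portion of the configuration posted above, as an added example that is not part of the original thread: it verifies that the crypto map's ACL, transform-set and peer key are defined, that the crypto ACL's entries also appear in the nat 0 ACL (as NONAT mirrors VPN in the post), and flags 3DES and MD5, which are legacy choices today. The names audit and grab and the finding texts are assumptions made for this example, and ACL entries are compared as literal strings.

```python
import re
# Constructed sample: VPN-related lines from the configuration posted above,
# with the poster's placeholders (REMOTEPIX, x.y.z, a.0.0.0) left as they are.
SAMPLE = """\
access-list NONAT permit ip x.y.z.0 255.255.0.0 a.0.0.0 255.0.0.0
access-list VPN permit ip x.y.z.0 255.255.0.0 a.0.0.0 255.0.0.0
nat (voip) 0 access-list NONAT
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer REMOTEPIX
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside
isakmp key *********** address REMOTEPIX netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
"""
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
CM = r"crypto map \S+ \d+ "  # prefix of a numbered crypto map entry
def grab(pattern, lines):
    """Capture groups of every line that matches pattern from its start."""
    return [m.groups() for l in lines if (m := re.match(pattern, l))]

def audit(config):
    """Return findings for a PIX 6.x site-to-site VPN configuration."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {}
    for name, entry in grab(r"access-list (\S+) (.+)", lines):
        acls.setdefault(name, set()).add(entry)
    tsets = {t for (t,) in grab(r"crypto ipsec transform-set (\S+)", lines)}
    keyed = {p for (p,) in grab(r"isakmp key \S+ address (\S+)", lines)}
    exempt = set()  # entries of every ACL used by a "nat (...) 0" statement
    for (n,) in grab(r"nat \(\S+\) 0 access-list (\S+)", lines):
        exempt |= acls.get(n, set())
    out = []
    for (acl,) in grab(CM + r"match address (\S+)", lines):
        if acl not in acls:
            out.append(f"crypto ACL {acl} is not defined")
        elif not acls[acl] <= exempt:  # literal comparison, a simplification
            out.append(f"crypto ACL {acl} has entries missing from the nat 0 ACL")
    out += [f"transform-set {t} is not defined"
            for (t,) in grab(CM + r"set transform-set (\S+)", lines) if t not in tsets]
    out += [f"no isakmp key for peer {p}"
            for (p,) in grab(CM + r"set peer (\S+)", lines) if p not in keyed]
    if not grab(r"crypto map \S+ interface (\S+)", lines):
        out.append("crypto map is not applied to an interface")
    for l in lines:
        if l.startswith(("crypto ipsec transform-set", "isakmp policy")):
            out += [f"legacy algorithm {t} in: {l}" for t in l.split() if t in WEAK]
    return out
```

Calling audit(SAMPLE) reports only the four legacy-algorithm lines; removing the nat 0 statement or misspelling the transform-set name adds a structural finding.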
09-06-2004 05:41 AM
Hi, I need QoS for VoIP, but this is possible on version 7.0 (according to Patrick).
Thank you for your important help.
Regards,
Patricio R.
09-06-2004 03:37 PM
Currently there is not a possibility of QoS on the PIX itself.
Recommendation:
Use a router on the inside of both networks, configure a GRE tunnel to the remote site, pass all VPN traffic across the GRE tunnel and run QoS on the GRE tunnel router on both sides.
This will leave a potential problem: QoS for the traffic leaving the PIX to the Internet.
I have heard that PIX 7.0 will have some kind of QoS in it, and it is actually due out. Usually new PIX code comes out by October.
J