QOS on PIX

prodriguez · ‎09-02-2004

Hi, I need to configure QOS on PIX 506E Ver.6.3.QOS about VoIP between VPN. It´s possible?

mostiguy · ‎09-02-2004

The pix currently has not QOS features. WHat are you looking to accomplish?

piseli · ‎09-03-2004

Hi,

basicly there are no QOS options for the moment, they will come on FOS version 7.

VoIP, IP phones will work in a VPN Tunnel, I have this done recently.

sincerly

Patrick

prodriguez · ‎09-06-2004

Hi, thanks you for your help. So, can you send me the config that you perform on the PIX for VoIP on VPN?

piseli · ‎09-06-2004

I hope I did not remove to much, but basicly it should look like that.

- a.b.c = Remote VoIP network on the other Tunnel site with the VoIP Gateway, DNS, DHCP...

- x.y.z = Local VoIP Network

- Everything that starts with a.b... means remote site.

- In this config I used VLAN but just remote it and use physical interfaces..

interface ethernet0 auto

interface ethernet1 auto

interface ethernet1 vlan129 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan129 voip security80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

access-list acs-outside permit udp host REMOTEPIX host THISPIX eq isakmp

access-list acs-outside permit esp host REMOTEPIX host THISPIX

access-list acs-outside permit ah host REMOTEPIX host THISPIX

access-list NONAT permit ip x.y.z.0 255.255.0.0 a.0.0.0 255.0.0.0

access-list VPN permit ip x.y.z.0 255.255.0.0 a.0.0.0 255.0.0.0

ip address outside THISPIX 255.255.255.0

ip address inside 192.168.1.0 255.255.255.0

ip address voip x.y.z.1 255.255.0.0

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (voip) 0 access-list NONAT

access-group acs-outside in interface outside

route outside 0.0.0.0 0.0.0.0 DEFAULT-GATEWAY 1

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto map REMOTE 10 ipsec-isakmp

crypto map REMOTE 10 match address VPN

crypto map REMOTE 10 set peer REMOTEPIX

crypto map REMOTE 10 set transform-set TRANS

crypto map REMOTE interface outside

isakmp enable outside

isakmp key *********** address REMOTEPIX netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

dhcpd address x.y.z.11-x.y.z.99 voip

dhcpd dns a.d.d.26

dhcpd wins v.y.a.7

dhcpd lease 3000

dhcpd ping_timeout 750

dhcpd domain yourdomain.net

dhcpd option 150 ip a.b.c.11 a.b.c.10

dhcpd option 66 ascii a.b.c.11

dhcpd enable voip

sincerly

Patrick

prodriguez · ‎09-06-2004

Hi, I need QoS for VoIP, but this is possible on version 7.0.(according say Patrick).

Thanks you for your important help.

Regards,

Patricio R.

jmcburnett · ‎09-06-2004

Currently there is not a possbility of QOS on the PIX itself.

Reccomendation:

Use a router on the inside of both networks, configure a GRE tunnel to the remote site, pass all VPN traffic across the GRE tunnel and run QOS on the GRE tunnel router on both sides.

This will leave a potential problem.... QoS for the traffic leaving the PIX to the Internet..

I have heard that PIX 7.0 will have some kind of QoS in it..... And it is actually due out... usually a New PIX code comes out by October....

J