Quality of Service, Bandwidth Management and Security Configuration

Available Languages

Download Options

PDF (705.3 KB)
View with Adobe Reader on a variety of devices

Updated:April 4, 2008

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Quality of Service, Bandwidth Management, and Security Configuration

Quality of Service (QoS) Configuration

Cisco 3745 Router Configuration

Cisco Catalyst 4506 Switch Configuration

Cisco 7206 Router Configuration

Bandwidth Management Using RSVP Agents

RSVP Configuration on Cisco Routers

Cisco Unified CallManager Configuration to Support RSVP

Firewall Security Configuration

Secure PIX Firewall Setup

Firewall Services Module (FWSM) Configuration

Quality of Service, Bandwidth Management, and Security Configuration

This chapter addresses IP network infrastructure topics, such as Quality of Service (QoS), bandwidth management of VoIP call traffic using Resource Reservation Protocol (RSVP) agent software, and firewalls to restrict access. It describes the deployed test environments used during Cisco Unified Communications Release 5.0(2) testing for IP telephony systems, but does not contain detailed installation and configuration instructions.

This chapter includes the following sections:

•Quality of Service (QoS) Configuration

•Bandwidth Management Using RSVP Agents

•Firewall Security Configuration

Quality of Service (QoS) Configuration

This section provides sample configuration files that show how Quality of Service (QoS) settings were configured on selected switches and WAN routers during Cisco Unified Communications Release 5.0(2) testing for IP telephony. For the testing, QoS was configured on the following Cisco devices that passed VoIP traffic to and from SCCP, analog, and T1-PRI endpoints:

•Cisco 1760 modular access router

•Cisco 2651 and Cisco 2691 multiservice routers

•Cisco 3640 multiservice router

•Cisco 3725 and Cisco 3745 multiservice access routers

•Cisco 7206 router

•Cisco Catalyst 4506 switch

QoS was also configured on the following devices to test VoIP traffic to and from SIP, analog, and T1-PRI endpoints:

•Cisco 3745 multiservice access router

•Cisco 3845 router

•Cisco Catalyst 4506 switch

•Cisco 7206 router

•Cisco Catalyst 3550 switch

These devices were configured for QoS based on the recommendations in the Enterprise QoS Solution Reference Network Design Guide http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf. This document provides design considerations and guidelines for implementing Cisco QoS within an enterprise environment on specific Cisco router and Cisco Catalyst switch types.

Most devices tested during Cisco Unified Communications Release 5.0(2) were configured with Cisco AutoQoS. For additional information about AutoQos, see the "Quality of Service Commands" chapter in the Cisco IOS Quality of Service Solutions Command Reference at http://www.cisco.com/en/US/products/ps6441/products_command_reference_book09186a0080497066.html.

For general information on QoS on Cisco devices, see http://www.cisco.com/en/US/tech/tk543/tk759/tsd_technology_support_protocol_home.html.

This section includes portions of the configuration files for the following devices:

•Cisco 3745 Router Configuration

•Cisco Catalyst 4506 Switch Configuration

•Cisco 7206 Router Configuration

Cisco 3745 Router Configuration

This section shows a portion of the serial interface configuration for the Cisco 3745 router that was used in QoS testing. It demonstrates how to configure auto qos voip trust on the LAN-to-WAN edge using Cisco AutoQoS. For additional installation and configuration information, see the Cisco 3745 Multiservice Access Router documentation available at http://www.cisco.com/en/US/products/hw/routers/ps282/tsd_products_support_series_home.html.

class-map match-any AutoQoS-VoIP-RTP-Trust

 match ip dscp ef

class-map match-any AutoQoS-VoIP-Control-Trust

 match ip dscp cs3

 match ip dscp af31

policy-map AutoQoS-Policy-Trust

 class AutoQoS-VoIP-RTP-Trust

  priority percent 70

 class AutoQoS-VoIP-Control-Trust

  bandwidth percent 5

 class class-default

  fair-queue

controller T1 0/0

 framing esf

 linecode b8zs

 channel-group 1 timeslots 1-24 speed 64

interface Serial0/0:1

 description WAN connection to SJC-RFD-WAN-1 port 2/0/4

 no ip address

 encapsulation frame-relay

 no fair-queue

 frame-relay traffic-shaping

interface Serial0/0:1.1 point-to-point

 ip address 10.3.180.13 255.255.255.252

 frame-relay interface-dlci 104

  class AutoQoS-FR-Se0/0:1-104

  auto qos voip trust

map-class frame-relay AutoQoS-FR-Se0/0:1-104

 frame-relay cir 1536000

 frame-relay bc 15360

 frame-relay be 0

 frame-relay mincir 1536000

 service-policy output AutoQoS-Policy-Trust

logging trap debugging

logging facility local1

logging 10.3.2.129

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drop

s" owner AutoQoS

Cisco Catalyst 4506 Switch Configuration

This section shows a portion of the configuration file for a Cisco Catalyst 4506 switch that was used in QoS testing. It demonstrates how to configure global QoS and the ports which were linked to Cisco Unified IP Phones. For additional installation and configuration information, see the Cisco Catalyst 4500 series documentation available at http://www.cisco.com/en/US/products/hw/switches/ps4324/tsd_products_support_series_home.html.

qos dbl

qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4

qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4

qos map cos 3 to dscp 26

qos map cos 5 to dscp 46

qos

policy-map autoqos-voip-policy

  class class-default

dbl

interface FastEthernet4/25

 description 7960 to SFO-ORD-103-2621

 switchport access vlan 903

 switchport trunk encapsulation dot1q

 switchport mode access

 switchport voice vlan 903

 load-interval 30

 qos trust device cisco-phone

 spanning-tree portfast trunk

 spanning-tree bpduguard enable

 spanning-tree guard root

interface FastEthernet4/26

 description description 7960 to SFO-ORD-103-2650

 switchport access vlan 903

 switchport mode access

 switchport voice vlan 903

 load-interval 30

 qos trust device cisco-phone

 tx-queue 3

   priority high

   shape percent 33

 spanning-tree portfast trunk

 spanning-tree bpduguard enable

 spanning-tree guard root

nterface FastEthernet4/28

 description 7970 to SFO-ORD-104-3745

 switchport access vlan 904

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport voice vlan 904

 load-interval 30

 qos trust device cisco-phone

 spanning-tree portfast trunk

 spanning-tree bpduguard enable

 spanning-tree guard root

Cisco 7206 Router Configuration

This section shows a portion of the configuration file for a Cisco 7206 core router that was used in QoS testing. It demonstrates how to configure auto qos voip trust on the WAN-to-LAN edge using Cisco AutoQoS. For additional installation and configuration information, see the Cisco 7200 series router documentation available at http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html.

class-map match-any AutoQoS-VoIP-RTP-Trust

 match ip dscp ef

class-map match-all going-pc

 match access-group 121

class-map match-any AutoQoS-VoIP-Control-Trust

 match ip dscp cs3

 match ip dscp af31

class-map match-all bla

 match ip rtp 16384 16383

policy-map AutoQoS-Policy-Trust

 class AutoQoS-VoIP-RTP-Trust

  priority percent 70

 class AutoQoS-VoIP-Control-Trust

  bandwidth percent 5

 class class-default

  fair-queue

interface Serial5/4:1

 no ip address

 encapsulation frame-relay

 no fair-queue

 no arp frame-relay

 frame-relay traffic-shaping

 frame-relay lmi-type ansi

 frame-relay intf-type dce

interface Serial5/4:1.1 point-to-point

 ip address 10.3.180.14 255.255.255.252

 no arp frame-relay

 frame-relay interface-dlci 104

  class AutoQoS-FR-Se5/4:1-104

  auto qos voip trust

interface Serial6/2:1

 no ip address

 encapsulation frame-relay

 no fair-queue

 no arp frame-relay

 frame-relay traffic-shaping

 frame-relay lmi-type ansi

 frame-relay intf-type dce

interface Serial6/2:1.1 point-to-point

 ip address 10.3.180.10 255.255.255.252

 no arp frame-relay

 frame-relay interface-dlci 103

  class AutoQoS-FR-Se6/2:1-103

  auto qos voip trust

map-class frame-relay AutoQoS-FR-Se5/4:1-104

 frame-relay cir 1536000

 frame-relay bc 15360

 frame-relay be 0

 frame-relay mincir 1536000

 service-policy output AutoQoS-Policy-Trust

map-class frame-relay AutoQoS-FR-Se6/2:1-103

 frame-relay cir 1536000

 frame-relay bc 15360

 frame-relay be 0

 frame-relay mincir 1536000

 service-policy output AutoQoS-Policy-Trust

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner 
AutoQoS

Bandwidth Management Using RSVP Agents

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080615754.html#wp1008975

RSVP Configuration on Cisco Routers

Cisco Unified CallManager Configuration to Support RSVP

Firewall Security Configuration

-- Firewalls have been deployed in the SJC and DFW sites to protect network access to the datacenter devices. Object-groups and access-lists have been created and implemented based on the devices/IP's documented on the Columbus 1.0 Webpage, feedback from the team, and observations from the testing being performed on Thursday.

-- Object-groups are very key in simplifying changes to the firewalls as subnets and devices are added to the network. The majority of changes to the network that involve the currently defined types of devices can be changed as needed with only a modification to the object-group.

-- The full configurations are attached. The descriptive object-group names and the remarks within the ACLs should make it relatively easy to understand the intentions of most configuration items.

-- Commands to allow all traffic to/from a particular device:

object-group network BLINDLY-TRUSTED

network-object host <IP address>

-- Commands to allow all traffic through the FWSM or PIX

access-group ALLOW-ALL in interface inside

access-group ALLOW-ALL in interface outside

-- Commands to re-enable filtering traffic through the FWSM or PIX

access-group INSIDE-IN in interface inside

access-group OUTSIDE-IN in interface outside

-- SIP ports 5060-5062 for both udp and tcp are being allowed. If more SIP ports are added the 2 SIP-PORTS object groups will need to be updated.

-- We used the default policy maps. A fine tuning of the policy map may be necessary/useful.

Secure PIX Firewall Setup

-- Two PIX 535's added in transparent mode with Active / Standby failover.

-- PIX is only protecting VLAN 24 (10.3.24.0/23) in the "Datacenter"

Figure 18-1 Secure PIX Firewall Tested Topology

PIX Version 7.0(101)150

firewall transparent

hostname DFW-PIX-1

enable password ****************** encrypted

names

interface Ethernet0

 speed 100

 duplex full

 nameif outside

 security-level 0

interface Ethernet1

 speed 100

 duplex full

 nameif inside

 security-level 100

passwd 2KFQnbNIdI.2KYOU encrypted

boot system flash:/cdisk7.0.101.150

ftp mode passive

object-group service SIP-PORTS-TCP tcp

 port-object range sip 5062

object-group service PHONE-VOICE-TCP tcp

 description *** TCP protocols used by phones

 port-object eq 2000

 port-object eq 2443

 port-object eq ctiqbe

 port-object eq 8080

 group-object SIP-PORTS-TCP

object-group service SIP-PORTS-UDP udp

 port-object range sip 5062

object-group service PHONE-VOICE-UDP udp

 description *** UDP protocols used by phones

 port-object eq tftp

 port-object eq domain

 group-object SIP-PORTS-UDP

object-group service GW-VOICE-TCP tcp

 description *** TCP protocols used by voice gateways

 port-object eq 2428

 port-object eq h323

object-group service GW-VOICE-UDP udp

 description *** UDP protocols used by voice gateways

 port-object eq 1719

 port-object eq 2427

object-group service ALL-VOICE-TCP tcp

 group-object GW-VOICE-TCP

 group-object PHONE-VOICE-TCP

object-group service ALL-VOICE-UDP udp

 group-object GW-VOICE-UDP

 group-object PHONE-VOICE-UDP

object-group network MP

 network-object host 10.3.24.16

 network-object host 10.3.24.17

object-group network UNITYC

 network-object host 10.3.24.8

object-group network UNITY

 network-object host 10.3.24.13

 network-object host 10.3.24.15

object-group network EXCHG

 network-object host 10.3.24.12

 network-object host 10.3.24.14

object-group network IPNetfusion

 network-object host 10.3.26.13

 network-object host 10.3.26.14

object-group network KICKSTART

 network-object host 10.3.2.20

object-group network BLINDLY-TRUSTED

 group-object MP

 group-object UNITYC

 group-object UNITY

 group-object EXCHG

 group-object IPNetfusion

 group-object KICKSTART

object-group network EVERYONE

 network-object 10.0.0.0 255.0.0.0

object-group network IP-PHONES

 network-object 10.3.26.0 255.255.254.0

 network-object 10.3.181.0 255.255.255.0

 network-object 10.3.2.0 255.255.254.0

 network-object 10.9.207.128 255.255.255.192

 network-object 10.3.28.0 255.255.254.0

 network-object 10.3.30.0 255.255.254.0

 network-object 10.3.53.0 255.255.255.0

 network-object host 10.3.90.7

object-group network DFW-CCM

 network-object host 10.3.24.2

 network-object host 10.3.24.3

 network-object host 10.3.24.4

 network-object host 10.3.24.5

 network-object host 10.3.24.6

 network-object host 10.3.24.7

object-group network MOH-SRVR

 network-object host 10.3.24.7

object-group network SJC-CCM

 network-object host 10.9.10.4

 network-object host 10.9.14.4

 network-object host 10.9.10.5

 network-object host 10.9.14.5

 network-object host 10.9.10.6

 network-object host 10.9.14.6

 network-object host 10.9.10.7

object-group network RFD-CCM

 network-object host 10.9.20.2

 network-object host 10.9.20.3

 network-object host 10.9.20.4

 network-object host 10.9.20.5

 network-object host 10.9.20.6

 network-object host 10.9.20.7

object-group network SFO-CCM

 network-object host 10.9.30.3

 network-object host 10.9.30.4

 network-object host 10.9.30.5

 network-object host 10.9.30.6

 network-object host 10.9.30.7

 network-object host 10.9.30.8

 network-object host 10.9.30.9

object-group network ORD-CCM

 network-object host 10.9.40.3

 network-object host 10.9.40.4

 network-object host 10.9.40.5

 network-object host 10.9.40.6

 network-object host 10.9.40.7

 network-object host 10.9.40.8

 network-object host 10.9.40.9

object-group network NYC-CCM

 network-object host 10.3.60.2

 network-object host 10.3.60.3

object-group network RDU-CCM

 network-object host 10.3.90.5

 network-object host 10.3.90.6

object-group network ATL-CME

 network-object host 10.3.80.2

 network-object host 10.3.81.2

 network-object host 10.3.181.190

 network-object host 10.3.83.2

 network-object host 10.3.84.2

 network-object host 10.3.82.2

object-group network YYZ-CME

 network-object host 10.3.181.194

 network-object host 10.3.71.2

 network-object host 10.3.74.2

 network-object host 10.3.75.2

object-group service RTP udp

 port-object range 16384 32768

object-group network H323-GWS

 network-object host 10.3.24.9

 network-object host 10.9.12.12

 network-object host 10.9.22.20

 network-object 10.3.2.0 255.255.254.0

object-group network MGCP-GWS

 network-object host 10.3.26.100

 network-object host 10.3.26.102

 network-object 10.3.2.0 255.255.254.0

object-group network VOICE-GWS

 group-object H323-GWS

 group-object MGCP-GWS

object-group network DNS-SRVR

 network-object host 10.3.26.2

 network-object host 10.3.2.121

object-group network DHCP-SRVR

 network-object host 10.3.26.2

object-group network NETMGMT-SRVR

 network-object host 10.9.12.21

 network-object host 10.9.22.34

object-group network NTP-SRVR

 network-object host 10.3.24.1

 network-object host 10.3.2.100

object-group service ICC-TCP tcp

 description *** Inter-cluster communication

 port-object eq h323

 group-object SIP-PORTS-TCP

object-group network ADMIN-ACCESS

 network-object 10.3.2.0 255.255.254.0

 network-object 10.21.0.0 255.255.0.0

 network-object 10.25.0.0 255.255.0.0

 network-object 10.32.0.0 255.255.0.0

 network-object 10.77.0.0 255.255.0.0

 network-object 10.82.0.0 255.255.0.0

 network-object 10.89.0.0 255.255.0.0

 network-object 10.94.0.0 255.255.0.0

 network-object 64.0.0.0 255.0.0.0

 network-object 128.107.0.0 255.255.0.0

 network-object 171.0.0.0 255.0.0.0

 network-object 172.0.0.0 255.0.0.0

 network-object 192.0.0.0 255.0.0.0

 network-object 198.0.0.0 255.0.0.0

object-group service ADMIN-PORTS-TCP tcp

 port-object eq www

 port-object eq https

 port-object eq 8080

 port-object eq 8443

 port-object eq telnet

 port-object eq ssh

 port-object eq ftp

 port-object eq 445

 port-object eq 3389

 port-object eq 5900

 port-object eq ftp-data

object-group service ADMIN-PORTS-UDP udp

 port-object eq tftp

 port-object eq 20

object-group service ICC-UDP udp

 description *** Inter-cluster communication

 group-object SIP-PORTS-UDP

object-group network GKS-OUT

 network-object host 10.9.12.99

 network-object host 10.3.62.99

 network-object host 10.9.22.99

 network-object host 10.3.70.99

object-group service GK-TCP-UDP tcp-udp

 description *** Communications to GK

 port-object eq 1718

 port-object eq 1719

 port-object eq 1720

object-group service SRST-UDP udp

 port-object eq sip

object-group service SRST-TCP tcp

 port-object eq sip

object-group network SRST

 network-object host 10.3.181.201

 network-object host 10.3.181.205

object-group network SIP-PROXY

 network-object host 10.3.51.2

access-list ALLOW-ALL extended permit ip any any

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** OSPF

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit ospf any any

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** All ICMP traffic

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit icmp any any

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** NTP -- Not sure if both ports are 'ntp'

access-list INSIDE-IN remark *** Also we may not need one direction if there is a fixup.

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group NTP-SRVR eq ntp any eq ntp

access-list INSIDE-IN extended permit udp any eq ntp object-group NTP-SRVR eq ntp

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** DHCP and DNS

access-list INSIDE-IN remark *** DHCP setting assumes no hosts directly connected to FW

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group EVERYONE eq bootpc object-group 
DHCP-SRVR eq bootps

access-list INSIDE-IN extended permit udp object-group EVERYONE object-group DNS-SRVR eq 
domain

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Network Mgmt

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group NETMGMT-SRVR eq snmp object-group 
EVERYONE eq snmp

access-list INSIDE-IN extended permit udp object-group EVERYONE eq snmptrap object-group 
NETMGMT-SRVR eq snmptrap

access-list INSIDE-IN extended permit tcp object-group NETMGMT-SRVR object-group EVERYONE 
eq ssh

access-list INSIDE-IN extended permit udp object-group EVERYONE object-group NETMGMT-SRVR 
eq tftp

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Traffic between CCM clusters

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group SJC-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group RFD-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group SFO-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group ORD-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group NYC-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group RDU-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group ATL-CME 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group YYZ-CME 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group SIP-PROXY 
object-group ICC-TCP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group SJC-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group RFD-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group SFO-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group ORD-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group NYC-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group RDU-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group ATL-CME 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group YYZ-CME 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group SIP-PROXY 
object-group ICC-UDP

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark ***   ... between CCMs and GKs

access-list INSIDE-IN remark ***       (We could make the ports more granular.)

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group GKS-OUT 
object-group GK-TCP-UDP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group GKS-OUT 
object-group GK-TCP-UDP

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark ***  CCMs to SIP Proxied phones

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group IP-PHONES 
object-group SIP-PORTS-TCP

access-list INSIDE-IN extended permit udp object-group DFW-CCM object-group IP-PHONES 
object-group SIP-PORTS-UDP

access-list INSIDE-IN remark ***********************************************

access-list INSIDE-IN remark *** Workarounds; outside of Security Policy ***

access-list INSIDE-IN remark ***********************************************

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** CSCsc11305 ICT & GK

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group SJC-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group RFD-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group SFO-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group ORD-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group NYC-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group RDU-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group ATL-CME range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group DFW-CCM object-group YYZ-CME range 
32768 65535

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** CSCsc55543 MOH & SIP

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group MOH-SRVR object-group RTP 
object-group EVERYONE object-group RTP

access-list INSIDE-IN remark ***************************************************

access-list INSIDE-IN remark *** For convenience; outside of Security Policy ***

access-list INSIDE-IN remark ***************************************************

access-list INSIDE-IN remark *** Allow everything from blindly trusted sources until port 
use is determined

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit ip object-group BLINDLY-TRUSTED any

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Allow Telnet Everywhere

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp any any eq telnet

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Allow Admin access

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp any object-group ADMIN-ACCESS object-group 
ADMIN-PORTS-TCP

access-list INSIDE-IN extended permit udp any object-group ADMIN-ACCESS object-group 
ADMIN-PORTS-UDP

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Nothing else shall pass here

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended deny ip any any

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** OSPF

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit ospf any any

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** All ICMP traffic

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit icmp any any

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** NTP -- Not sure if both ports are 'ntp'

access-list OUTSIDE-IN remark *** Also we may not need one direction if there is a fixup.

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit udp object-group NTP-SRVR eq ntp any eq ntp

access-list OUTSIDE-IN extended permit udp any eq ntp object-group NTP-SRVR eq ntp

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Network mgmt

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit udp object-group NETMGMT-SRVR eq snmp object-group 
EVERYONE eq snmp

access-list OUTSIDE-IN extended permit udp object-group EVERYONE eq snmptrap object-group 
NETMGMT-SRVR eq snmptrap

access-list OUTSIDE-IN extended permit tcp object-group NETMGMT-SRVR object-group EVERYONE 
eq ssh

access-list OUTSIDE-IN extended permit udp object-group EVERYONE object-group NETMGMT-SRVR 
eq tftp

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Voice protocols from phones to CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group IP-PHONES object-group DFW-CCM 
object-group PHONE-VOICE-TCP

access-list OUTSIDE-IN extended permit udp object-group IP-PHONES object-group DFW-CCM 
object-group PHONE-VOICE-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Voice protocols from gateways to other gateways and CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group VOICE-GWS object-group DFW-CCM 
object-group GW-VOICE-TCP

access-list OUTSIDE-IN extended permit udp object-group VOICE-GWS object-group DFW-CCM 
object-group GW-VOICE-UDP

access-list OUTSIDE-IN extended permit tcp object-group VOICE-GWS object-group VOICE-GWS 
object-group GW-VOICE-TCP

access-list OUTSIDE-IN extended permit udp object-group VOICE-GWS object-group VOICE-GWS 
object-group GW-VOICE-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** ICT communication

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group SJC-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group RFD-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group SFO-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group ORD-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group NYC-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group RDU-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group ATL-CME object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group YYZ-CME object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group SIP-PROXY object-group DFW-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit udp object-group SJC-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group RFD-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group SFO-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group ORD-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group NYC-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group RDU-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group ATL-CME object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group YYZ-CME object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group SIP-PROXY object-group DFW-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** SRST servers to CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group SRST object-group DFW-CCM 
object-group SRST-TCP

access-list OUTSIDE-IN extended permit udp object-group SRST object-group DFW-CCM 
object-group SRST-UDP

access-list OUTSIDE-IN remark ***********************************************

access-list OUTSIDE-IN remark *** Workarounds; outside of Security Policy ***

access-list OUTSIDE-IN remark ***********************************************

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** CSCsc11305 ICT & GK

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group SJC-CCM object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group RFD-CCM object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group SFO-CCM object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group ORD-CCM object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group NYC-CCM object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group RDU-CCM object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group ATL-CME object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group YYZ-CME object-group DFW-CCM range 
32768 65535

access-list OUTSIDE-IN remark ***************************************************

access-list OUTSIDE-IN remark *** For convenience; outside of Security Policy ***

access-list OUTSIDE-IN remark ***************************************************

access-list OUTSIDE-IN remark *** Allow everything from blindly trusted sources until port 
use is determined

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit ip any object-group BLINDLY-TRUSTED

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Allow Telnet Everywhere

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp any any eq telnet

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Allow Admin access

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group ADMIN-ACCESS any object-group 
ADMIN-PORTS-TCP

access-list OUTSIDE-IN extended permit udp object-group ADMIN-ACCESS any object-group 
ADMIN-PORTS-UDP

access-list OUTSIDE-IN remark *** Nothing else shall pass here

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 40000

logging buffered debugging

logging trap debugging

logging host outside 10.3.2.129

mtu outside 1500

mtu inside 1500

ip address 10.3.24.18 255.255.254.0 standby 10.3.24.19

failover

failover polltime unit 1 holdtime 3

no asdm history enable

arp timeout 14400

access-group OUTSIDE-IN in interface outside

access-group INSIDE-IN in interface inside

route outside 0.0.0.0 0.0.0.0 10.3.24.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

 match default-inspection-traffic

policy-map asa_global_fw_policy

 class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

service-policy asa_global_fw_policy global

ntp server 10.3.26.1

: end

Firewall Services Module (FWSM) Configuration

-- Two FWSM's added in routed mode with Active/Standby failover

-- FWSM is protecting VLANs 10, 12, 14, 16 in the "Datacenter"

Figure 18-2 Firewall Service Module (FWSM) Tested Topology

SJC-RFD-FWSM-1(config)# sh run

: Saved

FWSM Version 3.1(0)118

hostname SJC-RFD-FWSM-1

enable password ******************* encrypted

names

interface Vlan8

 nameif outside

 security-level 0

 ip address 10.9.8.3 255.255.255.0 standby 10.9.8.4

interface Vlan9

 nameif inside

 security-level 100

 ip address 10.9.9.3 255.255.255.0 standby 10.9.9.4

interface Vlan11

 description LAN Failover Interface

interface Vlan13

 description STATE Failover Interface

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

object-group service SIP-PORTS-TCP tcp

 port-object range sip 5062

object-group service ICC-TCP tcp

 description *** Inter-cluster communication

 port-object eq h323

 group-object SIP-PORTS-TCP

object-group service SIP-PORTS-UDP udp

 port-object range sip 5062

object-group service ICC-UDP udp

 description *** Inter-cluster communication

 group-object SIP-PORTS-UDP

object-group service GK-TCP-UDP tcp-udp

 description *** Communications to GK

 port-object eq 1718

 port-object eq 1719

 port-object eq 1720

object-group service PHONE-VOICE-TCP tcp

 description *** TCP protocols used by phones

 port-object eq 2000

 port-object eq 2443

 port-object eq ctiqbe

 port-object eq 8080

 group-object SIP-PORTS-TCP

object-group service PHONE-VOICE-UDP udp

 description *** UDP protocols used by phones

 port-object eq tftp

 port-object eq domain

 group-object SIP-PORTS-UDP

object-group service H323-GW-TCP tcp

 port-object eq h323

 port-object eq 2000

object-group service MGCP-GW-TCP tcp

 port-object eq 2428

 port-object eq 2000

object-group service SRST-TCP tcp

 group-object H323-GW-TCP

 group-object MGCP-GW-TCP

 port-object eq sip

object-group service H323-GW-UDP udp

 port-object eq 1719

object-group service MGCP-GW-UDP udp

 port-object eq 2427

 port-object eq tftp

object-group service SRST-UDP udp

 group-object H323-GW-UDP

 group-object MGCP-GW-UDP

 port-object eq sip

object-group service RTP udp

 port-object range 16384 32768

object-group network MP

 network-object host 10.9.16.11

 network-object host 10.9.16.7

 network-object host 10.9.16.8

 network-object host 10.9.16.9

 network-object host 10.9.16.10

 network-object host 10.9.12.12

object-group network CER

 network-object host 10.9.14.12

object-group network UNITY

 network-object host 10.9.10.12

 network-object host 10.9.10.13

 network-object host 10.9.14.13

object-group network EXCHG

 network-object host 10.9.10.8

 network-object host 10.9.10.9

 network-object host 10.9.10.10

 network-object host 10.9.10.11

 network-object host 10.9.14.8

 network-object host 10.9.14.9

 network-object host 10.9.14.10

 network-object host 10.9.14.11

object-group network FAX

 network-object host 10.9.14.7

 network-object host 10.9.14.16

object-group network PRES

 network-object host 10.9.12.7

object-group network DCS

 network-object host 10.9.12.5

 network-object host 10.9.12.6

object-group network BLINDLY-TRUSTED

 group-object MP

 group-object CER

 group-object UNITY

 group-object EXCHG

 group-object FAX

 group-object PRES

 group-object DCS

object-group network EVERYONE

 network-object 10.0.0.0 255.0.0.0

object-group network MOH-SRVR

 network-object host 10.9.10.7

object-group network NTP-SRVR

 network-object 10.9.8.0 255.255.255.0

object-group network NETMGMT-SRVR

 network-object host 10.9.12.21

 network-object host 10.9.22.34

 network-object host 172.18.143.115

object-group network DNS-SRVR-OUT

 network-object host 10.9.20.11

object-group network DNS-SRVR-IN

 network-object host 10.9.12.4

 network-object host 10.9.12.5

 network-object host 10.9.12.6

object-group network DHCP-SRVR-IN

 network-object host 10.9.12.4

object-group network GKS-OUT

 network-object host 10.9.22.99

 network-object host 10.3.62.99

 network-object host 10.3.70.99

object-group network GKS-IN

 network-object host 10.9.12.99

object-group network MGCP-GWS-OUT

 network-object 10.9.128.32 255.255.255.240

 network-object 10.9.128.48 255.255.255.240

 network-object 10.9.128.64 255.255.255.224

 network-object 10.9.128.96 255.255.255.224

 network-object 10.9.128.128 255.255.255.240

 network-object 10.9.129.0 255.255.255.240

 network-object 10.9.129.16 255.255.255.240

 network-object 10.9.129.32 255.255.255.240

 network-object 10.9.129.48 255.255.255.240

 network-object 10.9.129.64 255.255.255.224

 network-object 10.9.129.96 255.255.255.224

 network-object 10.9.130.0 255.255.255.240

 network-object 10.9.130.16 255.255.255.240

 network-object 10.9.130.32 255.255.255.240

 network-object 10.9.130.64 255.255.255.240

 network-object 10.9.130.96 255.255.255.224

 network-object 10.9.207.0 255.255.255.240

 network-object 10.9.207.16 255.255.255.240

 network-object 10.9.207.32 255.255.255.240

 network-object 10.9.207.48 255.255.255.240

 network-object 10.9.207.96 255.255.255.224

 network-object 10.9.208.0 255.255.255.240

 network-object 10.9.208.16 255.255.255.240

 network-object 10.9.208.32 255.255.255.240

 network-object 10.9.208.48 255.255.255.240

 network-object 10.9.208.96 255.255.255.224

 network-object 10.9.209.0 255.255.255.240

 network-object 10.9.208.64 255.255.255.240

 network-object 10.9.209.16 255.255.255.240

 network-object 10.9.209.32 255.255.255.240

 network-object 10.9.209.48 255.255.255.240

 network-object 10.9.209.64 255.255.255.240

 network-object 10.9.130.48 255.255.255.240

 network-object host 10.9.22.2

 network-object host 10.9.227.250

 network-object host 10.9.241.248

object-group network H323-GWS-OUT

 network-object host 10.3.28.2

 network-object host 10.9.128.139

 network-object host 10.9.128.140

 network-object host 10.9.207.20

 network-object host 10.9.207.98

 network-object host 10.9.208.98

 network-object host 10.9.22.26

 network-object host 10.9.40.11

 network-object 10.9.128.128 255.255.255.240

object-group network H323-GWS-IN

 network-object host 10.9.14.14

object-group network DFW-CCM

 network-object host 10.3.24.2

 network-object host 10.3.24.3

 network-object host 10.3.24.4

 network-object host 10.3.24.5

 network-object host 10.3.24.6

 network-object host 10.3.24.7

object-group network SJC-CCM

 network-object host 10.9.10.4

 network-object host 10.9.14.4

 network-object host 10.9.10.5

 network-object host 10.9.14.5

 network-object host 10.9.10.6

 network-object host 10.9.14.6

 network-object host 10.9.10.7

object-group network RFD-CCM

 network-object host 10.9.20.2

 network-object host 10.9.20.3

 network-object host 10.9.20.4

 network-object host 10.9.20.5

 network-object host 10.9.20.6

 network-object host 10.9.20.7

object-group network SFO-CCM

 network-object host 10.9.30.3

 network-object host 10.9.30.4

 network-object host 10.9.30.5

 network-object host 10.9.30.6

 network-object host 10.9.30.7

 network-object host 10.9.30.8

 network-object host 10.9.30.9

object-group network ORD-CCM

 network-object host 10.9.40.3

 network-object host 10.9.40.4

 network-object host 10.9.40.5

 network-object host 10.9.40.6

 network-object host 10.9.40.7

 network-object host 10.9.40.8

 network-object host 10.9.40.9

object-group network NYC-CCM

 network-object host 10.3.60.2

 network-object host 10.3.60.3

object-group network RDU-CCM

 network-object host 10.3.90.5

 network-object host 10.3.90.6

object-group network ATL-CME

 network-object host 10.3.80.2

 network-object host 10.3.81.2

 network-object host 10.3.181.190

 network-object host 10.3.83.2

 network-object host 10.3.84.2

 network-object host 10.3.82.2

object-group network YYZ-CME

 network-object host 10.3.181.194

 network-object host 10.3.71.2

 network-object host 10.3.74.2

 network-object host 10.3.75.2

object-group network SRST

 network-object host 10.9.28.2

 network-object host 10.9.38.1

object-group network IP-PHONES

 network-object 10.9.82.0 255.255.254.0

 network-object 10.9.84.0 255.255.254.0

 network-object 10.9.86.0 255.255.254.0

 network-object 10.9.88.0 255.255.254.0

 network-object 10.9.90.0 255.255.254.0

 network-object 10.9.92.0 255.255.254.0

 network-object 10.9.94.0 255.255.254.0

 network-object 10.9.98.0 255.255.254.0

 network-object 10.9.100.0 255.255.254.0

 network-object 10.9.102.0 255.255.254.0

 network-object 10.9.104.0 255.255.254.0

 network-object 10.9.106.0 255.255.254.0

 network-object 10.9.108.0 255.255.254.0

 network-object 10.9.112.0 255.255.254.0

 network-object 10.9.114.0 255.255.254.0

 network-object 10.9.116.0 255.255.254.0

 network-object 10.9.118.0 255.255.254.0

 network-object 10.9.120.0 255.255.254.0

 network-object 10.9.122.0 255.255.254.0

 network-object 10.9.124.0 255.255.254.0

 network-object 10.9.210.0 255.255.254.0

 network-object 10.9.212.0 255.255.254.0

 network-object 10.9.214.0 255.255.254.0

 network-object 10.9.216.0 255.255.254.0

 network-object 10.9.218.0 255.255.254.0

 network-object 10.9.220.0 255.255.254.0

 network-object 10.9.222.0 255.255.254.0

 network-object 10.9.226.0 255.255.254.0

 network-object 10.9.228.0 255.255.254.0

 network-object 10.9.230.0 255.255.254.0

 network-object 10.9.232.0 255.255.254.0

 network-object 10.9.234.0 255.255.254.0

 network-object 10.9.236.0 255.255.254.0

 network-object 10.9.240.0 255.255.254.0

 network-object 10.9.242.0 255.255.254.0

 network-object 10.9.244.0 255.255.254.0

 network-object 10.9.246.0 255.255.254.0

 network-object 10.9.248.0 255.255.254.0

 network-object 10.9.250.0 255.255.254.0

 network-object 10.9.252.0 255.255.254.0

 network-object 10.9.28.0 255.255.255.0

 network-object 10.9.38.0 255.255.255.0

 network-object 10.9.142.0 255.255.255.0

 network-object 10.9.96.0 255.255.254.0

object-group network SIP-PROXY

 network-object host 10.3.51.2

access-list mode auto-commit

access-list ALLOW-ALL extended permit ip any any

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** All ICMP traffic

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit icmp object-group EVERYONE object-group EVERYONE

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** NTP -- Not sure if both ports are 'ntp'

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group EVERYONE eq ntp object-group 
NTP-SRVR eq ntp

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** DHCP and DNS

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group EVERYONE object-group DNS-SRVR-OUT 
eq domain

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Network Mgmt

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group NETMGMT-SRVR eq snmp object-group 
EVERYONE eq snmp

access-list INSIDE-IN extended permit udp object-group EVERYONE eq snmptrap object-group 
NETMGMT-SRVR eq snmptrap

access-list INSIDE-IN extended permit tcp object-group NETMGMT-SRVR object-group EVERYONE 
eq ssh

access-list INSIDE-IN extended permit udp object-group EVERYONE object-group NETMGMT-SRVR 
eq tftp

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Traffic between CCM clusters

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group DFW-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group SFO-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group ORD-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group NYC-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group RDU-CCM 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group ATL-CME 
object-group ICC-TCP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group YYZ-CME 
object-group ICC-TCP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group DFW-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group SFO-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group ORD-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group NYC-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group RDU-CCM 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group ATL-CME 
object-group ICC-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group YYZ-CME 
object-group ICC-UDP

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** COW traffic

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group RFD-CCM

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group RFD-CCM

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** H323...

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark ***   ... CCM to GW

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group H323-GWS-OUT 
eq h323

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark ***   ... inside GW to remote CCM

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group H323-GWS-IN object-group RFD-CCM 
object-group H323-GW-TCP

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark ***   ... between CCMs and GKs

access-list INSIDE-IN remark ***       (We could make the ports more granular.)

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group GKS-IN object-group GKS-OUT 
object-group GK-TCP-UDP

access-list INSIDE-IN extended permit udp object-group GKS-IN object-group GKS-OUT 
object-group GK-TCP-UDP

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group GKS-OUT 
object-group GK-TCP-UDP

access-list INSIDE-IN extended permit udp object-group SJC-CCM object-group GKS-OUT 
object-group GK-TCP-UDP

access-list INSIDE-IN remark ***********************************************

access-list INSIDE-IN remark *** Workarounds; outside of Security Policy ***

access-list INSIDE-IN remark ***********************************************

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** CSCsc11305 ICT & GK

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group DFW-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group RFD-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group SFO-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group ORD-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group NYC-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group RDU-CCM range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group ATL-CME range 
32768 65535

access-list INSIDE-IN extended permit tcp object-group SJC-CCM object-group YYZ-CME range 
32768 65535

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** CSCsc55543 MOH & SIP

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit udp object-group MOH-SRVR object-group RTP 
object-group EVERYONE object-group RTP

access-list INSIDE-IN remark ***************************************************

access-list INSIDE-IN remark *** For convenience; outside of Security Policy ***

access-list INSIDE-IN remark ***************************************************

access-list INSIDE-IN remark *** Allow everything from blindly trusted sources until port 
use is determined

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit ip object-group BLINDLY-TRUSTED any

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Allow telnet everywhere

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended permit tcp any any eq telnet

access-list INSIDE-IN remark ***

access-list INSIDE-IN remark *** Nothing else shall pass here

access-list INSIDE-IN remark ***

access-list INSIDE-IN extended deny ip any any

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** All ICMP traffic

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit icmp object-group EVERYONE object-group EVERYONE

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Network mgmt

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit udp object-group NETMGMT-SRVR eq snmp object-group 
EVERYONE eq snmp

access-list OUTSIDE-IN extended permit udp object-group NETMGMT-SRVR eq 1438 object-group 
EVERYONE eq snmp

access-list OUTSIDE-IN extended permit udp object-group EVERYONE eq snmptrap object-group 
NETMGMT-SRVR eq snmptrap

access-list OUTSIDE-IN extended permit tcp object-group NETMGMT-SRVR object-group EVERYONE 
eq ssh

access-list OUTSIDE-IN extended permit udp object-group EVERYONE object-group NETMGMT-SRVR 
eq tftp

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** DHCP and DNS

access-list OUTSIDE-IN remark *** DHCP setting assumes no hosts directly connected to FW

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit udp object-group EVERYONE eq bootps object-group 
DHCP-SRVR-IN eq bootps

access-list OUTSIDE-IN extended permit udp object-group EVERYONE object-group DNS-SRVR-IN 
eq domain

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** Voice protocols from phones to CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group IP-PHONES object-group SJC-CCM 
object-group PHONE-VOICE-TCP

access-list OUTSIDE-IN extended permit udp object-group IP-PHONES object-group SJC-CCM 
object-group PHONE-VOICE-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** ICT communication

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group DFW-CCM object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group SFO-CCM object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group ORD-CCM object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group NYC-CCM object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group RDU-CCM object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group ATL-CME object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit tcp object-group YYZ-CME object-group SJC-CCM 
object-group ICC-TCP

access-list OUTSIDE-IN extended permit udp object-group DFW-CCM object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group SFO-CCM object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group ORD-CCM object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group NYC-CCM object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group RDU-CCM object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group ATL-CME object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN extended permit udp object-group YYZ-CME object-group SJC-CCM 
object-group ICC-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** COW traffic

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group RFD-CCM object-group SJC-CCM

access-list OUTSIDE-IN extended permit udp object-group RFD-CCM object-group SJC-CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** SRST servers to CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group SRST object-group SJC-CCM 
object-group SRST-TCP

access-list OUTSIDE-IN extended permit udp object-group SRST object-group SJC-CCM 
object-group SRST-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** MGCP gateways to CCM

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group MGCP-GWS-OUT object-group SJC-CCM 
object-group MGCP-GW-TCP

access-list OUTSIDE-IN extended permit udp object-group MGCP-GWS-OUT object-group SJC-CCM 
object-group MGCP-GW-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** H323...

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark ***   ... GW to CCM

access-list OUTSIDE-IN remark ***       (We could make the source address more granular.)

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group H323-GWS-OUT object-group SJC-CCM 
object-group H323-GW-TCP

access-list OUTSIDE-IN extended permit udp object-group H323-GWS-OUT object-group SJC-CCM 
object-group H323-GW-UDP

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark ***   ... between CCMs and GKs

access-list OUTSIDE-IN remark ***       (We could make the ports more granular.)

access-list OUTSIDE-IN remark ***       (We could make the source address more granular.)

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group EVERYONE object-group GKS-IN 
object-group GK-TCP-UDP

access-list OUTSIDE-IN extended permit udp object-group EVERYONE object-group GKS-IN 
object-group GK-TCP-UDP

access-list OUTSIDE-IN remark ***********************************************

access-list OUTSIDE-IN remark *** Workarounds; outside of Security Policy ***

access-list OUTSIDE-IN remark ***********************************************

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN remark *** CSCsc11305 ICT & GK

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit tcp object-group DFW-CCM object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group RFD-CCM object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group SFO-CCM object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group ORD-CCM object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group NYC-CCM object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group RDU-CCM object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group ATL-CME object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN extended permit tcp object-group YYZ-CME object-group SJC-CCM range 
32768 65535

access-list OUTSIDE-IN remark ***************************************************

access-list OUTSIDE-IN remark *** For convenience; outside of Security Policy ***

access-list OUTSIDE-IN remark ***************************************************

access-list OUTSIDE-IN remark *** Allow everything from blindly trusted sources until port 
use is determined

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended permit ip any object-group BLINDLY-TRUSTED

access-list OUTSIDE-IN remark *** Nothing else shall pass here

access-list OUTSIDE-IN remark ***

access-list OUTSIDE-IN extended deny ip any any

access-list tmp extended permit udp host 1.1.1.1 eq bootps host 1.1.1.1 eq bootps

no pager

logging enable

logging standby

logging buffered debugging

logging trap debugging

logging host outside 10.3.2.129

logging debug-trace

mtu outside 1500

mtu inside 1500

failover

failover lan unit primary

failover lan interface flan Vlan11

failover polltime unit 1 holdtime 5

failover link flin Vlan13

failover interface ip flan 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover interface ip flin 1.1.1.5 255.255.255.252 standby 1.1.1.6

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

access-group OUTSIDE-IN in interface outside

access-group INSIDE-IN in interface inside

route outside 172.18.143.115 255.255.255.255 10.9.8.1 1

route outside 10.3.2.204 255.255.255.255 10.9.8.1 1

route outside 10.3.2.129 255.255.255.255 10.9.8.1 1

router ospf 1

 network 10.0.0.0 255.0.0.0 area 9

 area 9 stub no-summary

 log-adj-changes

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 non_TCP_UDP 0:02:00

timeout uauth 0:05:00 absolute

username cisco password *************** encrypted

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

snmp-server host inside 10.9.12.21 community public version 2c

snmp-server host outside 10.9.22.34 community public version 2c

snmp-server host outside 172.18.143.115 community public version 2c

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-ipsec

telnet timeout 5

ssh 10.3.2.0 255.255.255.0 outside

ssh timeout 30

console timeout 0

class-map inspection_default

 match default-inspection-traffic

class-map default

policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect skinny

  inspect smtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

service-policy global_policy global

prompt hostname context

: end

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

Quality of Service, Bandwidth Management and Security Configuration

Available Languages

Download Options

Bias-Free Language

Table Of Contents

Quality of Service, Bandwidth Management, and Security Configuration

Quality of Service (QoS) Configuration

Cisco 3745 Router Configuration

Cisco Catalyst 4506 Switch Configuration

Cisco 7206 Router Configuration

Bandwidth Management Using RSVP Agents

RSVP Configuration on Cisco Routers

Cisco Unified CallManager Configuration to Support RSVP

Firewall Security Configuration

Secure PIX Firewall Setup

Firewall Services Module (FWSM) Configuration

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products