Objective
Configure a Cisco ASA 5505 router for use with 8x8 services.
Applies To
- Cisco ASA 5505 Routers
Procedure
Cisco ASA 5505 Router
Administrative Information
- Make sure your router is powered on and connected to your network.
- In a browser on a computer on the same network as the router, navigate to the following IP address: 192.168.1.1.
- Log in (default credentials shown below).
- Username: <blank>
- Password: <enable_password>
Tested on firmware version 8.2 (1).
Adding/editing 8x8 subnets is recommended when available. Review the Traffic Shaping and Specific Subnet/Port Configuration section of X Series Technical Requirements.
The purpose of this article is to provide a sample configuration. At the time of article creation, this device was in a known working state on the firmware used.
Keep in mind different firmware versions will interact with hosted VoIP services in different ways. While this device may be fully functional on the tested and/or current firmware version, it is possible newer revisions will cause disruptions in service or make a device fully compliant with the required settings for hosted VoIP services where it was previously not.
Set up IP Address
- Go to Configuration > Device Setup > Interfaces.
- Click Add button on the right side of the screen to add an interface. The Edit Interface settings will appear on your screen.
- Under Switch Ports select Ethernet 1/0. Click the Add button to add this Ethernet port to the Selected Switch Ports.
- Set the Interface Name and click the box next Enable Interface.
- Select the Use PPoE option in the IP Address section.
- Set the following values for the IP Address:
- Group Name
- PPoE Username
- PPoE Password
- Confirm Password
- Select PAP for the PPP Authentication field.
- Check the box at the bottom of the IP Address section to Store Username and Password in Local Flash.
- Click OK to apply these settings.
Edit Device Interfaces
- Go to the Advanced tab in the Edit Interface settings.
- Set the MTU to 1492.
- Click OK.
Configure Access Rules
- Go to Configuration > Firewall > Access Rules.
- Add the 8x8 subnets by clicking the Add button under the Addresses tab on the right side of the screen.
- Set the values below for the Access Rules for all the 8x8 subnets.
- Click Apply.
ACL Manager
- Go to Configuration > Firewall > ACL Manager.
- Add the values below by clicking Add. Ensure that you click the Enable checkbox for each line.
- Click Apply.
Add Network Objects
Note: 8x8 subnets can be found in X Series Technical Requirements.
- Go to Configuration > Firewall > Objects > Network Objects/Groups.
- Add the IP Addresses and 8x8 subnets listed in the link above by clicking the Add button.
- Click Apply.
Configure Policy Rules
- Go to Configuration > Firewall > Service Policy Rules.
- Set the values listed below for the Outside Interface and the Global Policy.
- Click Apply.
- Select the first service policy rule for COS1_traffic.
- Check the box next to Source and Destination IP Address (uses ACL) in the Traffic Criteria section.
- Click OK.
- Select the row for outside-class.
- Check the box next to Any Traffic under the Traffic Match Criteria section in the pop-up settings window.
- Click OK.
- Click Apply.
Set Rule Actions
- Go to the Rule Actions tab in the Edit Service Policy Settings window.
- Select the QoS tab.
- Check the box to Enable Policing.
- Select the checkboxes next to Input Policing and Output Policing.
- Set the values below for Input Policing and Output Policing.
- Click OK.
- Click Apply.
Session Timers, Ports, Subnets, and DSCP Values for Cisco Routers
Configure the UDP and TCP time out values per the X Series Technical Requirements documentation.
- UDP session timer: 300 seconds
- TCP session timer (TLS connections only, port 5443): 300 - 700 seconds
Information on configuring these settings is available from Cisco.
Here are some values users can add to their Cisco configuration file. If subnets are set to high priority or open, specific UDP traffic passing through those subnets does not need to be listed individually.
Under Class Definitions, add:
- match access-group 2000
- match access-group 2001
- match access-group 2003
Under Access List Definitions, add:
- access-list 2000 permit udp any any dscp ef
- access-list 2001 permit udp any any dscp af31
- access-list 2003 permit udp any 192.84.16.0 0.0.0.255
- access-list 2003 permit udp any 192.84.18.0 0.0.0.255
- access-list 2003 permit udp any 8.28.0.0 0.0.1.255
- access-list 2003 permit udp any 217.163.57.0 0.0.0.255
- access-list 2003 permit udp 192.84.16.0 0.0.0.255 any
- access-list 2003 permit udp 192.84.18.0 0.0.0.255 any
- access-list 2003 permit udp 8.28.0.0 0.0.1.255 any
- access-list 2003 permit udp 217.163.57.0 0.0.0.255 any