01-03-2023 10:53 PM
class-map global-class
 match access-list global_mpc
class-map outside_policy1
 match access-list outside_policy
class-map class_sip_tcp
 match port tcp eq sip
class-map outside_policy
 match access-list outside_policy
class-map testing
!
policy-map type inspect h323 RRQ-RCF-INSPECTION
 parameters
policy-map outside_policy
 class outside_policy
  inspect h323 h225
 class outside_policy1
  inspect h323 ras
policy-map type inspect dcerpc WSUS_Test
 parameters
  timeout pinhole 0:30:00
 match uuid ms-rpc-epm
  log
 match uuid ms-rpc-isystemactivator
  log
 match uuid ms-rpc-oxidresolver
  log
policy-map global-policy
 class inspection_default
  inspect ftp
  inspect skinny
  inspect sqlnet
  inspect sip
  inspect rtsp
  inspect icmp
  inspect icmp error
  inspect tftp
  inspect h323 h225
  inspect h323 ras
 class class_sip_tcp
  inspect sip
 class global-class
  inspect dcerpc WSUS_Test
 class class-default
  user-statistics accounting
!
service-policy global_policy global
!
This policy is inspecting (h323 h225 & h323 ras) which is needed by our VC service but is impacting VoIP services.
Is there a way to keep (h323 h225 & h323 ras) as a global policy and create another inspect policy and apply it ONLY to specific policies?
01-04-2023 01:23 AM
In general, technically, inspecting voice traffic has other effects. To fix the issue, you should not inspect that VoIP traffic unless you have a reason to inspect it.
If you are looking for a custom policy, you need to create one, attach it to the interface, and test it.
01-04-2023 03:18 PM - edited 01-05-2023 01:19 AM
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Inspection of Voice and Video Protocols [Cisco ASA 5500-X Series Firewalls] - Cisco
I don't get which class map you use, but refer to the above link for how you can configure H323 inspection.
01-05-2023 12:41 AM
Yes, so long as you are able to create a match criteria that will just match on the VOIP traffic or whatever other traffic you want a different inspection policy for. Just create a new class-map for your matching and then place that in the global policy map with the inspection settings you want. Then when traffic is being matched, this "user defined" class will be checked for a match first before going to the inspection_default class.
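One way to scope H.323 inspection along the lines of the reply above, shown as an added example that is not from the original thread: rather than relying on class order, it moves `inspect h323` out of `inspection_default` into a class whose ACL excludes the phones. The subnet 192.0.2.0/24 and the names H323_VC_ACL and H323_VC are assumptions; the policy-map name is the one defined in the question.

```cisco
! Added example. 192.0.2.0/24 is a constructed stand-in for the IP phone subnet;
! H323_VC_ACL and H323_VC are hypothetical names.
!
! In a class-map ACL, deny means "do not match this class": the phones'
! traffic is left out of H.323 inspection; the ACE itself does not drop it.
access-list H323_VC_ACL extended deny ip 192.0.2.0 255.255.255.0 any
access-list H323_VC_ACL extended deny ip any 192.0.2.0 255.255.255.0
! H.225 call signalling (TCP 1720) and RAS (UDP 1718-1719) for all other hosts
access-list H323_VC_ACL extended permit tcp any any eq 1720
access-list H323_VC_ACL extended permit udp any any range 1718 1719
!
class-map H323_VC
 match access-list H323_VC_ACL
!
policy-map global-policy
 ! Stop inspecting H.323 for everyone in the default class...
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 ! ...and inspect it only for traffic the ACL permits (the VC endpoints)
 class H323_VC
  inspect h323 h225
  inspect h323 ras
```

Existing connections keep the inspection they were established with, so check the per-class counters with `show service-policy` only after new calls have been placed.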
02-02-2023 09:26 PM
So basically in the default inspect policy I need to keep both inspect h323 h225 & inspect h323 ras, but I will create a custom policy to remove inspect h323 h225 & inspect h323 ras and apply it on the interface.
The question now is that both video devices and IP phone traffic are coming through the same interface, which is the outside. So if I keep the default inspect policy, create a custom one for IP phones, and apply it on the outside interface, video calls will go with the default inspect policy and IP phones will match the custom inspect policy? Is this right?