08-20-2013 01:36 PM - edited 03-11-2019 07:28 PM
Hi All
I am hoping someone is able to help me with the following; I have checked the Cisco site to no avail.
We have a requirement to disable H323 inspection on a set of access lists on the Cisco ASA firewall for a video conferencing solution; however, the firewall still needs to have it enabled as part of the default inspection policy.
Any help much appreciated.
Thanks MJ
08-20-2013 09:13 PM
Create a class-map with an access list match criterion that excludes the network addresses you don't want inspected, and then tell a policy map to inspect, using the H.323 inspection, the traffic that matches that class-map.
Apply to the appropriate interface with a service policy.
08-23-2013 10:35 AM
Hi Marvin
Thank you for the information. Given the dynamic nature of H323, does anyone know how the access list would look?
Thanks MJ
08-23-2013 11:29 AM
You could do something like the following:
access-list filter-list extended deny tcp 1.1.1.0 255.255.255.0 any eq h323
access-list filter-list extended deny udp 1.1.1.0 255.255.255.0 any range 1718 1719
access-list filter-list extended permit tcp any any eq h323
access-list filter-list extended permit udp any any range 1718 1719
Then apply it to the global policy map.
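The procedure described in the replies above, written out as one ASA configuration (an added example, not part of the original thread). The class-map name h323-filtered is hypothetical; global_policy and inspection_default are the names found in a default ASA configuration, and filter-list is the access list from the last reply.

```cisco
! Added example. h323-filtered is a hypothetical name.
! Assumes the four filter-list ACEs from the reply are already entered.
!
! In a class-map ACL, deny means "do not classify" (no inspection here)
! and permit means "classify" (inspect). The deny lines match on the
! source 1.1.1.0/24 only, so H.323 sessions opened toward those
! endpoints from other hosts still hit the permit lines.
class-map h323-filtered
 match access-list filter-list
!
policy-map global_policy
 ! Take H.323 out of the default class so that only the ACL-based
 ! class below decides which flows are inspected.
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 ! Inspect H.225 call signalling (TCP 1720) and RAS (UDP 1718-1719)
 ! for everything filter-list permits.
 class h323-filtered
  inspect h323 h225
  inspect h323 ras
!
! Present already in a default configuration; shown for completeness.
service-policy global_policy global
```

The hit counters in "show access-list filter-list" show which ACEs the video conferencing traffic is matching, and "show service-policy" shows which inspections each class applies.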