08-20-2013 01:36 PM - edited 03-11-2019 07:28 PM
Hi All
I am hoping someone is able to help me with the following; I have checked the Cisco site to no avail.
We have a requirement to disable H323 inspection on a set of access-lists on the Cisco ASA firewall for a video conferencing solution; however, the firewall still needs to have it enabled as part of the default inspection policy.
Any help much appreciated.
Thanks MJ
08-20-2013 09:13 PM
Create a class-map with an access-list match criterion that excludes the network addresses you don't want inspected, and then tell a policy map to apply the H.323 inspection to the traffic that matches that class-map.
Apply to the appropriate interface with a service policy.
08-23-2013 10:35 AM
Hi Marvin
Thank you for the information. Given the dynamic nature of H323, does anyone know how the access list would look?
Thanks MJ
08-23-2013 11:29 AM
You could do something like the following:
access-list filter-list extended deny tcp 1.1.1.0 255.255.255.0 any eq h323
access-list filter-list extended deny udp 1.1.1.0 255.255.255.0 any range 1718 1719
access-list filter-list extended permit tcp any any eq h323
access-list filter-list extended permit udp any any range 1718 1719
Then apply it to the global policy map.
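Putting the two answers together, here is the complete ASA configuration as an added example (not from the original posts). It reuses the filter-list ACL above, with 1.1.1.0/24 standing in for the video conferencing subnet, and assumes the ASA's stock global_policy with its inspection_default class is in place.

```cisco
! Added example, not from the original posts. 1.1.1.0/24 is the subnet to exempt
! from H.323 inspection (taken from the thread); replace with your own addressing.
!
! 1. ACL: deny ACEs keep the exempt subnet OUT of the class, permit ACEs keep
!    everyone else IN. eq h323 = TCP 1720 (H.225 call signalling);
!    UDP 1718-1719 = RAS (gatekeeper discovery/registration).
access-list filter-list extended deny tcp 1.1.1.0 255.255.255.0 any eq h323
access-list filter-list extended deny udp 1.1.1.0 255.255.255.0 any range 1718 1719
access-list filter-list extended permit tcp any any eq h323
access-list filter-list extended permit udp any any range 1718 1719
!
! 2. Class map keyed on that ACL (name is an assumption).
class-map h323-inspect-class
 match access-list filter-list
!
! 3. Remove H.323 from the default inspection class (which matches all H.323
!    signalling via default-inspection-traffic, exempt subnet included) and
!    re-add it on the new class, so only non-exempt hosts are inspected.
!    Every other inspection in inspection_default is left as it was.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 class h323-inspect-class
  inspect h323 h225
  inspect h323 ras
!
! 4. global_policy is normally already applied globally; re-issuing is harmless.
service-policy global_policy global
!
! 5. Verify after a test call: the new class should show h323 inspect counters
!    and the exempt subnet's 1720 connections should carry no inspect flag.
show service-policy global
show conn port 1720
```

Hosts exempted this way no longer get dynamic pinholes for their H.245 and RTP/RTCP flows, so those ports must be permitted explicitly in the interface ACLs or the calls will set up but carry no media.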