05-19-2016 09:25 AM - edited 03-12-2019 12:46 AM
Hi,
Is it possible to exclude some IP addresses (defined by an ACL) from the class inspection_default?
I want to avoid the inspection of H323 and SIP traffic to and from two IP addresses.
I have tried a lot of combinations with class-maps / policy-maps etc., but it was not possible either way.
Perhaps one of you has an idea or a config example.
Thanks a lot
frank
05-20-2016 01:04 PM
Hi Frank -
Just exclude those inspections from the default, then create another class that will cause other traffic to get inspected.
access-list cm_voip extended permit ip <net> <mask> <net> <mask>
!
class-map voip-class
 match access-list cm_voip
!
policy-map global_policy
 class voip-class
  inspect h323 h225
  inspect h323 ras
  inspect sip
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
  no inspect sip
PSC
05-26-2016 02:22 AM
Hi Paul,
Thanks for this approach, it works!
But I need to add one more line to the config, because of this message:
"ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it."
> match default-inspection-traffic
Thank you!
frank
!
class-map voip-class
 match access-list cm_voip
 match default-inspection-traffic
!
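An added example, not part of any post in this thread: a small Python check that scans a saved ASA configuration for the condition behind the error quoted above, a policy-map class carrying more than one `inspect` while its class-map lacks `match default-inspection-traffic`. The sample configuration is constructed (the ACL entry and the ftp/tftp inspects are placeholders), and the parser assumes the indented layout that `show running-config` prints.

```python
# Match arguments named in the ASA error text; "none" is taken literally from it.
REQUIRED = {"default-inspection-traffic", "none"}

# Constructed sample: the accepted answer's classes, before the follow-up fix.
BEFORE = """\
access-list cm_voip extended permit ip any any
class-map inspection_default
 match default-inspection-traffic
class-map voip-class
 match access-list cm_voip
policy-map global_policy
 class voip-class
  inspect h323 h225
  inspect h323 ras
  inspect sip
 class inspection_default
  inspect ftp
  inspect tftp
"""
# Same config with the extra match line from the follow-up post.
AFTER = BEFORE.replace(" match access-list cm_voip\n",
                       " match access-list cm_voip\n match default-inspection-traffic\n")

def parse(config):
    """Return ({class-map: [match args]}, {(policy-map, class): [inspect args]})."""
    matches, inspects = {}, {}
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():            # a top-level command closes any open block
            cmap = pmap = pclass = None
            if words[0] == "class-map":
                cmap = words[-1]
                matches[cmap] = []
            elif words[0] == "policy-map":
                pmap = words[-1]
        elif cmap and words[0] == "match":
            matches[cmap].append(" ".join(words[1:]))
        elif pmap and words[0] == "class":
            pclass = words[1]
            inspects[(pmap, pclass)] = []
        elif pmap and pclass and words[0] == "inspect":
            inspects[(pmap, pclass)].append(" ".join(words[1:]))
    return matches, inspects

def multi_inspect_violations(config):
    """Classes with several inspects whose class-map lacks the required match."""
    matches, inspects = parse(config)
    return [(pmap, cls, engines) for (pmap, cls), engines in inspects.items()
            if len(engines) > 1 and not REQUIRED & set(matches.get(cls, []))]
```

Running `multi_inspect_violations` on the first sample reports `voip-class`; on the second it reports nothing.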