10-12-2007 04:42 AM - edited 03-11-2019 04:24 AM
Hello, I am trying to configure my ASA5505 to correctly bypass the stateful inspection for UDP port 15044. Currently none of the default-inspect policies have this port listed. How do I add it and correctly get the VOIP traffic to not be inspected?
Thanks,
Josh
Current config:
ASA Version 7.2(2)
!
access-list nonat extended permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list XXX extended permit ip 172.29.8.0 255.255.255.0 172.28.1.0 255.255.255.0
access-list in_out extended permit tcp any any
access-list in_out extended permit ip any any
access-list in_out extended permit udp any any
access-list test extended permit ip 172.29.8.0 255.255.255.0 any
access-list net extended permit tcp any any eq smtp
access-list net extended permit udp any any eq 15044
access-list VOIP-TEST standard permit host 172.29.8.188
access-list VOIP-TEST standard permit host 172.29.8.199
access-list VOIP-TEST-IP extended permit ip host 172.29.8.188 any
access-list VOIP-TEST-IP extended permit ip host 172.29.8.199 any
access-list VOIP-TEST-IP extended permit ip any host 172.29.8.188
access-list VOIP-TEST-IP extended permit ip any host 172.29.8.199
access-list VOIP-TEST-IP extended permit udp any host 172.29.8.188 eq 15044
access-list VOIP-TEST-IP extended permit udp any host 172.29.8.199 eq 15044
access-list VOIP-TEST-IP extended permit udp host 172.29.8.199 any eq 15044
access-list VOIP-TEST-IP extended permit udp host 172.29.8.188 any eq 15044
access-list VOIP-CAPTURE standard permit host 172.29.8.188
access-list VOIP-CAPTURE standard permit host 172.29.8.199
priority-queue inside
 tx-ring-limit 256
priority-queue outside
 tx-ring-limit 256
!
class-map VOIP-TO-PACKET8-UDP-15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-TCP-8880
 match port tcp eq 8880
class-map inspection_default
 match default-inspection-traffic
class-map default_inspection
 match access-list VOIP-TEST-IP
class-map VOIP-TO-PACKET8-IP-FILTER
class-map inspection_15044
 match port udp eq 15044
class-map VOIP-TO-PACKET8-UDP-RTP
 match rtp 8000 16383
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map VOIP-TO-PACKETS
 class inspection_default
  inspect sip
policy-map global_policy
policy-map inspection_default
policy-map VOIP-TO-PACKET8
 class VOIP-TO-PACKET8-UDP-15044
  priority
 class VOIP-TO-PACKET8-UDP-RTP
  priority
 class VOIP-TO-PACKET8-TCP-8880
  priority
 class inspection_default
  inspect sip
  inspect skinny
  inspect rtsp
 class inspection_15044
!
service-policy VOIP-TO-PACKET8 interface outside
10-18-2007 07:20 AM
You can use the following config to bypass inspection for UDP port 15044:
access-list acs-list permit udp any any eq 15044
access-list acs-list permit udp any eq 15044 any
class-map acs-class
 match access-list acs-list
policy-map global_policy
 class acs-class
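When auditing a change like the one in the reply, the question a defender wants answered is "which class of the policy-map does a UDP/15044 flow actually land in, and does that class carry an inspect action?" The helper below is an added example, not code from this thread or from Cisco: it parses show-run style ACL, class-map and policy-map lines and resolves a flow against a policy-map. The sample config is constructed from the reply's ACL/class pattern with a hypothetical inspection_default class carrying inspect sip placed after it. ASA matching is deliberately simplified (an assumption, not a statement of ASA behaviour): first matching class in the policy-map wins, match port compares the destination port only, and match default-inspection-traffic is reduced to a handful of UDP ports.

```python
"""Resolve which Cisco ASA MPF class a UDP flow lands in and which inspect
actions that class carries.  Added audit helper, not code from the thread or
from Cisco.  Matching semantics are a simplified model (assumption): first
matching class in a policy-map wins, 'match port' is destination-port only,
'match default-inspection-traffic' is reduced to a few UDP ports."""

import ipaddress

# Constructed sample: the reply's bypass ACL and class, placed ahead of a
# hypothetical default-inspection class in global_policy.
SAMPLE_CONFIG = """\
access-list acs-list extended permit udp any any eq 15044
access-list acs-list extended permit udp any eq 15044 any
class-map acs-class
 match access-list acs-list
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class acs-class
 class inspection_default
  inspect sip
"""

# Subset of the UDP ports behind 'match default-inspection-traffic' (assumption).
DEFAULT_INSPECTION_UDP = {5060: "sip", 53: "dns", 69: "tftp"}


def _parse_addr(tok, i):
    """ACL address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq N' after an address spec; None when absent."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_config(text):
    """Return (acls, class_maps, policy_maps) from show-run style text."""
    acls, classes, policies = {}, {}, {}
    current = None  # ("class" | "policy", name) block we are inside
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list":
            name, i = tok[1], 2
            if tok[i] == "extended":
                i += 1
            action, proto, i = tok[i], tok[i + 1], i + 2
            src, i = _parse_addr(tok, i)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, i = _parse_port(tok, i)
            acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
        elif tok[0] == "class-map":
            current = ("class", tok[-1])
            classes.setdefault(tok[-1], [])
        elif tok[0] == "policy-map":
            current = ("policy", tok[-1])
            policies.setdefault(tok[-1], [])
        elif current and current[0] == "class" and tok[0] == "match":
            classes[current[1]].append(tok[1:])
        elif current and current[0] == "policy":
            if tok[0] == "class":
                policies[current[1]].append((tok[1], []))
            elif policies[current[1]]:  # action line under the last class
                policies[current[1]][-1][1].append(" ".join(tok))
    return acls, classes, policies


def class_matches(specs, acls, flow):
    """True if any match line of a class-map applies to (proto, src, sport, dst, dport)."""
    proto, src, sport, dst, dport = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for spec in specs:
        if spec[0] == "port" and spec[1] == proto and spec[2] == "eq":
            if int(spec[3]) == dport:  # 'match port' compares the destination port
                return True
        elif spec[0] == "access-list":
            for action, aproto, asrc, asport, adst, adport in acls.get(spec[1], []):
                if aproto in (proto, "ip") and src in asrc and dst in adst \
                        and asport in (None, sport) and adport in (None, dport):
                    if action == "permit":
                        return True
                    break  # first matching ACE is a deny: this ACL does not match
        elif spec[0] == "default-inspection-traffic":
            if proto == "udp" and dport in DEFAULT_INSPECTION_UDP:
                return True
    return False


def resolve(policy_name, config_text, flow):
    """Name and actions of the first matching class in policy_name, or (None, [])."""
    acls, classes, policies = parse_config(config_text)
    for cname, actions in policies.get(policy_name, []):
        if class_matches(classes.get(cname, []), acls, flow):
            return cname, actions
    return None, []


if __name__ == "__main__":
    for flow in [("udp", "10.0.0.5", 40000, "192.0.2.10", 15044),
                 ("udp", "192.0.2.10", 15044, "10.0.0.5", 40000),
                 ("udp", "10.0.0.5", 40000, "192.0.2.10", 5060)]:
        cname, actions = resolve("global_policy", SAMPLE_CONFIG, flow)
        print(flow, "->", cname, actions or "(no inspect action)")
```

Both directions of the 15044 flow resolve to acs-class with no inspect action, while a 5060 flow still falls through to inspection_default and inspect sip. Note the caveat this exposes: landing in a class without an inspect action only excludes the flow from application-layer inspection; the ASA still creates and tracks a connection entry for the permitted UDP flow, so "bypass" here means bypassing the inspection engine, not the stateful connection table.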