Safe to turn off H323 and H225 inspection???

jpl861
Level 4

When is it totally safe to turn off H323 and H225 inspection on Cisco ASA firewalls? We have VoIP traffic between our data centers (all internal and no NAT), but they are separated by a firewall (due to security/audit requirements), and it looks like the inspection is breaking some of the traffic. So when is it safe to just totally turn it off, and what are the risks?

6 Replies

Florin Barhala
Level 6
I don't have direct XP in regard to ASA inspection, but if you already have "recorded issues", then I think you can pick source and destination IP pairs, catch the ACL in a new class-map and try to exempt this class-map from inspection.
9.6 config guide: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html#ID-2096-00000057

Dennis Mink
VIP Alumni

Inspection in general (FTP, STUN, SIP or H323) is aimed to be "intelligent". In the case of H323/225, which is used for signalling, the ASA will inspect the signalling and will decide, based on the inspection, to dynamically open ports, predominantly for the use of the RTP high ports (16k-32k). This way you don't need to explicitly open RTP ports. So if you remove inspection you will need to cater for the loss of having these high ports open, and you will need to do it manually.

Please remember to rate useful posts, by clicking on the stars below.

Thanks for your feedback. If we open up the firewall ACL in both directions between the PBX and the VoIP VLAN subnet, do we still need the inspection? It was mentioned by our voice engineer that, based on the packet structure, the packet is being altered and it was the fixup that's breaking it. This is something that happened to them before, and they suspect that the one we are experiencing right now is the same. So if we get rid of the fixup and just allow the bidirectional traffic using inbound ACLs, will we be OK? Funny thing is, there is other VoIP traffic going to other data centers that has fixup configured on the firewalls, and we don't see the issue. So is this a firewall bug or just normal behavior?

I would carefully check both FWs' software version (the FW for which fixup works vs the other one) along with "known bugs" for each FW software version.

Now to answer your question: I would apply that ACL you mentioned, but again I would stay safe and disable this inspection for only a handful of so-called test devices. This way you minimize the potential network impact.

Following an update of the telephony server, the firewall between the phones and the call manager began to close the communication by inspection. Can we disable the inspection just for ports 1719 and 1720 so the traffic can pass?

Yes you can; first of all, share your "show run policy-map" output.
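As an added illustration of the approach suggested in this thread (exempting a handful of test devices from H.323 inspection via a class-map ACL, then opening the RTP range by hand), here is a constructed ASA configuration fragment; it is not from any poster. All addresses, ACL and class names are placeholders, and 16384-32767 is assumed as the RTP range; the default `inspection_default` class and `global_policy` are the ASA's own standard names.

```cisco
! Constructed example. Placeholders: 10.10.1.0/24 = test phone VLAN,
! 10.20.1.10 = telephony server (PBX / call manager).
!
! 1) Narrow the traffic that H.323 inspection applies to. In a class-map
!    ACL, "deny" entries exclude traffic from the class, so only the
!    test devices are exempted; every other host on the H.323 ports
!    (TCP 1720 H.225, UDP 1718-1719 RAS) is still inspected.
access-list H323_INSPECT extended deny   tcp 10.10.1.0 255.255.255.0 host 10.20.1.10 eq 1720
access-list H323_INSPECT extended deny   tcp host 10.20.1.10 10.10.1.0 255.255.255.0 eq 1720
access-list H323_INSPECT extended permit tcp any any eq 1720
access-list H323_RAS extended deny   udp 10.10.1.0 255.255.255.0 host 10.20.1.10 range 1718 1719
access-list H323_RAS extended deny   udp host 10.20.1.10 10.10.1.0 255.255.255.0 range 1718 1719
access-list H323_RAS extended permit udp any any range 1718 1719

class-map H323_H225_CLASS
 match access-list H323_INSPECT
class-map H323_RAS_CLASS
 match access-list H323_RAS

! 2) Move the two H.323 inspections out of the default class (which
!    matches every host on the H.323 ports) into the narrowed classes.
!    Compare with "show run policy-map" before changing anything.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 class H323_H225_CLASS
  inspect h323 h225
 class H323_RAS_CLASS
  inspect h323 ras

! 3) Without inspection the ASA no longer pinholes RTP for the exempted
!    devices, so the media ports must be permitted explicitly in both
!    directions on the interface ACLs facing each side.
access-list INSIDE_IN extended permit udp 10.10.1.0 255.255.255.0 host 10.20.1.10 range 16384 32767
access-list DC_IN extended permit udp host 10.20.1.10 10.10.1.0 255.255.255.0 range 16384 32767
```

Keep the exemption scoped to the test devices while comparing behaviour against the still-inspected hosts; if the media-port ACL is widened to `any`, the stateful pinholing that inspection provided is lost for every host it covers.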