03-19-2018 09:37 AM - edited 02-21-2020 07:32 AM
When is it totally safe to turn off H323 and H225 inspection on Cisco ASA firewalls? We have VoIP traffic between our data centers (all internal and no NAT) but they are separated by a firewall (due to security/audit requirements) and it looks like the inspection is breaking some of the traffic. So when is it safe to just totally turn it off and what are the risks?
03-19-2018 12:40 PM
03-20-2018 03:36 AM - edited 03-20-2018 03:37 AM
Inspection in general (FTP, STUN, SIP or H323) is aimed to be "intelligent". In the case of H323/225, which is used for signalling, the ASA will inspect the signalling and will decide based on the inspection to dynamically open ports, predominantly for the use of the RTP high ports (16k-32k). This way you don't need to explicitly open RTP ports. So if you remove inspection you will need to cater for the loss of having these high ports open and you will need to do it manually.
03-20-2018 04:39 AM
03-20-2018 08:59 AM
I would carefully check both FWs' software version (the FW for which fixup works vs the other one) along with "known bugs" for each FW software version.
Now to answer your question: I would apply that ACL you mentioned but again I would stay safe and disable this inspection for only a handful of so called test devices. This way you minimize the potential network impact.
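As an added illustration of the two points above (the dynamic RTP pinholes that H323 inspection opens, and disabling it for only a handful of test devices), here is an ASA configuration fragment. It is not from any of the posters; the object-group names DC_A_PHONES, DC_B_CALLMGR and TEST_PHONES, the RTP range 16384-32767 and the interface name are assumptions for the example. It shows the trade-off: once inspection is gone, the media ports become a static, permanent opening, so the replacement ACL is scoped to the known endpoints rather than "any".

```cisco
! --- Assumed endpoint objects (placeholders, not from the thread) ---
object-group network DC_A_PHONES
 network-object 10.10.0.0 255.255.0.0
object-group network DC_B_CALLMGR
 network-object host 10.20.1.10
object-group network TEST_PHONES
 network-object host 10.10.5.21
 network-object host 10.10.5.22

! --- Static replacement for the dynamic pinholes ---
! H.225 call signalling (TCP 1720), RAS (UDP 1718-1719) and the RTP/RTCP
! media range, restricted to the phone and call-manager objects only.
access-list DC_VOIP extended permit tcp object-group DC_A_PHONES object-group DC_B_CALLMGR eq 1720
access-list DC_VOIP extended permit udp object-group DC_A_PHONES object-group DC_B_CALLMGR range 1718 1719
access-list DC_VOIP extended permit udp object-group DC_A_PHONES object-group DC_B_CALLMGR range 16384 32767
access-list DC_VOIP extended permit udp object-group DC_B_CALLMGR object-group DC_A_PHONES range 16384 32767
access-group DC_VOIP in interface inside

! --- Keep inspection for everyone except the test devices ---
! Traffic hitting the deny entries is excluded from the class, so the test
! phones bypass inspection while all other H.323 traffic is still inspected.
access-list H323_INSPECT_HOSTS extended deny ip object-group TEST_PHONES any
access-list H323_INSPECT_HOSTS extended deny ip any object-group TEST_PHONES
access-list H323_INSPECT_HOSTS extended permit tcp any any eq 1720
access-list H323_INSPECT_HOSTS extended permit udp any any range 1718 1719

class-map H323_SCOPED
 match access-list H323_INSPECT_HOSTS

policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 class H323_SCOPED
  inspect h323 h225
  inspect h323 ras
```

Two things worth checking before and after the change: `show service-policy inspect h323` to confirm the scoped class is actually seeing signalling, and `show conn` during a test call to verify that media is flowing through the static ACL rather than through a pinhole that no longer exists. The static UDP range is open in both directions for the whole pair of objects all the time, which is exactly what inspection was avoiding; keeping the objects tight is what makes the trade-off acceptable on an internal, no-NAT link like the one described.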
09-30-2019 08:05 AM
Following an update of the telephony server, the firewall between the phones and the call-manager began to close the communication by inspection. Can we disable the inspection just for ports 1719 and 1720 to let the traffic pass?
10-02-2019 09:11 PM