When is it totally safe to turn off H323 and H225 inspection on Cisco ASA firewalls? We have VoIP traffic between our data centers (all internal and no NAT), but they are separated by a firewall (due to security/audit requirements) and it looks like the inspection is breaking some of the traffic. So when is it safe to just totally turn it off, and what are the risks?
Inspection in general (ftp, stun, sip or h323) is aimed to be "intelligent". In the case of H323/225, which is used for signalling, the ASA will inspect the signalling and will decide based on the inspection to dynamically open ports, predominantly for the use of the RTP high ports (16k-32k). This way you don't need to explicitly open RTP ports. So if you remove inspection you will need to cater for the loss of having these high ports open, and you will need to do it manually.
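To illustrate the trade-off described in this answer, here is an added ASA configuration sketch (not from the original post, and not Cisco's own sample) that removes the H.323 inspections from the default global policy and compensates with explicit ACL entries between the two data-center VoIP subnets. The subnet addresses, object-group and interface names, and the 16384-32767 RTP range are assumptions; the range must match what the call manager and endpoints are actually configured to use.

```cisco
! Added example (assumptions: names, subnets and port range are placeholders)
! 1. Remove H.323 signalling inspection from the default global service policy
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras

! 2. Without inspection the ASA no longer opens media pinholes on demand,
!    so signalling (RAS udp/1719, H.225 tcp/1720) and the RTP/RTCP range
!    have to be permitted statically. Scope the objects as tightly as the
!    phone and call-manager addressing allows, because this range now
!    stays open between the two groups regardless of any active call.
object-group network DC1_VOIP
 network-object 10.1.0.0 255.255.0.0
object-group network DC2_VOIP
 network-object 10.2.0.0 255.255.0.0

! Both directions, since either side can initiate a call or a media stream
access-list DC_VOIP extended permit udp object-group DC1_VOIP object-group DC2_VOIP eq 1719
access-list DC_VOIP extended permit tcp object-group DC1_VOIP object-group DC2_VOIP eq 1720
access-list DC_VOIP extended permit udp object-group DC1_VOIP object-group DC2_VOIP range 16384 32767
access-list DC_VOIP extended permit udp object-group DC2_VOIP object-group DC1_VOIP eq 1719
access-list DC_VOIP extended permit tcp object-group DC2_VOIP object-group DC1_VOIP eq 1720
access-list DC_VOIP extended permit udp object-group DC2_VOIP object-group DC1_VOIP range 16384 32767

! 3. Apply inbound on the interface facing each data center
access-group DC_VOIP in interface dc1
access-group DC_VOIP in interface dc2
```

After applying, `show service-policy` should no longer list the h323 inspections, and `show conn` lets you confirm that media flows now match the static ACL rather than dynamically created pinholes.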
I would carefully check both FWs' software versions (the FW for which fixup works vs the other one) along with "known bugs" for each FW software version.
Now to answer your question: I would apply that ACL you mentioned but again I would stay safe and disable this inspection for only a handful of so called test devices. This way you minimize the potential network impact.
Following an update of the telephony server, the firewall between the phones and the call manager began to close the communication by inspection. Can we disable the inspection just for ports 1719 and 1720 to let the traffic pass?