Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2672
Views
5
Helpful
6
Replies
Highlighted
John Patrick Lopez
Enthusiast
Enthusiast
‎03-19-2018 09:37 AM
‎03-19-2018 09:37 AM

Safe to turn off H323 and H225 inspection???

When is it totally safe to turn off H323 and H225 inspection on Cisco ASA firewalls? We have VoIP traffic between our data centers (all internal and no NAT) but they are separated by a firewall (due to security/audit requirements) and looks like the inspection is breaking some of the traffic. So when is it safe to just totally turn it off and what are the risks?

Labels:
0 Helpful
Reply
6 REPLIES 6
Highlighted
Florin Barhala
Frequent Contributor
Frequent Contributor
‎03-19-2018 12:40 PM
‎03-19-2018 12:40 PM

I don't have direct XP in regard to ASA inspection, but if you already have "recorded issues", then I think you can pick a source and destination IP pairs, catch the ACL to a new class-map and try to exempt this class-map it from inspection.
9.6 config guide: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html#ID-2096-00000057

0 Helpful
Reply
Highlighted
Dennis Mink
Advisor
Advisor
‎03-20-2018 03:36 AM
‎03-20-2018 03:36 AM

inspection in general (ftp, stun, sip or h323), is aimed to be "intelligent". in the case of H323/225 which is used for signalling, the ASA will inspect the signalling and will decide based on the inspection to dynamically open ports, predominately for the use of the RTP high ports (16k-32k). this way you dont need to explicitly open RTP ports. so If you remove inspection you will need to cater for the loss of having these high ports open and you will need to do it manually. 

Please remember to rate useful posts, by clicking on the stars below.

Reply
Highlighted
John Patrick Lopez
Enthusiast
Enthusiast
In response to Dennis Mink
‎03-20-2018 04:39 AM
‎03-20-2018 04:39 AM

Thanks for your feedback. If we open up the firewall ACL in both directions between the PBX and VoIP VLAN subnet, do we still need the inspection? It was mentioned by our voice engineer that based on the packet structure, packet is being altered and it was the fixup that's breaking it. This is something that happened to them before and they suspect that the one that we are experiencing right now is the same. So if we get rid of the fixup and just allow the bidirectional traffic using inbound ACLs, will we be ok? Funny thing is, there are other VoIP traffic going to other data centers that has fixup configured on the firewalls and we don't see the issue. So is this a firewall bug or just a normal behavior?
0 Helpful
Reply
Highlighted
Florin Barhala
Frequent Contributor
Frequent Contributor
In response to John Patrick Lopez
‎03-20-2018 08:59 AM
‎03-20-2018 08:59 AM

I would carefully check both FWs software version (the FW for which fixup works vs the other one) along with "known bugs " for each FW software version.

 

Now to answer your question: I would apply that ACL you mentioned but again I would stay safe and disable this inspection for only a handful of so called test devices. This way you minimize the potential network impact.

0 Helpful
Reply
Highlighted
fartoum.otmane
Beginner
Beginner
In response to Florin Barhala
‎09-30-2019 08:05 AM
‎09-30-2019 08:05 AM 

Following an update of the telephony server, the firewall between the phones and the call-manager began to close the communication by inspection, can we disable the inspection just for ports 1719 and 1720 to let the traffic can pass?

 

0 Helpful
Reply
Highlighted
Florin Barhala
Frequent Contributor
Frequent Contributor
In response to fartoum.otmane
‎10-02-2019 09:11 PM
‎10-02-2019 09:11 PM

Yes you can, first of share your "show run policy-map" output.
0 Helpful
Reply
Latest Contents
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
214
11
214
  ISE Node TerminologyISE DeploymentsISE Deployment Scale and LimitsMaximum Network Latency Between NodesISE Hardware PlatformsISE PSN PerformanceISE TACACS+ PerformanceISE 2.6 RADIUS PerformanceISE 2.4 RADIUS PerformanceISE 2.3 RADIUS PerformanceIS... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
ISE Node TerminologyISE DeploymentsISE Deployment Scale and LimitsISE Hardware PlatformsISE PSN PerformanceISE TrustSec ScalingISE Storage RequirementsISE ERS ScaleISE WAN Bandwidth CalculatorSources   About this Document Cisco Secure Endpoint (for... view more
Firepower 6.7 Release Demonstration - Health Monitoring
Created by Namit Agarwal on 02-08-2021 11:42 AM
0
0
0
0
  In this video, Namit reviews Health Monitoring improvements and introduces the new Unified Health Monitoring dashboard on the FMC. 
Content for Community-Ad