cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2672
Views
5
Helpful
6
Replies
Highlighted

Safe to turn off H323 and H225 inspection???

When is it totally safe to turn off H323 and H225 inspection on Cisco ASA firewalls? We have VoIP traffic between our data centers (all internal and no NAT) but they are separated by a firewall (due to security/audit requirements) and looks like the inspection is breaking some of the traffic. So when is it safe to just totally turn it off and what are the risks?

6 REPLIES 6
Highlighted
Frequent Contributor

I don't have direct XP in regard to ASA inspection, but if you already have "recorded issues", then I think you can pick a source and destination IP pairs, catch the ACL to a new class-map and try to exempt this class-map it from inspection.
9.6 config guide: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html#ID-2096-00000057

Highlighted
Advisor

inspection in general (ftp, stun, sip or h323), is aimed to be "intelligent". in the case of H323/225 which is used for signalling, the ASA will inspect the signalling and will decide based on the inspection to dynamically open ports, predominately for the use of the RTP high ports (16k-32k). this way you dont need to explicitly open RTP ports. so If you remove inspection you will need to cater for the loss of having these high ports open and you will need to do it manually. 

Please remember to rate useful posts, by clicking on the stars below.

Highlighted

Thanks for your feedback. If we open up the firewall ACL in both directions between the PBX and VoIP VLAN subnet, do we still need the inspection? It was mentioned by our voice engineer that based on the packet structure, packet is being altered and it was the fixup that's breaking it. This is something that happened to them before and they suspect that the one that we are experiencing right now is the same. So if we get rid of the fixup and just allow the bidirectional traffic using inbound ACLs, will we be ok? Funny thing is, there are other VoIP traffic going to other data centers that has fixup configured on the firewalls and we don't see the issue. So is this a firewall bug or just a normal behavior?
Highlighted

I would carefully check both FWs software version (the FW for which fixup works vs the other one) along with "known bugs " for each FW software version.

 

Now to answer your question: I would apply that ACL you mentioned but again I would stay safe and disable this inspection for only a handful of so called test devices. This way you minimize the potential network impact.

Highlighted

Following an update of the telephony server, the firewall between the phones and the call-manager began to close the communication by inspection, can we disable the inspection just for ports 1719 and 1720 to let the traffic can pass?

 

Highlighted

Yes you can, first of share your "show run policy-map" output.
Content for Community-Ad