
inspect H323 on asa 5520

Dear all.

 

I need to setup inspect for H323 at my company's asa 5520 outside interface, but I'm trying to understand if this can cause any disruption to a running S2S tunnel at the same interface.

 

Can someone help me on this?

 

Thanks in advance for your cooperation.

 

Best regards,

 

Paulo.

3 Replies

Carlos Amador
Cisco Employee

Paulo,

 

The H323 inspection will just take care of doing NAT on the embedded IP addresses in the call flow and open the necessary ports (if necessary) for the voice traffic; it shouldn't affect the site-to-site at all.

If you still feel unsure about this, then you can modify the class-map to include just certain addresses (i.e. the voice subnet) and leave the addresses going over the site-to-site out of it, but again, it shouldn't be an issue.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_voicevideo.html#wp1229333

 

Regards.

Hi Eliseo.

Thank you so much for your useful and comprehensive reply.

Indeed, your explanation makes sense. My concerns are now focused on the fact, if any, of inspects looking for tagged packages. If these packages are tagged as H.323 then OK, they will be marked as trusted and they will be allowed (in and out). But if they are not tagged as H.323, what will happen? My concern is that these packages either are lost, or some kind of encapsulation is added or removed and thus disturbs the S2S workflow.

Still, I will go forward on activating inspects at my ASA for H.323 and observe the behaviors.

 

Regards,

 

Paulo

Paulo,

 

If a packet is not tagged with H323 (meaning it is not coming on port UDP/1719 or TCP/1720), then it will not be subject to this inspection.

If the VPN traffic is terminating on the ASA, then the traffic for the tunnel itself won't go through the service policy. If it's going through, it will, but that is a totally different picture from what you seem to have.

 

Regards.
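
The class-map restriction suggested in the first reply, combined with the port matching described in the last one, as an added example that is not part of the original thread. The ACL, class-map and policy-map names, the voice subnet (192.0.2.0/24) and the remote site-to-site network (198.51.100.0/24) are constructed placeholders; the interface name `outside` is assumed from the question.

```text
! Constructed example: all names and addresses below are placeholders.
!
! 1. Keep traffic bound for the remote site-to-site network out of the class.
!    In a class-map ACL, a deny entry means "do not apply this class",
!    it does not drop the packet.
access-list H323_VOICE_ACL extended deny ip any 198.51.100.0 255.255.255.0
!
! 2. Match only H.323 signalling from the voice subnet:
!    TCP/1720 (H.225 call signalling) and UDP/1719 (RAS).
access-list H323_VOICE_ACL extended permit tcp 192.0.2.0 255.255.255.0 any eq 1720
access-list H323_VOICE_ACL extended permit udp 192.0.2.0 255.255.255.0 any eq 1719
!
! 3. Build the traffic class from that ACL.
class-map H323_VOICE_CLASS
 match access-list H323_VOICE_ACL
!
! 4. Apply H.323 inspection only to that class.
policy-map OUTSIDE_H323_POLICY
 class H323_VOICE_CLASS
  inspect h323 h225
  inspect h323 ras
!
! 5. Bind the policy to the outside interface.
!    Only one service policy can be attached per interface, so if one
!    already exists there, add the class to it instead of creating a new one.
service-policy OUTSIDE_H323_POLICY interface outside
!
! 6. After applying, confirm which classes are matching and their packet counts:
!    show service-policy interface outside
```

Anything that does not match a permit line in the ACL, including non-H.323 flows from the voice subnet, passes through the firewall without H.323 inspection being applied.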