H323 inspection for multiple tunnels, w/o using global default-inspection-

Unanswered Question

I have ~50 IPSec tunnels to various sites and I need to be able to turn on "inspect h323 h225" and "inspect h323 ras" on a per-tunnel basis.

All tunnels are using Policy NAT.

Enabling this globally breaks the H323 connectivity for tunnels between the ASA and a Cisco router. ASA > PIX, ASA > ASA and ASA > Checkpoint all work fine.

Is this possible?

This is on a 5520 w/ 7.2 code


I would think this should work, but it does not. Connectivity works just fine between hosts, i.e. a remote user can telnet to port 1720 and stay connected.

object-group network EXT_CUST1NET
 network-object a.a.a.x 255.255.255.0
object-group network INT_CUST1NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST2NET
 network-object b.b.b.x 255.255.255.0
object-group network INT_CUST2NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST3NET
 network-object c.c.c.x 255.255.255.0
object-group network INT_CUST3NET
 network-object i.i.i.x 255.255.254.0
!
! Policy NAT ACL. The ASA CLI only accepts port operators with tcp/udp, not with "ip",
! so H.225 call signalling (TCP 1720) and RAS (UDP 1719) are listed per protocol.
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i a.a.a.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i a.a.a.x 255.255.255.0 eq 1719
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i b.b.b.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i b.b.b.x 255.255.255.0 eq 1719
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i c.c.c.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i c.c.c.x 255.255.255.0 eq 1719
!
! Crypto ACLs, one per tunnel; the same ACLs are reused below to scope inspection per tunnel.
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
!
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 38 set peer x.x.x.x
crypto map LAN2LAN 38 set transform-set AES-256-SHA
crypto map LAN2LAN 38 set security-association lifetime seconds 3600
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 39 set peer x.x.x.x
crypto map LAN2LAN 39 set transform-set AES-256-SHA
crypto map LAN2LAN 39 set security-association lifetime seconds 3600
crypto map LAN2LAN 40 match address CUST3_VPNACL
crypto map LAN2LAN 40 set peer x.x.x.x
crypto map LAN2LAN 40 set transform-set AES-256-SHA
crypto map LAN2LAN 40 set security-association lifetime seconds 3600
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
! One class per tunnel: "match access-list" narrows "match default-inspection-traffic"
! (TCP 1720 / UDP 1719 for H.323) to the hosts covered by that tunnel's crypto ACL.
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
class-map inspection_default3
 match access-list CUST3_VPNACL
 match default-inspection-traffic
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
 class inspection_default3
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
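With ~50 tunnels, the per-tunnel class-map approach above is easy to get out of sync: a crypto map entry with no matching class, a class that carries only one of the two H.323 inspects, or a policy NAT ACL line the ASA parser will not accept. The following script is an added example, not code from the original thread or from Cisco. It parses configuration text in the shape posted above and, for each crypto map entry, checks that the VPN ACL it matches is also referenced by a class-map under global_policy carrying both "inspect h323 h225" and "inspect h323 ras"; it also flags access-list lines that pair protocol "ip" with a port operator (ports are only valid with tcp/udp). The sample configuration is constructed for the example: object names follow the thread, the addresses are placeholders, and the CUST3 class is deliberately left without RAS inspection so the audit has something to find.

```python
"""Audit an ASA MPF + crypto configuration for per-tunnel H.323 inspection.

Added example (not from the original post). Parses config text and maps each
crypto map entry to the class-map(s) that match its VPN ACL, then reports any
tunnel whose class lacks "inspect h323 h225" or "inspect h323 ras".
"""
import re
from collections import defaultdict

REQUIRED_INSPECTS = {"inspect h323 h225", "inspect h323 ras"}

# Constructed sample config (placeholder addresses). The first NAT ACL line
# repeats the "permit ip ... range" mistake; CUST3's class lacks RAS inspection.
SAMPLE_CONFIG = """\
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i a.a.a.x 255.255.255.0 range 1719 1720
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i b.b.b.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i b.b.b.x 255.255.255.0 eq 1719
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 40 match address CUST3_VPNACL
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
class-map inspection_default3
 match access-list CUST3_VPNACL
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
 class inspection_default3
  inspect h323 h225
service-policy global_policy global
"""

# Protocol "ip" combined with a port operator: the ASA CLI rejects this.
BAD_PORT_ON_IP = re.compile(
    r"^access-list \S+ extended permit ip\b.*\b(eq|neq|gt|lt|range) \d+")


def parse_config(text):
    """Return (crypto_acls, classmap_acl, class_inspects, bad_nat_lines)."""
    crypto_acls = {}                   # crypto map seq -> VPN ACL name
    classmap_acl = {}                  # class-map name -> ACL it matches
    class_inspects = defaultdict(set)  # policy-map class -> inspect commands
    bad_nat_lines = []
    section = None                     # ("class-map", name) or ("policy-map", class)
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if not raw.startswith(" "):
            section = None             # any top-level command ends the current block
        if m := re.match(r"crypto map \S+ (\d+) match address (\S+)$", s):
            crypto_acls[int(m.group(1))] = m.group(2)
        elif m := re.match(r"class-map (\S+)$", s):
            section = ("class-map", m.group(1))
        elif re.match(r"policy-map \S+$", s):
            section = ("policy-map", None)
        elif m := re.match(r"class (\S+)$", s):
            if section and section[0] == "policy-map":
                section = ("policy-map", m.group(1))
        elif m := re.match(r"match access-list (\S+)$", s):
            if section and section[0] == "class-map":
                classmap_acl[section[1]] = m.group(1)
        elif s.startswith("inspect "):
            if section and section[0] == "policy-map" and section[1]:
                class_inspects[section[1]].add(s)
        elif BAD_PORT_ON_IP.match(s):
            bad_nat_lines.append(s)
    return crypto_acls, classmap_acl, class_inspects, bad_nat_lines


def audit(text):
    """Return ({crypto seq: [problems]}, [invalid NAT ACL lines]).

    An empty problem list means the tunnel's VPN ACL is matched by a class
    that carries both H.323 inspects.
    """
    crypto_acls, classmap_acl, class_inspects, bad_nat = parse_config(text)
    acl_to_classes = defaultdict(list)
    for cmap, acl in classmap_acl.items():
        acl_to_classes[acl].append(cmap)
    findings = {}
    for seq, acl in sorted(crypto_acls.items()):
        problems = []
        classes = acl_to_classes.get(acl, [])
        if not classes:
            problems.append(f"no class-map matches {acl}")
        for cmap in classes:
            missing = sorted(REQUIRED_INSPECTS - class_inspects.get(cmap, set()))
            if missing:
                problems.append(f"class {cmap} lacks: {', '.join(missing)}")
        findings[seq] = problems
    return findings, bad_nat


if __name__ == "__main__":
    findings, bad_nat = audit(SAMPLE_CONFIG)
    for seq, problems in findings.items():
        print(f"crypto map seq {seq}: {'OK' if not problems else '; '.join(problems)}")
    for line in bad_nat:
        print(f"rejected by ASA (port operator with protocol ip): {line}")
```

Run it against the output of "show running-config" instead of SAMPLE_CONFIG to audit a live box; the parser only looks at the crypto map, access-list, class-map and policy-map lines, so the rest of the configuration is ignored.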
