H323 inspection for multiple tunnels, w/o using global default-inspection-

mike_taylor
Level 1

I have ~50 IPSec tunnels to various sites and I need to be able to turn on "inspect h323 h225" and "inspect h323 ras" on a per-tunnel basis.

All tunnels are using Policy NAT.

Enabling this globally breaks the H323 connectivity for tunnels between ASA and Cisco Router. ASA > PIX, ASA > ASA and ASA > Checkpoint all work fine.

Is this possible?

This is on a 5520 w/ 7.2 code

1 Reply

mike_taylor
Level 1

I would think this should work, but it does not. Connectivity works just fine between hosts, i.e. a remote user can telnet to port 1720 and stay connected.

object-group network EXT_CUST1NET
 network-object a.a.a.x 255.255.255.0
object-group network INT_CUST1NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST2NET
 network-object b.b.b.x 255.255.255.0
object-group network INT_CUST2NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST3NET
 network-object c.c.c.x 255.255.255.0
object-group network INT_CUST3NET
 network-object i.i.i.x 255.255.254.0
!
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i a.a.a.x 255.255.255.0 range 1719 1720
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i b.b.b.x 255.255.255.0 range 1719 1720
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i c.c.c.x 255.255.255.0 range 1719 1720
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
!
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 38 set peer x.x.x.x
crypto map LAN2LAN 38 set transform-set AES-256-SHA
crypto map LAN2LAN 38 set security-association lifetime seconds 3600
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 39 set peer x.x.x.x
crypto map LAN2LAN 39 set transform-set AES-256-SHA
crypto map LAN2LAN 39 set security-association lifetime seconds 3600
crypto map LAN2LAN 40 match address CUST3_VPNACL
crypto map LAN2LAN 40 set peer x.x.x.x
crypto map LAN2LAN 40 set transform-set AES-256-SHA
crypto map LAN2LAN 40 set security-association lifetime seconds 3600
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
class-map inspection_default3
 match access-list CUST3_VPNACL
 match default-inspection-traffic
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
 class inspection_default3
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
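With ~50 tunnels, the first thing to rule out is a tunnel whose crypto ACL simply never reaches a class that carries both h323 inspections. The script below is an added example (not the poster's configuration or any Cisco tool) that does that audit statically: it reads crypto-map "match address" entries, class-map "match access-list" lines and policy-map "inspect" lines, using the ASA's usual one-space indentation for sub-commands, and reports per tunnel which of the two H.323 inspections is missing. The sample configuration is constructed in the shape of the one above, with the third tunnel deliberately left without a class-map.

```python
import re

# Constructed sample in the shape of the config posted above; tunnel 40 has no class-map.
SAMPLE_CONFIG = """\
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 40 match address CUST3_VPNACL
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
service-policy global_policy global
"""

def parse_asa(config):
    """Collect crypto-map ACLs, class-map -> ACL, and policy-map class -> inspect set."""
    crypto, class_acl, inspects = {}, {}, {}
    mode = section = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line: continue
        if raw[0] not in " \t":  # top-level command: ends any open section
            if m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
                crypto[f"{m[1]} {m[2]}"] = m[3]
            m = re.match(r"(class-map|policy-map) (\S+)", line)
            mode, section, cls = (m[1], m[2], None) if m else (None, None, None)
        elif mode == "class-map" and (m := re.match(r"match access-list (\S+)", line)):
            class_acl[section] = m[1]
        elif mode == "policy-map" and (m := re.match(r"class (\S+)", line)):
            inspects.setdefault(cls := m[1], set())
        elif mode == "policy-map" and cls and (m := re.match(r"inspect (.+)", line)):
            inspects[cls].add(m[1])
    return crypto, class_acl, inspects

def audit_h323(config, required=("h323 h225", "h323 ras")):
    """Per crypto-map entry, list the required H.323 inspections its crypto ACL never gets."""
    crypto, class_acl, inspects = parse_asa(config)
    report = {}
    for entry, acl in sorted(crypto.items()):
        got = set().union(*(inspects.get(c, set()) for c, a in class_acl.items() if a == acl))
        report[entry] = sorted(set(required) - got)
    return report
```

This only checks configuration structure; whether the inspection engine is actually seeing a given tunnel's calls is confirmed on the box with "show service-policy inspect h323".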
