02-02-2009 12:59 PM
I have ~50 IPSec tunnels to various sites and I need to be able to turn on
"inspect h323 h225" and "inspect h323 ras" on a per tunnel basis.
All tunnels are using Policy NAT.
Enabling this globally breaks H323 connectivity for tunnels between the ASA and a Cisco router. ASA > PIX, ASA > ASA and ASA > Checkpoint all work fine.
Is this possible?
This is on a 5520 w/ 7.2 code
02-02-2009 01:27 PM
I would think this should work, but it does not. Connectivity works just fine between hosts, i.e. a remote user can telnet to port 1720 and stay connected.
object-group network EXT_CUST1NET
 network-object a.a.a.x 255.255.255.0
object-group network INT_CUST1NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST2NET
 network-object b.b.b.x 255.255.255.0
object-group network INT_CUST2NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST3NET
 network-object c.c.c.x 255.255.255.0
object-group network INT_CUST3NET
 network-object i.i.i.x 255.255.254.0
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i a.a.a.x 255.255.255.0 range 1719 1720
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i b.b.b.x 255.255.255.0 range 1719 1720
access-list STATIC_NAT_X.X.X.X extended permit ip host i.i.i.i c.c.c.x 255.255.255.0 range 1719 1720
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 38 set peer x.x.x.x
crypto map LAN2LAN 38 set transform-set AES-256-SHA
crypto map LAN2LAN 38 set security-association lifetime seconds 3600
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 39 set peer x.x.x.x
crypto map LAN2LAN 39 set transform-set AES-256-SHA
crypto map LAN2LAN 39 set security-association lifetime seconds 3600
crypto map LAN2LAN 40 match address CUST3_VPNACL
crypto map LAN2LAN 40 set peer x.x.x.x
crypto map LAN2LAN 40 set transform-set AES-256-SHA
crypto map LAN2LAN 40 set security-association lifetime seconds 3600
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
class-map inspection_default3
 match access-list CUST3_VPNACL
 match default-inspection-traffic
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
 class inspection_default3
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
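With ~50 tunnels, the practical risk in the per-tunnel approach above is drift: a crypto map entry whose match ACL has no class-map, or a class that is missing one of the two H.323 inspections, silently falls back to whatever the global class does. The following script is an added example and is not part of the thread or of any Cisco tool; it walks a saved ASA configuration, maps every `crypto map ... match address` ACL to the class-maps that reference it, and reports which of `inspect h323 h225` / `inspect h323 ras` are applied through a policy-map that is actually bound with `service-policy`. The embedded config is constructed for the example, modelled on the posted one, with a deliberately incomplete fourth tunnel; the function names (`parse_config`, `h323_coverage`) are the example's own.

```python
"""Audit per-tunnel H.323 inspection in a Cisco ASA configuration (added example)."""
import re

# Constructed sample config modelled on the posted one. CUST3 is missing one
# inspection and CUST4 has no class-map at all, so both should be reported.
SAMPLE_CONFIG = """\
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
access-list CUST4_VPNACL extended permit ip object-group INT_CUST4NET object-group EXT_CUST4NET
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 38 set peer x.x.x.x
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 40 match address CUST3_VPNACL
crypto map LAN2LAN 41 match address CUST4_VPNACL
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
class-map inspection_default3
 match access-list CUST3_VPNACL
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
 class inspection_default3
  inspect h323 ras
service-policy global_policy global
"""

REQUIRED = {"inspect h323 h225", "inspect h323 ras"}


def parse_config(text):
    """Return (tunnels, classmaps, policymaps, bound_policies).

    Context is tracked by keyword rather than indentation, so a config pasted
    into a forum post with its indentation stripped still parses.
    """
    tunnels = {}        # (crypto map name, seq) -> match ACL name
    classmaps = {}      # class-map name -> set of ACLs it matches
    policymaps = {}     # policy-map name -> {class name -> set of inspect lines}
    bound = set()       # policy-maps referenced by a service-policy command
    ctx = None          # ("class", name) or ("policy", name)
    pclass = None       # current class inside a policy-map
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", s)
        if m:
            tunnels[(m.group(1), int(m.group(2)))] = m.group(3)
            ctx = None
            continue
        m = re.match(r"class-map (\S+)$", s)
        if m:
            ctx = ("class", m.group(1))
            classmaps.setdefault(m.group(1), set())
            continue
        m = re.match(r"policy-map (\S+)$", s)
        if m:
            ctx, pclass = ("policy", m.group(1)), None
            policymaps.setdefault(m.group(1), {})
            continue
        m = re.match(r"service-policy (\S+) ", s)
        if m:
            bound.add(m.group(1))
            ctx = None
            continue
        if ctx and ctx[0] == "class":
            m = re.match(r"match access-list (\S+)$", s)
            if m:
                classmaps[ctx[1]].add(m.group(1))
        if ctx and ctx[0] == "policy":
            m = re.match(r"class (\S+)$", s)
            if m:
                pclass = m.group(1)
                policymaps[ctx[1]].setdefault(pclass, set())
            elif pclass and s.startswith("inspect "):
                policymaps[ctx[1]][pclass].add(s)
        # Any other top-level command ends the current class-map/policy-map block.
        if not s.startswith(("match ", "class ", "inspect ")):
            ctx, pclass = None, None
    return tunnels, classmaps, policymaps, bound


def h323_coverage(text):
    """Map each (crypto map, seq, ACL) to the sorted list of missing H.323 inspections."""
    tunnels, classmaps, policymaps, bound = parse_config(text)
    report = {}
    for (cmap, seq), acl in sorted(tunnels.items()):
        applied = set()
        for cname, acls in classmaps.items():
            if acl in acls:
                for pname in bound:                 # only policies actually in service count
                    applied |= policymaps.get(pname, {}).get(cname, set())
        report[(cmap, seq, acl)] = sorted(REQUIRED - applied)
    return report


if __name__ == "__main__":
    for (cmap, seq, acl), missing in h323_coverage(SAMPLE_CONFIG).items():
        status = "ok" if not missing else "MISSING " + ", ".join(missing)
        print(f"{cmap} {seq} ({acl}): {status}")
```

Run it against the output of `show running-config` saved to a file instead of the embedded sample; any tunnel listed as MISSING is one where H.323 traffic will not be handled by the per-tunnel class and will behave as it does under the global default.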