I have a situation where I need to have H323 inspection on by default, but I have a number of video endpoints that, when they set up a connection through the firewall, I need h323 inspection turned off for them. I tried turning off h323 in the class inspection_default and turned it on in another class that was set to match an ACL with denies for my special endpoints and an explicit permit any. When I applied this class to the global policy it wreaked havoc and broke a lot of things. Any idea how to do this?
The latter you tried to do was correct. But you must not match "ip any any", because that will try to inspect all traffic as h323 and can cause all kinds of issues. Instead, in the ACL that you match in a class-map that you "inspect h323" in the policy-map, you should have denies for the h323 that you don't want to inspect, and at the end you should have a "perm tcp any any eq h323". That should only match h323 traffic and inspect it.
I hope it helps.
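
Added example, not part of the original thread: a sketch of the ASA configuration the answer describes. The object-group, ACL and class-map names are hypothetical and the endpoint addresses are constructed placeholders.

```cisco
! Endpoints that must bypass H.323 inspection.
! Constructed addresses (RFC 5737 documentation range); replace with the real ones.
object-group network NO-H323-INSPECT
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
! The ACL from the question ended in a permit for all traffic, which hands
! every flow to the H.323 inspector. Here the final permit is limited to
! TCP/1720 (the "h323" port keyword), so only H.323 call signalling matches.
! Denies cover the special endpoints as source and as destination.
access-list H323-INSPECT extended deny tcp object-group NO-H323-INSPECT any eq h323
access-list H323-INSPECT extended deny tcp any object-group NO-H323-INSPECT eq h323
access-list H323-INSPECT extended permit tcp any any eq h323
!
class-map H323-SELECTIVE
 match access-list H323-INSPECT
!
policy-map global_policy
 ! Remove H.323 from the default class so it no longer applies to everyone.
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 ! Re-enable it only for traffic the ACL permits. The ACL matches TCP only,
 ! so only the H.225 inspector is re-enabled; RAS runs over UDP and is not
 ! matched by this ACL.
 class H323-SELECTIVE
  inspect h323 h225
```

Hit counts in `show access-list H323-INSPECT` show whether the exempt endpoints are landing on the deny lines, and `show service-policy` shows which class is inspecting the remaining H.323 traffic.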