11-09-2009 11:47 AM - edited 03-11-2019 09:38 AM
I have a situation where I need to have H323 inspection on by default, but I have a number of video endpoints for which I need h323 inspection turned off when they set up a connection through the firewall. I tried turning off h323 in the class inspection_default and turned it on in another class that was set to match an ACL with denies for my special endpoints and an explicit permit any. When I applied this class to the global policy it wreaked havoc and broke a lot of things. Any idea how to do this?
11-09-2009 03:09 PM
The latter you tried to do was correct. But you must not match "ip any any" because that will try to inspect all traffic as h323 and can cause all kinds of issues. Instead, in the ACL that you match in a class-map that you "inspect h323" in the policy-map, you should have denies for the h323 that you don't want to inspect, and at the end you should have a "perm tcp any any eq h323". That should only match h323 traffic and inspect it.
I hope it helps.
PK
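The configuration described in the answer above, written out as an added example that is not part of the original thread. The ACL name, class-map name and the endpoint address 192.0.2.10 are constructed placeholders; it assumes the default global_policy and covers only H.225 call signaling on TCP port 1720 (the `h323` port keyword), leaving RAS inspection as it is.

```cisco
! Constructed example: names and addresses are placeholders.
!
! Exempt the special video endpoint in both directions, then
! permit only H.225 call signaling (tcp/1720) for inspection.
access-list H323_INSPECT extended deny tcp host 192.0.2.10 any eq h323
access-list H323_INSPECT extended deny tcp any host 192.0.2.10 eq h323
access-list H323_INSPECT extended permit tcp any any eq h323
!
! Do NOT end the ACL with a broad permit such as:
!   access-list H323_INSPECT extended permit ip any any
! That makes the class match all traffic, so the firewall tries to
! inspect everything as h323, which is what broke other traffic.
!
class-map H323_SELECTIVE
 match access-list H323_INSPECT
!
policy-map global_policy
 ! Remove H.225 inspection from the default class ...
 class inspection_default
  no inspect h323 h225
 ! ... and re-apply it only to traffic the ACL permits.
 class H323_SELECTIVE
  inspect h323 h225
!
service-policy global_policy global
```

After applying it, `show service-policy inspect h323` shows whether packets are hitting the new class, and `show access-list H323_INSPECT` shows hit counts on the deny lines for the exempted endpoint.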
11-09-2009 03:23 PM
Oh, it did cause all kinds of issues. Thanks for the input, I will try this.
11-10-2009 04:21 AM
Can you please post the config that wreaked havoc?