Solved: turning off H323 inspection for select IP addresses

relsethagen · ‎11-09-2009

I have a situation where I need to have H323 inspection on by default, but I have a number of video end points that when they set up a connection through the firewall I need h323 inspection turned off for them. I tried turning off h323 in the class inspection_ default and turned it on in another class that was set to match an ACL with denies for my special endpoints and an explicit permit any. When I applied this class to the global policy it wreaked havoc and broke a lot of things. Any idea how to do this?

Panos Kampanakis · ‎11-09-2009

The latter you tried to do was correct. But you must not match "ip any any" because that will try to inspect all traffic as h323 and can cause all kinds of issues. Instead in the ACL that you match in a class-map that you "inspect h323" in the policy-map, you should have denies for the h323 that don't want to inspect and in the end you should have a "perm tcp any any eq h323". That should only match h323 traffic and inspect it.

I hope it helps.

PK

View solution in original post

Panos Kampanakis · ‎11-09-2009

The latter you tried to do was correct. But you must not match "ip any any" because that will try to inspect all traffic as h323 and can cause all kinds of issues. Instead in the ACL that you match in a class-map that you "inspect h323" in the policy-map, you should have denies for the h323 that don't want to inspect and in the end you should have a "perm tcp any any eq h323". That should only match h323 traffic and inspect it.

I hope it helps.

PK

relsethagen · ‎11-09-2009

Oh it did cause all kinds of issues, thanks for the input I will try this.

vikram_anumukonda · ‎11-10-2009

can you pls post the config that wreaked havoc.