ASA Inspection bypass for H323

Unanswered Question
Dec 15th, 2009

Hi, I am trying to bypass one device from H323 inspection. I created an ACL to deny IP any to the device's IP internally and externally, then permit ip any any. Then I created a class-map that matches the ACL, applied the class-map to the service policy, and removed the inspections from the default. Here is the problem I ran into: the class needs both H323 RAS and H323 H225, but when applying the second inspect I get an error:

Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.



So I applied match default-inspection-traffic to the class-map, and I was able to add both inspects to the class, then removed inspect H323 from the default. Well, the video that wasn't working started working, but we broke all outbound voice. I removed what I did and restored the original configuration, but it was still broken, so I had to reload the ASA. Now voice is back to normal, but video is broken again.


How do I exclude this one IP from being inspected for all H323 without breaking the voice? I am doing two other classes like this under the global policy for FTP inspection and to bypass the CSC for certain IPs, but they all have a single inspect.

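Added example (not from the original thread) showing the shape of the class the question describes, with both match statements in one class-map so the ASA accepts two inspect commands. The address 192.0.2.10, the ACL and class names, and the interface layout are placeholders; the thread does not say why outbound voice broke when this was tried, so this illustrates the two-match class, not a confirmed fix.

```cisco
! Placeholder address for the video unit to exclude (not from the thread).
! Deny entries in an ACL referenced by a class-map mean "not matched by this
! class", so the video unit's traffic in either direction falls out of the class.
access-list H323_NOT_VIDEO extended deny ip any host 192.0.2.10
access-list H323_NOT_VIDEO extended deny ip host 192.0.2.10 any
access-list H323_NOT_VIDEO extended permit ip any any

! A class-map may combine match default-inspection-traffic with match access-list.
! default-inspection-traffic restricts the class to the default inspection ports
! (H.225 on TCP/1720, RAS on UDP/1718-1719); the ACL then narrows it further to
! everything except the video unit.
class-map H323_EXCEPT_VIDEO
 match default-inspection-traffic
 match access-list H323_NOT_VIDEO

! Move both H.323 inspections out of the default class and into the new one.
! The remaining default inspections (sip, skinny, etc.) stay untouched.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
 class H323_EXCEPT_VIDEO
  inspect h323 h225
  inspect h323 ras

! Confirm which class the global policy is now applying the H.323 inspections from
show service-policy global
```

Classes in a policy-map are evaluated in order, so removing the two inspects from inspection_default before adding them to the new class avoids the H.323 inspection being applied to the video unit by the earlier class.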
Kureli Sankar Tue, 12/15/2009 - 10:47
Cisco Employee

What you ran into is expected (Multiple inspect commands can't be configured for a class). Now coming to fix your video issue. I believe you may be running into some known h323 inspection issues whereby the packets may not be fixed up properly.


In this case we have to collect captures (ingress and egress) and see what is going on, or you may want to see if there is an option for address translation on the video unit itself, so you can put in the translated address.


Give that a shot and let us know. If it still doesn't work, then you would probably be better off opening a TAC case.


We would need to collect the following:

1. sh tech

2. syslogs (debug level)

3. debug h323 h225 event/asn

4. ingress, egress captures


-KS
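Added example (not from the reply above) of collecting the four items listed, filtered to the video unit so the captures stay small. The address 192.0.2.10, the TFTP server 192.0.2.50, the interface names inside/outside, and the capture and ACL names are placeholders.

```cisco
! Placeholder ACL that matches the video unit in both directions (not from the thread)
access-list CAP_VID extended permit ip any host 192.0.2.10
access-list CAP_VID extended permit ip host 192.0.2.10 any

! Ingress and egress captures. If the unit is NATed, the address seen on the
! outside interface is the translated one, so adjust the outside ACL accordingly.
capture VID_IN interface inside access-list CAP_VID
capture VID_OUT interface outside access-list CAP_VID

! Debug-level syslogs kept in the buffer
logging enable
logging buffered debugging

! The H.225 debugs named in the reply
debug h323 h225 event
debug h323 h225 asn

! Reproduce the call, then gather the output
show capture VID_IN
show capture VID_OUT
copy /pcap capture:VID_IN tftp://192.0.2.50/VID_IN.pcap
copy /pcap capture:VID_OUT tftp://192.0.2.50/VID_OUT.pcap
show logging
undebug all
show tech-support

! Clean up once the data is collected
no capture VID_IN
no capture VID_OUT
```

Running the debugs only for the duration of one test call keeps the logging load on the firewall small, and comparing the H.225 payload addresses in the inside and outside captures is what shows whether the inspection rewrote them as expected.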
