Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

turning off H323 inspection for select IP addresses

I have a situation where I need to have H323 inspection on by default, but I have a number of video end points that when they set up a connection through the firewall I need h323 inspection turned off for them. I tried turning off h323 in the class inspection_ default and turned it on in another class that was set to match an ACL with denies for my special endpoints and an explicit permit any. When I applied this class to the global policy it wreaked havoc and broke a lot of things. Any idea how to do this?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: turning off H323 inspection for select IP addresses

The latter you tried to do was correct. But you must not match "ip any any" because that will try to inspect all traffic as h323 and can cause all kinds of issues. Instead in the ACL that you match in a class-map that you "inspect h323" in the policy-map, you should have denies for the h323 that don't want to inspect and in the end you should have a "perm tcp any any eq h323". That should only match h323 traffic and inspect it.

I hope it helps.

PK

3 REPLIES
Cisco Employee

Re: turning off H323 inspection for select IP addresses

The latter you tried to do was correct. But you must not match "ip any any" because that will try to inspect all traffic as h323 and can cause all kinds of issues. Instead in the ACL that you match in a class-map that you "inspect h323" in the policy-map, you should have denies for the h323 that don't want to inspect and in the end you should have a "perm tcp any any eq h323". That should only match h323 traffic and inspect it.

I hope it helps.

PK

New Member

Re: turning off H323 inspection for select IP addresses

Oh it did cause all kinds of issues, thanks for the input I will try this.

Re: turning off H323 inspection for select IP addresses

can you pls post the config that wreaked havoc.

281
Views
0
Helpful
3
Replies
CreatePlease to create content