ASA 5550 inspect necessary for h323 and SIP?

charliediebel
Level 1

Is it necessary to have "inspect h323 h225", "inspect h323 ras", and "inspect sip" enabled on an ASA 5550? We have a VCSC/VCSE telepresence deployment... just wondering, with these enabled, whether there is any possibility of the inspection process causing packet loss to external or public codecs. We have a 250 Mb Internet connection... general average use runs approx. 180 Mb. Twice a week or so, we get critical packet loss to some of the external codecs... just wondering whether turning off the inspection process would speed things up a bit or cause other issues.

Thank you for your response.

Charlie

6 Replies

Paulo Souza
VIP Alumni

Hi Charlie,

It depends upon what your VCSE topology looks like. Is your VCSE behind NAT? Do you have the dual NIC option key applied in your VCSE (which enables the NAT feature in VCS)? Is the NAT address configured in your VCSE?

Please post further information about your topology, including how the connections involving the VCSE are set up.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


It depends upon what your VCSE topology looks like.
Is your VCSE behind NAT?
THE VCSE IS NOT BEHIND NAT.
Do you have dual nic option key applied in your VCSE (which enables NAT feature in VCS)?
THERE IS A DUAL NIC OPTION KEY ON THE VCSE, BUT IT IS NOT PHYSICALLY CONNECTED TO UTILIZE IT.
Is the NAT address configured in your VCSE?
EXTERNAL PUBLIC IP IS ON THE VCSE. The VCSE physically sits above my ASA 5550 (what I would consider outside) on our ISP's network.

Please post further information about your topology, including how the connections involving the VCSE are set up.
All of the external codecs are dialed via SIP from the VCSE....
The VCSC sits behind the firewall, with a traversal set up between the vcsc and the VCSE. On the firewall, I have a rule to allow all inbound traffic from VCSE to vcsc

But is your VCSE behind NAT in the path from the VCSE to the Internet? If yes, do you have NAT configured in the VCSE?

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".


The VCSE is not behind NAT on its path to the Internet.

The IPv4 static NAT mode on the VCSE is Off

Hi,

If your VCSE is not behind NAT in its path towards the Internet, you can go ahead and disable any SIP/H323 inspection mechanism, since it may cause some issues and it is not required at all in your case.

Regarding the communication between VCS Control and Expressway, it is highly recommended not to have NAT from VCS Control to VCS Expressway, since VCS Control is not able to put the NAT address inside SIP/H323 messages, and you should not use any SIP/H323 inspection/ALG mechanism in this path, since it may cause some problems because the communication uses a non-standard protocol, Cisco Assent.

However, the packet loss problem is not much related to firewall inspection features. You are saying that you have enough bandwidth in your link to accommodate the call, but you should also ask: does the remote side have enough bandwidth to host the call? Packet loss can occur in any part of the whole path of the call, so you should analyze the whole network path, end to end. Also, on Internet links it is (normally) not possible to apply QoS, so you really have no guarantee that your traffic is being prioritized by your service provider and by the remote site.

Regards

Paulo Souza

Was my response helpful? Please rate useful replies and remember to mark any solved questions as "answered".

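The change discussed in the accepted answer, written out as an added example (not configuration posted by anyone in the thread): first check whether the ASA inspection engines are actually dropping anything, then remove the SIP/H.323 inspections from the default global policy. It assumes the topology described above (VCSE with a public address, no NAT in the Internet path, and an explicit rule already permitting VCSE-to-VCSC traversal traffic); the policy-map and class names are the ASA defaults.

```cisco
! Added example, not from the thread. Assumes the VCS Expressway is NOT behind
! NAT and the VCS Control <-> Expressway traversal is already permitted by an
! explicit access rule, as stated in the thread.
!
! 1. Before changing anything, quantify the suspicion: non-zero "drop" or
!    "reset-drop" counters for sip/h323 implicate inspection; zero drops mean
!    the loss is elsewhere on the end-to-end path.
show service-policy inspect sip
show service-policy inspect h323 h225
show service-policy inspect h323 ras
!
! 2. Relevant lines of the default global policy: SIP and H.323 application
!    inspection (ALG) are applied to all traffic matching inspection_default.
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sip
!
! 3. Corrected policy for this topology: remove the voice/video ALGs.
!    Without inspection the ASA no longer rewrites embedded addresses or opens
!    dynamic pinholes for media, so the explicit VCSE -> VCSC rule must remain.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
  no inspect h323 ras
  no inspect sip
!
! 4. Verify the resulting policy and persist it.
show running-config policy-map
write memory
```

Re-run the `show service-policy` checks during the next loss event; if the counters stayed at zero before the change, expect the loss to persist afterwards and look at the remote side and the provider path instead.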

Paulo,

From the looks of things, it appears as though I can and probably should disable inspection, which I will do and see what happens. Thank you so much for your time and responses.

Best regards.

CD
