Cisco Support Community
New Member

H323 inspection for multiple tunnels, w/o using global default-inspection-

I have ~50 IPSec tunnels to various sites and I need to be able to turn on "inspect h323 h225" and "inspect h323 ras" on a per-tunnel basis.

All tunnels are using Policy NAT.

Enabling this globally breaks the H323 connectivity for tunnels between the ASA and a Cisco router. ASA > PIX, ASA > ASA and ASA > Checkpoint all work fine.

Is this possible?

This is on a 5520 w/ 7.2 code.

1 REPLY
New Member

Re: H323 inspection for multiple tunnels, w/o using global defau

I would think this should work, but it does not. Connectivity works just fine between hosts, i.e. a remote user can telnet to port 1720 and stay connected.

object-group network EXT_CUST1NET
 network-object a.a.a.x 255.255.255.0
object-group network INT_CUST1NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST2NET
 network-object b.b.b.x 255.255.255.0
object-group network INT_CUST2NET
 network-object i.i.i.x 255.255.254.0
object-group network EXT_CUST3NET
 network-object c.c.c.x 255.255.255.0
object-group network INT_CUST3NET
 network-object i.i.i.x 255.255.254.0
!
! Policy NAT match ACL for the inside host i.i.i.i. H.225 call signalling is TCP/1720
! and RAS is UDP/1719; 'permit ip' takes no port operator, so one line per protocol.
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i a.a.a.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i a.a.a.x 255.255.255.0 eq 1719
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i b.b.b.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i b.b.b.x 255.255.255.0 eq 1719
access-list STATIC_NAT_X.X.X.X extended permit tcp host i.i.i.i c.c.c.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X.X.X.X extended permit udp host i.i.i.i c.c.c.x 255.255.255.0 eq 1719
!
! Crypto ACLs, one per site
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
!
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 38 set peer x.x.x.x
crypto map LAN2LAN 38 set transform-set AES-256-SHA
crypto map LAN2LAN 38 set security-association lifetime seconds 3600
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 39 set peer x.x.x.x
crypto map LAN2LAN 39 set transform-set AES-256-SHA
crypto map LAN2LAN 39 set security-association lifetime seconds 3600
crypto map LAN2LAN 40 match address CUST3_VPNACL
crypto map LAN2LAN 40 set peer x.x.x.x
crypto map LAN2LAN 40 set transform-set AES-256-SHA
crypto map LAN2LAN 40 set security-association lifetime seconds 3600
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
! One class per tunnel: the crypto ACL selects the site, and default-inspection-traffic
! narrows it to the inspection ports (TCP/1720 for h225, UDP/1719 for ras)
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
class-map inspection_default3
 match access-list CUST3_VPNACL
 match default-inspection-traffic
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
 class inspection_default3
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global

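With ~50 tunnels, the per-tunnel layout in the reply above (the crypto ACL reused as the class-map selector, the two h323 inspects under each class) is easy to get partially wrong: a tunnel added without its class-map, a class-map that never made it into the policy-map, or a NAT ACL line the parser will not take. The script below is an added example written for this thread, not code from the original post. It walks an ASA 7.x running config and, for every "crypto map ... match address" entry, reports whether that crypto ACL is referenced by a class-map whose policy-map class carries both "inspect h323 h225" and "inspect h323 ras"; it also flags access-list lines that put a port operator on protocol "ip", since H.225 is TCP/1720 and RAS is UDP/1719 and only tcp/udp lines accept ports. The config it reads is a constructed sample in the shape of the posted one (names such as STATIC_NAT_X, CUSTn_VPNACL and the host i.i.i.i are placeholders taken from the post); in practice you would paste "show running-config" output in its place.

```python
"""Audit an ASA 7.x config for per-tunnel H.323 inspection coverage.

Added example for this thread, not code from the original post. The sample
config below is constructed: two tunnels are wired up correctly, the third
(seq 40) has no inspection class, and one NAT ACL line is malformed.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list STATIC_NAT_X extended permit tcp host i.i.i.i a.a.a.x 255.255.255.0 eq 1720
access-list STATIC_NAT_X extended permit udp host i.i.i.i a.a.a.x 255.255.255.0 eq 1719
access-list STATIC_NAT_X extended permit ip host i.i.i.i b.b.b.x 255.255.255.0 range 1719 1720
access-list CUST1_VPNACL extended permit ip object-group INT_CUST1NET object-group EXT_CUST1NET
access-list CUST2_VPNACL extended permit ip object-group INT_CUST2NET object-group EXT_CUST2NET
access-list CUST3_VPNACL extended permit ip object-group INT_CUST3NET object-group EXT_CUST3NET
crypto map LAN2LAN 38 match address CUST1_VPNACL
crypto map LAN2LAN 38 set peer x.x.x.x
crypto map LAN2LAN 39 match address CUST2_VPNACL
crypto map LAN2LAN 39 set peer x.x.x.x
crypto map LAN2LAN 40 match address CUST3_VPNACL
crypto map LAN2LAN 40 set peer x.x.x.x
class-map inspection_default
 match access-list CUST1_VPNACL
 match default-inspection-traffic
class-map inspection_default2
 match access-list CUST2_VPNACL
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
 class inspection_default2
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
"""

H323_INSPECTS = {"inspect h323 h225", "inspect h323 ras"}
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}
# Keywords that open a new top-level block; anything else is a sub-command.
TOP_LEVEL = {"access-list", "crypto", "object-group", "tunnel-group",
             "service-policy", "class-map", "policy-map", "nat", "static"}


def parse_config(text):
    """Single pass over the config, tracking which block a sub-command belongs to."""
    crypto_acls = {}                    # (map name, seq) -> crypto ACL name
    class_acls = defaultdict(set)       # class-map name -> ACLs it matches
    class_inspects = defaultdict(set)   # policy-map class name -> inspect lines
    acl_issues = []                     # access-list lines the ASA parser rejects
    mode, current_class = None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] in TOP_LEVEL:
            mode, current_class = tokens[0], None
            if mode == "class-map":
                current_class = tokens[-1]
            elif mode == "crypto" and tokens[1:2] == ["map"] and "match" in tokens:
                # crypto map NAME SEQ match address ACL
                crypto_acls[(tokens[2], int(tokens[3]))] = tokens[-1]
            elif mode == "access-list" and len(tokens) > 4 and tokens[2] != "remark":
                proto = tokens[4] if tokens[2] == "extended" else tokens[3]
                if proto == "ip" and PORT_OPERATORS & set(tokens):
                    acl_issues.append(raw.strip())
            continue
        # Sub-commands: "class" inside a policy-map is distinct from "class-map".
        if mode == "class-map" and tokens[:2] == ["match", "access-list"]:
            class_acls[current_class].add(tokens[2])
        elif mode == "policy-map" and tokens[0] == "class":
            current_class = tokens[1]
        elif mode == "policy-map" and tokens[0] == "inspect" and current_class:
            class_inspects[current_class].add(" ".join(tokens))
    return crypto_acls, class_acls, class_inspects, acl_issues


def audit(text):
    """Return ({'MAP SEQ': {acl, classes, missing}}, [malformed ACL lines])."""
    crypto_acls, class_acls, class_inspects, acl_issues = parse_config(text)
    report = {}
    for (name, seq), acl in sorted(crypto_acls.items()):
        classes = sorted(c for c, acls in class_acls.items() if acl in acls)
        seen = set()
        for c in classes:
            seen |= class_inspects[c]
        report[f"{name} {seq}"] = {
            "acl": acl,
            "classes": classes,
            "missing": sorted(H323_INSPECTS - seen),
        }
    return report, acl_issues


if __name__ == "__main__":
    report, bad = audit(SAMPLE_CONFIG)
    for entry, info in report.items():
        status = "ok" if not info["missing"] else "MISSING " + ", ".join(info["missing"])
        print(f"{entry}: acl={info['acl']} classes={info['classes'] or '-'} {status}")
    for line in bad:
        print("malformed (port operator on protocol ip):", line)
```

The audit keys on the crypto ACL name because that is the only thing tying a tunnel to its inspection class in this design; if a class-map matches a different ACL that happens to cover the same subnets, the script reports the tunnel as uncovered, which is the conservative answer when you are checking 50 of them by hand.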