14-6
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 14 Inspection for Voice and Video Protocols
H.323 Inspection
Configure H.323 Inspection
H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP
addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function
activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling
control, HSI groups, protocol state tracking, H.323 call duration enforcement, and audio/video control.
H.323 inspection is enabled by default. You need to configure it only if you want non-default processing.
If you want to customize H.323 inspection, use the following process.
Procedure
Step 1 Configure H.323 Inspection Policy Map, page 14-6
Step 2 Configure the H.323 Inspection Service Policy, page 14-9
Configure H.323 Inspection Policy Map
You can create an H.323 inspection policy map to customize H.323 inspection actions if the default
inspection behavior is not sufficient for your network.
When defining traffic matching criteria, you can either create a class map or include the match
statements directly in the policy map. The following procedure explains both approaches.
Before You Begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one
of those techniques, first create the regular expression or regular expression class map.
Procedure
Step 1 (Optional) Create an H.323 inspection class map by performing the following steps.
A class map groups multiple traffic matches.You can alternatively identify match commands directly in
the policy map. The difference between creating a class map and defining the traffic match directly in
the inspection policy map is that the class map lets you create more complex match criteria, and you can
reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string “example.com,” then any traffic that includes “example.com”
does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the
inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly
in the policy map.
a. Create the class map by entering the following command:
hostname(config)# class-map type inspect h323 [match-all | match-any] class_map_name
hostname(config-cmap)#
To Next Page
Loading...
Need help?
General
