Chapter 22
Applying Application Layer Protocol Inspection
static (inside,outside) 10.4.1.33 10.4.1.33 netmask 255.255.255.255
access-group OO in interface mgmt
access-group 111 in interface outside per-user-override
route inside 10.4.1.32 255.255.255.255 10.1.1.2 1
route inside 10.4.1.33 255.255.255.255 10.1.1.3 1
route outside 10.5.1.1 255.255.255.255 209.165.201.31 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 171.69.42.198 255.255.255.255 mgmt
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect smtp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
! The next line attaches the GTP map to GTP inspection in the service policy
  inspect gtp GTPMAP
!
service-policy global_policy global
Cryptochecksum:3b1c3373e908cb9163d9aa1387478fa4
: end
H.323 Inspection
This section describes how to enable H.323 application inspection and change the default port
configuration. This section includes the following topics:
• H.323 Inspection Overview
• How H.323 Works
• Limitations and Restrictions
• Enabling and Configuring H.323 Inspection
• Topologies Requiring H.225 Configuration

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01