8-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 Inspection for Voice and Video Protocols
H.323 Inspection
The drop-connection keyword drops the packet and closes the connection. This option is available for called or calling party matching.

The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. This option is available for called or calling party matching.

Step 5  To configure parameters that affect the inspection engine, perform the following steps:

a. To enter parameters configuration mode, enter the following command:

   hostname(config-pmap)# parameters
   hostname(config-pmap-p)#

b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:

• ras-rcf-pinholes enable—Enables call setup between H.323 endpoints. You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. Use this option to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled.
• timeout users time—Sets the H.323 call duration limit (in hh:mm:ss format). To have no timeout, specify 00:00:00. Range is from 0:0:0 to 1193:0:0.
• call-party-number—Enforces sending call party number during call setup.
• h245-tunnel-block action {drop-connection | log}—Enforces H.245 tunnel blocking. Specify whether you want to drop the connection or simply log it.
• rtp-conformance [enforce-payloadtype]—Checks RTP packets flowing on the pinholes for protocol conformance. The optional enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
• state-checking {h225 | ras}—Enables state checking validation. You can enter the command separately to enable state checking for H.225 and RAS.

Step 6  While still in parameter configuration mode, you can configure HSI groups.

a. Define an HSI group and enter HSI group configuration mode.

   hostname(config-pmap-p)# hsi-group id

   Where id is the HSI group ID. Range is from 0 to 2147483647.

b. Add an HSI to the HSI group using the IP address. You can add a maximum of five hosts per HSI group.

   hostname(config-h225-map-hsi-grp)# hsi ip_address

c. Add an endpoint to the HSI group.

   hostname(config-h225-map-hsi-grp)# endpoint ip_address if_name

   Where ip_address is the endpoint to add and if_name is the interface through which the endpoint is connected to the ASA. You can add a maximum of ten endpoints per HSI group.

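The following Python check is an added example, not part of the Cisco guide: it reads a saved configuration and lists, for each H.323 inspection policy map, which of the Step 5 parameters are set and whether any HSI group exceeds the Step 6 limits. The sample configuration, its indented layout, the map name voice_map, and the choice to report unset options as review items are assumptions of the example.

```python
import re

LIMITS = {"hsi": 5, "endpoint": 10}  # per-HSI-group maximums stated in the guide

# Constructed sample; the map name and the indented layout are assumptions.
SAMPLE_CONFIG = """\
policy-map type inspect h323 voice_map
 parameters
  ras-rcf-pinholes enable
  state-checking h225
  rtp-conformance
  hsi-group 1
   hsi 192.0.2.10
   endpoint 198.51.100.1 inside
"""

def parse_h323_maps(config):
    """Return {map: {"params": [...], "groups": {id: {"hsi": [...], "endpoint": [...]}}}}."""
    maps, current, group = {}, None, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):  # a top-level command starts or ends a map
            m = re.match(r"policy-map type inspect h323 (\S+)$", raw.strip())
            current = maps.setdefault(m.group(1), {"params": [], "groups": {}}) if m else None
            group = None
        elif current is None or not words or words == ["parameters"]:
            continue
        elif words[0] == "hsi-group" and len(words) == 2:
            group = current["groups"].setdefault(words[1], {"hsi": [], "endpoint": []})
        elif group is not None and words[0] in LIMITS and len(words) > 1:
            group[words[0]].append(words[1])  # keep the IP address only
        else:
            current["params"].append(" ".join(words))
    return maps

def audit_h323_map(name, pmap):
    """List review items for one parsed H.323 inspection policy map."""
    params, items = pmap["params"], []
    if "ras-rcf-pinholes enable" in params:
        items.append(f"{name}: ras-rcf-pinholes enabled (pinholes opened with source 0/0)")
    items += [f"{name}: state-checking {p} not set"
              for p in ("h225", "ras") if f"state-checking {p}" not in params]
    if "rtp-conformance enforce-payloadtype" not in params:
        items.append(f"{name}: rtp-conformance enforce-payloadtype not set")
    for gid, grp in pmap["groups"].items():
        for kind, cap in LIMITS.items():
            if len(grp[kind]) > cap:
                items.append(f"{name}: hsi-group {gid} has {len(grp[kind])} {kind} entries (max {cap})")
    return items
```

Call parse_h323_maps() on the saved configuration text, then audit_h323_map() on each returned map to get its list of review items.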
Example
The following example shows how to configure phone number filtering:
hostname(config)# regex caller 1 "5551234567"
hostname(config)# regex caller 2 "5552345678"