ASPF H.323 application inspection configuration example

Network requirements

Figure 175 shows a typical H.323 application network. Gateway B on the external network needs to access the H.323 Gatekeeper and, with the assistance of the Gatekeeper, establish a connection with H.323 Gateway A on the internal network. All other protocol packets from the external network must be dropped.

Configure a packet filter on Router A that permits only packets destined to the Gatekeeper, and configure an ASPF policy on Router A that inspects H.323 packets so that the return packets of inspected H.323 sessions can pass through interface GigabitEthernet 1/0/1 to the external network. A static packet filter alone cannot do this, because the data ports are negotiated by the H.323 signaling and are not known in advance.

Figure 170: Network diagram

Configuration procedure

# Create advanced ACL 3200 with two rules: one that permits packets destined to the Gatekeeper (192.168.1.2), and one that denies all other IP packets.

<RouterA> system-view
[RouterA] acl advanced 3200
[RouterA-acl-ipv4-adv-3200] rule 0 permit ip destination 192.168.1.2 0
[RouterA-acl-ipv4-adv-3200] rule 5 deny ip
[RouterA-acl-ipv4-adv-3200] quit

# Create ASPF policy 1 for H.323 inspection.

[RouterA] aspf policy 1
[RouterA-aspf-policy-1] detect h323
[RouterA-aspf-policy-1] quit

# Apply ACL 3200 to filter incoming packets on interface GigabitEthernet 1/0/1.

[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] packet-filter 3200 inbound

# Apply ASPF policy 1 to incoming traffic on GigabitEthernet 1/0/1.

[RouterA-GigabitEthernet1/0/1] aspf apply policy 1 inbound
[RouterA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that ASPF sessions have been created between Gateway B and Gatekeeper/Gateway A.

[RouterA] display aspf session ipv4
Initiator:
  Source      IP/port: 1.1.1.111/33184
  Destination IP/port: 192.168.1.3/32828
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17) 
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/1719
  Destination IP/port: 192.168.1.2/1719
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17) 
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/3521
  Destination IP/port: 192.168.1.2/20155
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6) 
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/33185
  Destination IP/port: 192.168.1.3/32829
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17) 
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/3688
  Destination IP/port: 192.168.1.2/1720
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Total sessions found: 5

# Verify that only return packets matching these session entries can pass through GigabitEthernet 1/0/1, and that packets from the external network to hosts other than the Gatekeeper are dropped unless an ASPF session exists for them. (Details not shown.)
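The two verification steps above can be checked offline against a captured session table. The following Python script is an added example; it is not part of this page and not Comware code. It models the forwarding decision on GigabitEthernet 1/0/1 in a simplified way: a packet entering the interface is admitted if it matches an existing ASPF session or if ACL 3200 permits it, and a packet leaving toward the external network is admitted only if it is the reverse of an existing session. The session table is a constructed copy of the display output shown above; the address of Gateway A (192.168.1.3) is inferred from that output. Session ageing, TCP state tracking and the H.245 negotiation that derives the media channels are outside the model.

```python
import re
from dataclasses import dataclass

GATEKEEPER = "192.168.1.2"      # from ACL 3200 rule 0
GATEWAY_A = "192.168.1.3"       # assumed from the session table on the page
GATEWAY_B = "1.1.1.111"         # external initiator in the session table

# Constructed copy of the 'display aspf session ipv4' output from the page.
SESSION_OUTPUT = """\
Initiator:
  Source      IP/port: 1.1.1.111/33184
  Destination IP/port: 192.168.1.3/32828
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/1719
  Destination IP/port: 192.168.1.2/1719
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/3521
  Destination IP/port: 192.168.1.2/20155
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/33185
  Destination IP/port: 192.168.1.3/32829
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1

Initiator:
  Source      IP/port: 1.1.1.111/3688
  Destination IP/port: 192.168.1.2/1720
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Total sessions found: 5
"""


@dataclass(frozen=True)
class Flow:
    """A 5-tuple; frozen so instances compare by value and can be looked up."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "TCP" or "UDP"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


# One match per 'Initiator:' block; the lazy .*? skips the VPN/VLAN line.
SESSION_RE = re.compile(
    r"Source\s+IP/port:\s*(\S+)/(\d+)\s*"
    r"Destination IP/port:\s*(\S+)/(\d+).*?"
    r"Protocol:\s*(TCP|UDP)\(\d+\)",
    re.S,
)


def parse_sessions(text: str) -> list[Flow]:
    """Parse the session table and cross-check against the device's own count."""
    flows = [Flow(s, int(sp), d, int(dp), p)
             for s, sp, d, dp, p in SESSION_RE.findall(text)]
    m = re.search(r"Total sessions found:\s*(\d+)", text)
    if m and int(m.group(1)) != len(flows):
        raise ValueError(f"parsed {len(flows)} sessions, device reports {m.group(1)}")
    return flows


def acl_3200_inbound(pkt: Flow) -> bool:
    """rule 0 permit ip destination 192.168.1.2 0 / rule 5 deny ip."""
    return pkt.dst == GATEKEEPER


def inbound_decision(pkt: Flow, sessions: list[Flow]) -> str:
    """Packet arriving on GE1/0/1 from the external network (model assumption:
    an existing ASPF session is matched before the static packet filter)."""
    if pkt in sessions:
        return "permit:aspf-session"
    if acl_3200_inbound(pkt):
        return "permit:acl"
    return "deny"


def return_decision(pkt: Flow, sessions: list[Flow]) -> str:
    """Packet leaving GE1/0/1 toward the external network passes only if it is
    the reverse of an inspected session."""
    return "permit" if pkt.reverse() in sessions else "deny"


def audit_sessions(sessions: list[Flow]) -> list[Flow]:
    """Sessions that do not fit the design: initiator must be Gateway B and
    the responder must be the Gatekeeper or Gateway A."""
    return [f for f in sessions
            if f.src != GATEWAY_B or f.dst not in {GATEKEEPER, GATEWAY_A}]


if __name__ == "__main__":
    table = parse_sessions(SESSION_OUTPUT)
    print(f"{len(table)} sessions, unexpected: {audit_sessions(table)}")
    print(return_decision(Flow(GATEWAY_A, 32828, GATEWAY_B, 33184, "UDP"), table))
    print(inbound_decision(Flow(GATEWAY_B, 40000, GATEWAY_A, 5004, "UDP"), table))
```

Run the script against a saved copy of the real `display aspf session ipv4` output to confirm that every session was initiated by Gateway B toward the Gatekeeper or Gateway A, and that an unrelated flow to Gateway A (the last line printed) is denied while the reverse of an inspected session is permitted.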