Video conferencing traffic traversing a Cisco ASA

Video conferencing traffic through the ASA: problem report [experience shared by EVE - the established command]
==============================================================================================================
Problem description:

Configuration notes
The user's headquarters has a video conferencing server with an ASA in the path. The ASA's outside interface connects to a 7206, and the 7206 connects to the other branches over SDH. The ASA runs in routed mode, version 7.0(6); inspect H323 and rtsp are enabled by default. Traffic between inside users and the network behind the branch 2821 uses NAT bypass, i.e. nat (inside) 0 access-list nonat, so the subnet behind inside and the subnet behind the branch communicate without NAT and no xlate entries are created. An access-list out permit ip any any is also applied in the in direction on the outside interface.

Topology
Video conferencing server---------inside-ASA-outside-----7206-------------2821-------Video conferencing server
                                                         SDH           branch router
Symptoms:
The inside video conferencing server can dial the branch video conferencing server and the call connects, but the video is intermittent and the audio is about as bad.
The branch video conferencing server cannot dial in to the video conferencing server behind inside at all.

sh h323 shows the addresses of both endpoints. Could the experts advise how to handle this? I have the following options and am not sure whether they are feasible:

1. Use the established command on TCP 1720 to permit the returning UDP range 16383-16384, and also enable inspect XDMCP
2. Disable inspect H323 and simply open TCP 1720 and UDP manually, since the security requirements of the SDH link that the user's outside connects to are not very high
3. Upgrade the version
The firewall configuration is as follows:
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name sinopharmholding.com
enable password <removed>
names
dns-guard
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.8.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif SDH
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address *.*.*.120 255.255.255.240
ospf network point-to-point non-broadcast
ospf authentication null
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
ospf network point-to-point non-broadcast
ospf authentication null
management-only
!
passwd <removed>
ftp mode passive
clock timezone CST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network nonat
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
network-object 138.20.1.0 255.255.255.0
network-object 172.168.72.0 255.255.255.0
network-object 1.1.1.0 255.255.255.252
network-object 197.18.0.0 255.255.0.0
network-object host 192.167.1.3
network-object host 61.129.61.51
network-object host 61.129.61.50
network-object host 61.129.61.63
network-object 192.168.103.0 255.255.255.0
object-group service 115 tcp
port-object eq www
port-object eq smtp
port-object eq ssh
port-object eq pop3
object-group service 116 tcp
port-object eq www
port-object eq ftp
port-object eq ftp-data
port-object eq 10000
object-group service 117 tcp
port-object eq www
object-group service 121 tcp
port-object eq ftp-data
port-object eq ftp
object-group service 114 tcp
port-object eq www
access-list all extended permit ip any any
access-list nonat extended permit ip 172.16.8.0 255.255.255.0 object-group nonat
access-list nonat extended permit ip 168.1.0.0 255.255.255.0 object-group nonat
access-list nonat extended permit ip 172.16.24.0 255.255.255.0 object-group nonat
access-list jituan extended permit ip 172.16.8.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list outside extended permit tcp any host *.*.*.115 object-group 115
access-list outside extended permit tcp any host *.*.*.116 object-group 116
access-list outside extended
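As an added example (not part of the post and not Cisco code), here is a small Python evaluator for the object-group and access-list lines above. It expands the network and service groups and applies ASA first-match semantics with the implicit deny, so one can check two things before choosing among the three options: whether the HQ-to-branch pair is covered by the nonat exemption, and whether the ACL bound to outside permits the branch's inbound H.225 call setup (TCP 1720) at all. It assumes a constructed excerpt of the config with the masked public address replaced by 203.0.113.115 and a hypothetical branch video server at 192.168.103.10, and parses only the address forms (any, host, network/mask, object-group) and port forms (eq, object-group) that appear in the post.

```python
import ipaddress
# Constructed excerpt modelled on the post's config; the masked public address is replaced by 203.0.113.115.
ASA_CONFIG = """\
object-group network nonat
network-object 192.168.0.0 255.255.0.0
network-object 192.168.103.0 255.255.255.0
object-group service 115 tcp
port-object eq www
port-object eq ssh
access-list nonat extended permit ip 172.16.8.0 255.255.255.0 object-group nonat
access-list outside extended permit tcp any host 203.0.113.115 object-group 115
"""
PORT_NAMES = {"www": 80, "ssh": 22, "smtp": 25, "pop3": 110, "h323": 1720}

def port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def addr(t, i, nets):
    # Consume one address spec at t[i]; return (list of networks, next index).
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return nets[t[i + 1]], i + 2
    net = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return [ipaddress.ip_network(net)], i + 2

def parse(config):
    """Return (network groups, service groups, ACLs keyed by name)."""
    nets, svcs, acls, cur = {}, {}, {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "object-group":
            cur = (nets if t[1] == "network" else svcs).setdefault(t[2], [])
        elif t[0] == "network-object":
            cur.extend(addr(t, 1, nets)[0])
        elif t[0] == "port-object":
            cur.append(port(t[2]))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[3:])  # drop "extended"
    return nets, svcs, acls

def permitted(config, acl, proto, src, dst, dport=None):
    """First-match ACL evaluation; the ASA appends an implicit deny."""
    nets, svcs, acls = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(acl, []):
        s, i = addr(ace, 2, nets)
        d, i = addr(ace, i, nets)
        p = None if i >= len(ace) else [port(ace[i + 1])] if ace[i] == "eq" else svcs[ace[i + 1]]
        if ace[1] in ("ip", proto) and any(src in n for n in s) and any(dst in n for n in d) and (p is None or dport in p):
            return ace[0] == "permit"
    return False
```

With the excerpt above, permitted(ASA_CONFIG, "nonat", "ip", "172.16.8.10", "192.168.103.10") is True, while permitted(ASA_CONFIG, "outside", "tcp", "192.168.103.10", "172.16.8.10", 1720) is False: if the outside ACL shown is the one bound to the interface, the branch's H.225 call setup never reaches inspect h323, which matches the "cannot dial in" symptom.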
