Video conferencing traffic traversing an ASA - problem [experience shared by EVE - the established command]
==========================================================
Problem description:
Configuration description
The user's headquarters has a video conferencing server with an ASA in between. The ASA's outside interface connects to a 7206, and the 7206 connects over SDH to the other branches. The ASA runs in routed mode, version 7.0(6), with the default inspect H323 and rtsp enabled. Traffic between inside users and the network behind the branch 2821 uses bypass NAT, i.e. the nat (inside) 0 access-list nonat method, so traffic between the subnet behind inside and the subnet behind the branch is not NATed and produces no xlate entries. There is also an access-list out permit ip any any applied to the outside interface in the in direction.
Topology
video conferencing server---------inside-ASA-outside-----7206-------------2821-------video conferencing server
                                                                  SDH        branch router
Symptoms:
The inside video conferencing server can dial the branch video conferencing server and the call connects, but the video is intermittent and the audio is about the same.
The branch video conferencing server cannot dial into the inside video conferencing server at all.
sh h323 shows the addresses of both endpoints. I'm asking the experts how to handle this; I have the following options and don't know whether they are feasible:
1. Use the established command on TCP 1720 to permit the returning UDP range 16383-16384, and also enable inspect XDMCP
2. Disable inspect H323 and simply open TCP 1720 and UDP manually, since the security requirements of the SDH link that the user's outside connects to are not very high
3. Upgrade the version
The firewall configuration is as follows:
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name sinopharmholding.com
enable password <removed>
names
dns-guard
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.8.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif SDH
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address *.*.*.120 255.255.255.240
ospf network point-to-point non-broadcast
ospf authentication null
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
ospf network point-to-point non-broadcast
ospf authentication null
management-only
!
passwd <removed>
ftp mode passive
clock timezone CST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network nonat
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
network-object 138.20.1.0 255.255.255.0
network-object 172.168.72.0 255.255.255.0
network-object 1.1.1.0 255.255.255.252
network-object 197.18.0.0 255.255.0.0
network-object host 192.167.1.3
network-object host 61.129.61.51
network-object host 61.129.61.50
network-object host 61.129.61.63
network-object 192.168.103.0 255.255.255.0
object-group service 115 tcp
port-object eq www
port-object eq smtp
port-object eq ssh
port-object eq pop3
object-group service 116 tcp
port-object eq www
port-object eq ftp
port-object eq ftp-data
port-object eq 10000
object-group service 117 tcp
port-object eq www
object-group service 121 tcp
port-object eq ftp-data
port-object eq ftp
object-group service 114 tcp
port-object eq www
access-list all extended permit ip any any
access-list nonat extended permit ip 172.16.8.0 255.255.255.0 object-group nonat
access-list nonat extended permit ip 168.1.0.0 255.255.255.0 object-group nonat
access-list nonat extended permit ip 172.16.24.0 255.255.255.0 object-group nonat
access-list jituan extended permit ip 172.16.8.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list outside extended permit tcp any host *.*.*.115 object-group 115
access-list outside extended permit tcp any host *.*.*.116 object-group 116
access-list outside extended