ASPF H.323 Application Inspection Configuration Example - HP MSR2000 Configuration Manual

Enable TCP SYN packet check
Detect these protocols:
Router A can recognize the faked ICMP error messages from external networks, and drop the non-SYN
packets that are the first packets over TCP connections.

ASPF H.323 application inspection configuration example

Network requirements
Figure 73 displays a typical H.323 application network. Gateway B on the external network needs to
access the H.323 Gatekeeper and, with the assistance of the Gatekeeper, to establish a connection with
H.323 Gateway A. Other protocol packets from the external network are dropped.
Configure a packet filter on Router A to permit only packets destined for the Gatekeeper, and configure
an ASPF policy on Router A to detect H.323 protocol packets so that response packets to the external
packets can pass through interface Ethernet 1/0.
Figure 73 Network diagram
Configuration procedure
# Create ACL 3200 and configure two rules in the ACL. One rule permits packets destined for the
Gatekeeper, and the other rule denies all IP packets.
<RouterA> system-view
[RouterA] acl number 3200
[RouterA-acl-adv-3200] rule 0 permit ip destination 192.168.1.2 0
[RouterA-acl-adv-3200] rule 5 deny ip
[RouterA-acl-adv-3200] quit
# Create ASPF policy 1 for H.323 inspection.
[RouterA] aspf policy 1
[RouterA-aspf-policy-1] detect h323
[RouterA-aspf-policy-1] quit
# Apply ACL 3200 to filter incoming packets on interface Ethernet 1/0.
[RouterA] interface ethernet 1/0
[RouterA-Ethernet1/0] packet-filter 3200 inbound
# Apply ASPF policy 1 to the inbound direction of interface Ethernet 1/0. ASPF creates session entries
for the H.323 connection between internal and external networks and allows the response packets that
match the entries to pass through interface Ethernet 1/0.
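
The following Python sketch is an added example, not part of the HP manual: it parses the two ACL 3200 rules as typed above and evaluates destinations rule by rule, showing what the host wildcard 0 admits before ASPF adds any session entries. The loose variant with wildcard 0.0.0.255 and the test destinations other than 192.168.1.2 are constructed for contrast, and ascending rule-ID match order is an assumption made because no other order is configured.

```python
import ipaddress

# ACL 3200 exactly as entered in the procedure above.
ACL_3200 = """rule 0 permit ip destination 192.168.1.2 0
rule 5 deny ip"""

# Constructed for contrast (not from the manual): same rule with a /24-wide wildcard.
ACL_LOOSE = """rule 0 permit ip destination 192.168.1.2 0.0.0.255
rule 5 deny ip"""

def to_int(text):
    """Dotted quad to int; a bare 0 is the host wildcard 0.0.0.0."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse 'rule <id> <permit|deny> ip [destination <addr> <wildcard>]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if (len(tok) not in (4, 7) or tok[0] != "rule"
                or tok[2] not in ("permit", "deny") or tok[3] != "ip"):
            raise ValueError(f"unsupported rule: {line!r}")
        dst = None  # None means the rule matches any destination
        if len(tok) == 7:
            if tok[4] != "destination":
                raise ValueError(f"unsupported rule: {line!r}")
            dst = (to_int(tok[5]), to_int(tok[6]))
        rules.append((int(tok[1]), tok[2], dst))
    # Assumption: rules are matched in ascending rule-ID order.
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, dst_ip):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    dst = to_int(dst_ip)
    for rule_id, action, match in rules:
        if match is None:
            return action, rule_id
        addr, wildcard = match
        # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
        if ((dst ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action, rule_id
    return None, None  # no rule matched; the device default is not modelled

if __name__ == "__main__":
    for name, acl in (("ACL 3200", ACL_3200), ("loose variant", ACL_LOOSE)):
        rules = parse_acl(acl)
        for ip in ("192.168.1.2", "192.168.1.3", "10.0.0.5"):  # constructed destinations
            print(name, ip, evaluate(rules, ip))
```

With the manual's rule only 192.168.1.2 reaches rule 0; with the constructed 0.0.0.255 wildcard every host in 192.168.1.0/24 does, which is the difference to look for when reviewing such an ACL.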
This manual is also suitable for: MSR3000, MSR4000