ASPF H.323 Application Inspection Configuration Example - HP VSR1000 Security Configuration Manual

Virtual services router

ASPF policy configuration:
Policy number: 1
Enable ICMP error message check
Enable TCP SYN packet check
Detect these protocols:
Router A can recognize faked ICMP error messages from external networks and drop non-SYN
packets that arrive as the first packet of a TCP connection.

ASPF H.323 application inspection configuration example

Network requirements
Figure 86 displays a typical H.323 application network. Gateway B on the external network needs to
access the H.323 Gatekeeper and, with the assistance of the Gatekeeper, establish a connection with
H.323 Gateway A. Other protocol packets from the external network are dropped.
Configure a packet filter on Router A to permit only packets destined for the Gatekeeper. Configure an
ASPF policy on Router A to detect H.323 protocol packets so that return packets to the external network
can pass through interface GigabitEthernet 1/0.
Figure 86 Network diagram
Configuration procedure
# Create ACL 3200 and configure two rules in the ACL: one to permit packets destined for the
Gatekeeper, and one to deny all other IP packets.
<RouterA> system-view
[RouterA] acl number 3200
[RouterA-acl-adv-3200] rule 0 permit ip destination 192.168.1.2 0
[RouterA-acl-adv-3200] rule 5 deny ip
[RouterA-acl-adv-3200] quit
# Create ASPF policy 1 for H.323 inspection.
[RouterA] aspf policy 1
[RouterA-aspf-policy-1] detect h323
[RouterA-aspf-policy-1] quit
# Apply ACL 3200 to filter incoming packets on interface GigabitEthernet 1/0.
[RouterA] interface GigabitEthernet1/0
[RouterA-GigabitEthernet1/0] packet-filter 3200 inbound
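
The following Python sketch is an added example, not part of the HP manual. It parses the two ACL 3200 rule lines and evaluates constructed destination addresses, assuming the default config match order (ascending rule ID, first match wins). It models only the static inbound packet filter, not the dynamic entries ASPF creates for H.323; `parse_acl` and `evaluate` are hypothetical helper names.

```python
import ipaddress
import re

# Rule lines copied from the ACL 3200 configuration above.
ACL_3200 = """
rule 0 permit ip destination 192.168.1.2 0
rule 5 deny ip
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+destination\s+(?P<addr>\S+)\s+(?P<wild>\S+))?\s*$"
)

def _to_int(text):
    # A wildcard written as "0" means 0.0.0.0, that is, an exact host match.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Return rules sorted by rule ID: (id, action, dest_addr, wildcard)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if m["addr"] is None:
            addr, wild = 0, 0xFFFFFFFF  # no destination clause: any address
        else:
            addr, wild = _to_int(m["addr"]), _to_int(m["wild"])
        rules.append((int(m["id"]), m["action"], addr, wild))
    return sorted(rules)

def evaluate(rules, dst):
    """First matching rule wins; returns (rule_id, action) or None."""
    dst_int = int(ipaddress.IPv4Address(dst))
    for rule_id, action, addr, wild in rules:
        # Wildcard bits set to 1 are ignored; bits set to 0 must match.
        care = ~wild & 0xFFFFFFFF
        if dst_int & care == addr & care:
            return rule_id, action
    return None

if __name__ == "__main__":
    rules = parse_acl(ACL_3200)
    # Constructed destination addresses for packets arriving on GigabitEthernet 1/0.
    for dst in ("192.168.1.2", "192.168.1.3", "10.0.0.1"):
        print(dst, evaluate(rules, dst))
```

Only the Gatekeeper address hits rule 0; every other destination falls through to rule 5, which is why inbound H.323 call traffic that is not addressed to the Gatekeeper depends on ASPF inspection rather than on the ACL.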