Cisco ASA Series Firewall CLI Configuration Guide, page 14-4
Chapter 14      Inspection for Voice and Video Protocols
  H.323 Inspection
How H.323 Works
The H.323 collection of protocols collectively may use up to two TCP connections and four to eight UDP 
connections. FastConnect uses only one TCP connection, and RAS uses a single UDP connection for 
registration, admissions, and status.
An H.323 client can initially establish a TCP connection to an H.323 server using TCP port 1720 to 
request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to 
the client to use for an H.245 TCP connection. In environments where H.323 gatekeeper is in use, the 
initial packet is transmitted using UDP.
H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 
terminals are not using FastConnect, the ASA dynamically allocates the H.245 connection based on the 
inspection of the H.225 messages.
Note The H.225 connection can also be dynamically allocated when using RAS. 
Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent 
UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically 
creates connections for the media exchange. RTP uses the negotiated port number, while RTCP uses the 
next higher port number.
The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the 
following ports.
• 1718—Gatekeeper Discovery UDP port
• 1719—RAS UDP port
• 1720—TCP Control Port
You must permit traffic for the well-known H.323 port 1719 for RAS signaling. Additionally, you must 
permit traffic for the well-known H.323 port 1720 for the H.225 call signaling; however, the H.245 
signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper 
is used, the ASA opens an H.225 connection based on inspection of the ACF and RCF messages.
After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent 
over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application 
inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 
messages.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede each 
H.225 and H.245 message before it is passed to the reliable (TCP) connection. Because the TPKT header does not 
necessarily need to be sent in the same TCP packet as the H.225 or H.245 message it frames, the ASA must 
remember the TPKT length to process and decode the messages properly. For each connection, the ASA 
keeps a record that contains the TPKT length for the next expected message.
If the ASA needs to perform NAT on IP addresses in messages, it changes the checksum, the UUIE 
length, and the TPKT length, if the TPKT is included in the TCP packet with the H.225 message. If the TPKT is sent in 
a separate TCP packet, the ASA proxy ACKs that TPKT and appends a new TPKT to the H.245 message 
with the new length.
Note The ASA does not support TCP options in the Proxy ACK for the TPKT.
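The TPKT framing behavior described above (a 4-byte RFC 1006 header carrying the total message length, which may arrive in a different TCP segment than the H.225/H.245 message it frames, and which must be regenerated with a new length after a rewrite) can be illustrated with a small stateful framer. This is an added example, not ASA code: the class names, the `demo` function and the message bytes are constructed here, and the payloads are placeholder strings rather than real ASN.1-encoded H.225.

```python
import struct

TPKT_HEADER_LEN = 4  # version(1) + reserved(1) + total length(2, big-endian)
TPKT_VERSION = 3


class TpktStream:
    """Stateful TPKT framer for one direction of one TCP connection (e.g. H.225 on TCP/1720).

    Like the per-connection record the text describes, it remembers the length of the
    next expected message across TCP segments, so a header split from its body still frames.
    """

    def __init__(self):
        self._buf = b""
        self._expected = None  # payload bytes still needed for the current message

    def feed(self, segment: bytes) -> list:
        """Append one TCP segment and return every complete message it finishes."""
        self._buf += segment
        messages = []
        while True:
            if self._expected is None:
                if len(self._buf) < TPKT_HEADER_LEN:
                    break  # header itself not complete yet; wait for the next segment
                version, _reserved, total = struct.unpack("!BBH", self._buf[:TPKT_HEADER_LEN])
                if version != TPKT_VERSION or total < TPKT_HEADER_LEN:
                    raise ValueError("malformed TPKT header: version=%d length=%d" % (version, total))
                self._expected = total - TPKT_HEADER_LEN
                self._buf = self._buf[TPKT_HEADER_LEN:]
            if len(self._buf) < self._expected:
                break  # body not complete yet; remember the length and wait
            messages.append(self._buf[:self._expected])
            self._buf = self._buf[self._expected:]
            self._expected = None
        return messages


def tpkt_wrap(payload: bytes) -> bytes:
    """Prepend a fresh TPKT header; this is what a rewritten (e.g. NATed) message needs."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(payload)) + payload


def demo() -> list:
    # Constructed sample: two placeholder messages where the second message's TPKT
    # header lands at the tail of the first segment and its body in the next one.
    msg1, msg2 = b"SETUP-call-1", b"CONNECT-call-1"
    wire = tpkt_wrap(msg1) + tpkt_wrap(msg2)
    framer = TpktStream()
    split = TPKT_HEADER_LEN + len(msg1) + TPKT_HEADER_LEN
    return framer.feed(wire[:split]) + framer.feed(wire[split:])
```

`demo()` returns both messages intact even though the second header was separated from its body, which is exactly the case that forces the per-connection length record.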
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection 
and times out with the H.323 timeout as configured with the timeout command.