38-3
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 38 Configuring Inspection for Voice and Video Protocols
H.323 Inspection
H.323 Inspection Overview
H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and
VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication
Union for multimedia conferences over LANs. The adaptive security appliance supports H.323 through
Version 6, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the adaptive security appliance supports multiple calls on the same call
signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and
reduces the use of ports on the adaptive security appliance.
The two major functions of H.323 inspection are as follows:
• NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323
messages are encoded in PER encoding format, the adaptive security appliance uses an ASN.1
decoder to decode the H.323 messages.
• Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
How H.323 Works
The H.323 collection of protocols collectively may use up to two TCP connection and four to eight UDP
connections. FastConnect uses only one TCP connection, and RAS uses a single UDP connection for
registration, admissions, and status.
An H.323 client can initially establish a TCP connection to an H.323 server using TCP port 1720 to
request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to
the client to use for an H.245 TCP connection. In environments where H.323 gatekeeper is in use, the
initial packet is transmitted using UDP.
H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323
terminals are not using FastConnect, the adaptive security appliance dynamically allocates the H.245
connection based on the inspection of the H.225 messages.
Note The H.225 connection can also be dynamically allocated when using RAS.
Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent
UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically
creates connections for the media exchange. RTP uses the negotiated port number, while RTCP uses the
next higher port number.
The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the
following ports.
• 1718—Gate Keeper Discovery UDP port
• 1719—RAS UDP port
• 1720—TCP Control Port
You must permit traffic for the well-known H.323 port 1719 for RAS signaling. Additionally, you must
permit traffic for the well-known H.323 port 1720 for the H.225 call signaling; however, the H.245
signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper
is used, the adaptive security appliance opens an H.225 connection based on inspection of the ACF and
RCF nmessages.
To Next Page
Loading...
