13-9
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
The H.323 control channel handles H.225, H.245, and H.323 RAS. The H.323 inspection engine uses
the following ports:
1718—Gate Keeper Discovery UDP port
1719—RAS UDP port
1720—TCP Control Port
The two major functions of the H.323 inspection engine are as follows:
NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323
messages are encoded in PER encoding format, FWSM uses an ASN.1 decoder to decode the H.323
messages. The H.323 inspection engine supports static NAT and dynamic NAT. It does not support
NAT on same security interfaces or outside NAT.
Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
The FWSM administrator must configure an access control list (ACL) for the well-known H.323 port
1720 for the H.225 call signaling. However, the H.245 signaling ports are negotiated between the
endpoints in the H.225 signaling.
Note When an H.323 gatekeeper is used, the FWSM opens an H.225 connection based on inspection of the
AdmissionConfirm (ACF) message.
The FWSM dynamically allocates the H.245 channel after inspecting the H.225 messages and then
“hooks up” the H.245 channel to be fixed up as well. That means whatever H.245 messages pass through
the FWSM are passed through the H.245 inspection engine, NATing embedded IP addresses and opening
the negotiated media channels.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the
H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not
necessarily need to be sent in the same TCP packet as the H.225/H.245 message, the FWSM must
remember the TPKT length to process/decode the messages properly. FWSM keeps a data structure for
each connection and that data structure contains the TPKT length for the next expected message.
If the FWSM needs to NAT any IP addresses, then it will have to change the checksum, the UUIE
(user-user information element) length, and the TPKT, if included in the TCP packet with the H.225
message. If the TPKT is sent in a separate TCP packet, then the FWSM will proxy ACK that TPKT and
append a new TPKT to the H.245 message with the new length.
Note The FWSM does not support TCP options in the Proxy ACK for the TPKT.
Each UDP connection with a packet going through the H.323 inspection engine is marked as an H.323
connection and will time out with the H.323 timeout as configured by the administrator using the
timeout command.
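The per-connection TPKT bookkeeping described above, as an added illustration that is not code from the guide or from the FWSM: a small reassembler that remembers the length of the next expected H.225/H.245 message so that a TPKT header sent in its own TCP segment, or a header split across two segments, is still matched to its message. The TPKT layout (version 3, reserved byte, 2-byte big-endian length that includes the 4-byte header) follows RFC 1006; the message bodies are constructed placeholders, not real PER-encoded H.225/H.245.

```python
import struct

TPKT_HDR_LEN = 4  # RFC 1006: version(1) reserved(1) length(2, network order, counts the header)


def tpkt_frame(payload: bytes) -> bytes:
    """Prepend a TPKT header whose length field covers header + payload."""
    return struct.pack("!BBH", 3, 0, TPKT_HDR_LEN + len(payload)) + payload


class TpktConnState:
    """Per-connection state: the inspection engine keeps the TPKT length of the
    next expected message because header and message need not share a TCP segment."""

    def __init__(self):
        self.buf = b""            # bytes received but not yet consumed
        self.expected_len = None  # header + body length of the message being collected

    def feed(self, segment: bytes):
        """Consume one TCP segment's payload; return the complete message bodies it finished."""
        self.buf += segment
        out = []
        while True:
            if self.expected_len is None:
                if len(self.buf) < TPKT_HDR_LEN:
                    return out  # header itself split across segments: wait for more
                version, _reserved, length = struct.unpack("!BBH", self.buf[:TPKT_HDR_LEN])
                if version != 3 or length < TPKT_HDR_LEN:
                    raise ValueError("malformed TPKT header")
                self.expected_len = length  # remembered across segments, as the FWSM does
            if len(self.buf) < self.expected_len:
                return out  # TPKT arrived alone or body incomplete: keep the length, wait
            body = self.buf[TPKT_HDR_LEN:self.expected_len]
            self.buf = self.buf[self.expected_len:]
            self.expected_len = None
            out.append(body)


def demo_split_delivery():
    """Constructed sample: message 1's TPKT arrives by itself, message 2's header is
    split across two segments. Returns the bodies completed by each segment."""
    msg1 = b"H225-SETUP(constructed)"
    msg2 = b"H245-OLC(constructed)"
    stream = tpkt_frame(msg1) + tpkt_frame(msg2)
    cut1 = TPKT_HDR_LEN                  # first segment: TPKT header only
    cut2 = cut1 + len(msg1) + 2          # second: body of msg1 plus half of msg2's header
    segments = [stream[:cut1], stream[cut1:cut2], stream[cut2:]]
    state = TpktConnState()
    return [state.feed(seg) for seg in segments]
```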