The H.323 standard stipulates the components, protocols, and procedures that provide multimedia communication services (audio, video, and data) over IP-based networks. Four kinds of H.323 components provide point-to-point and point-to-multipoint multimedia communication services:

  • Terminals Endpoints on the network that provide real-time two-way communications. For example, Cisco IP Phones.
  • Gateways Provide translation between circuit-switched networks and packet-based networks, enabling the endpoints to communicate.
  • Gatekeepers Responsible for call control and routing services to H.323 endpoints, system management, and some security policies.
  • Multipoint control units (MCUs) Maintain all the audio, video, data, and control streams between all the participants in the conference.

Figure 8-7 shows a basic network topology that illustrates the components of H.323.

Figure 8-7. H.323 Components


H.323 Protocol Suite

Figure 8-8 illustrates the H.323 protocol suite:

  • The G.7xx components are audio codecs.
  • The H.26x components are video codecs. The standard is H.261.

    Audio and video components sit on top of the Real-Time Transport Protocol (RTP).

  • The T.12x protocols are used in real-time exchange of data. One example is an online whiteboard application.

Figure 8-8. H.323 Protocols

In Figure 8-8, the protocols are illustrated in relation to the respective OSI layers.

The H.323 suite of protocols may use up to two TCP connections and four to six UDP connections:

  • RTP uses the Real-Time Transport Control Protocol (RTCP) to control and synchronize streaming audio and video. It allows the application to adapt the flow to specific network conditions.
  • Terminals and gatekeepers use Registration, Admission, and Status (RAS) Protocol to exchange information about call registrations, admissions, and terminations. This protocol communicates over UDP.


    The FastConnect H.323 feature uses only one TCP connection, and RAS uses UDP requests and responses for registration, admissions, and status.

  • H.225 is a protocol used to establish connections between two terminals. It runs over TCP.
  • H.245 is a protocol used between two terminals to exchange control messages. These messages include flow control and channel management commands.
  • Clients may request a Q.931 call setup over TCP port 1720 to H.323 servers. During the call setup process, the H.323 terminal provides the TCP port number for the client to use for an H.245 connection.


    The initial packet is transmitted over UDP if H.323 gatekeepers are used.

  • The Cisco ASA can monitor the Q.931 TCP connection to determine the H.245 port number. It dynamically allocates the H.245 connection based on the inspection of the H.225 messages if FastConnect is not used.
  • The terminals negotiate the port numbers to be used for subsequent UDP streams within each H.245 message. The Cisco ASA also monitors the H.245 messages to know about these ports and to create the necessary connections.


RTP uses the negotiated port number; however, RTCP uses the next higher port number.

The following are the key TCP and UDP ports in H.323 inspection:

  • Gatekeeper discovery UDP port 1718
  • RAS UDP port 1719
  • Control port TCP port 1720

H.323 Version Compatibility

Cisco ASA is compatible with H.323 versions 1, 2, 3, and 4. Figure 8-9 and Figure 8-10 show a major difference between older versions of H.323 and H.323v3 and higher.

Figure 8-9. Call Setup Pre-H.323v3

Figure 8-10. H.323v3 Call Setup Features

H.323v3 and higher supports multiple calls on one signaling connection. It accomplishes this by examining the call reference value (CRV) within the Q.931 message, as shown in Figure 8-10. This results in reduced call setup and clearing times.

Enabling H.323 Inspection

To enable H.323 inspection for H.225, use the inspect h323 h225 command. For RAS, use the inspect h323 ras command. Example 8-11 shows both commands.

Example 8-11. H.323 Inspection Commands

policy-map asa_global_fw_policy

 class inspection_default

 inspect h323 h225

 inspect h323 ras

The Cisco ASA can translate the necessary embedded IP addresses in the H.225 and H.245 packets. It also can translate H.323 connections. It uses an ASN.1 decoder to decode the H.323 Packet Encoding Rules (PER) encoded messages. The Cisco ASA also dynamically allocates the negotiated H.245, RTP, and RTCP sessions.

Additionally, the Cisco ASA analyses the TPDU Packet (TPKT) header to define the length of the H.323 messages. In H.323, Q.931 messages are exchanged over a TCP stream demarcated by TPKT encapsulations. It maintains a data structure for each connection also containing the TPKT length for the following H.323 messages.


Cisco ASA also supports segmented TPKT messages.


Direct Call Signaling and Gatekeeper Routed Control Signaling

Two control-signaling methods are defined in the ITU-T H.323 recommendation:

  • Direct Call Signaling (DCS)
  • Gatekeeper Routed Control Signaling (GKRCS)

Cisco ASA supports both methods. The Cisco ASA inspects DSC and GKRCS to ensure that the negotiation messages and correct fields are transferred between the respective devices. GKRCS inspection is done when H.323 inspection is enabled in the Cisco ASA. No additional configuration is needed.


The Cisco ASA must see the calling endpoint address within the initial H.225 setup information in order to allow the respective connection.



T.38 is the protocol used with Fax over IP (FoIP). This protocol is part of the ITU-T H.323 VoIP architecture. Cisco ASA supports inspection of this protocol. Because T.38 is a part of the H.323 protocol, inspection will be done if H.323 inspection is enabled on the Cisco ASA. No additional configuration is needed.

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net