The H.323 standard stipulates the components, protocols, and procedures that provide multimedia communication services (audio, video, and data) over IP-based networks. Four kinds of H.323 components provide point-to-point and point-to-multipoint multimedia communication services:
Figure 8-7 shows a basic network topology that illustrates the components of H.323.
Figure 8-7. H.323 Components
H.323 Protocol Suite
Figure 8-8 illustrates the H.323 protocol suite:
Audio and video components sit on top of the Real-Time Transport Protocol (RTP).
Figure 8-8. H.323 Protocols
In Figure 8-8, the protocols are illustrated in relation to the respective OSI layers.
The H.323 suite of protocols may use up to two TCP connections and four to six UDP connections:
Note
The FastConnect H.323 feature uses only one TCP connection, and RAS uses UDP requests and responses for registration, admissions, and status.
Note
The initial packet is transmitted over UDP if H.323 gatekeepers are used.
Note
RTP uses the negotiated port number; however, RTCP uses the next higher port number.
The following are the key TCP and UDP ports in H.323 inspection:
H.323 Version Compatibility
Cisco ASA is compatible with H.323 versions 1, 2, 3, and 4. Figure 8-9 and Figure 8-10 show a major difference between older versions of H.323 and H.323v3 and higher.
Figure 8-9. Call Setup Pre-H.323v3
Figure 8-10. H.323v3 Call Setup Features
H.323v3 and higher support multiple calls on one signaling connection. They accomplish this by examining the call reference value (CRV) within each Q.931 message, as shown in Figure 8-10, which reduces call setup and clearing times.
Enabling H.323 Inspection
To enable H.323 inspection for H.225, use the inspect h323 h225 command. For RAS, use the inspect h323 ras command. Example 8-11 shows both commands.
Example 8-11. H.323 Inspection Commands
policy-map asa_global_fw_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
The Cisco ASA can translate the necessary embedded IP addresses in the H.225 and H.245 packets, and it can also translate the H.323 connections themselves. It uses an ASN.1 decoder to decode the H.323 messages, which are encoded with the Packed Encoding Rules (PER). The Cisco ASA also dynamically opens the negotiated H.245, RTP, and RTCP sessions.
Additionally, the Cisco ASA analyzes the TPDU Packet (TPKT) header to determine the length of each H.323 message. In H.323, Q.931 messages are exchanged over a TCP stream in which each message is delimited by a TPKT encapsulation. The ASA maintains a per-connection data structure that also records the TPKT length of the next expected H.323 message.
Note
Cisco ASA also supports segmented TPKT messages.
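The TPKT framing and CRV-based call demultiplexing described above, as an added example that is not from the book or from Cisco: a small Python reassembler that buffers one connection's TCP payload until a complete TPKT frame is present (so a frame split across TCP segments is handled), then reads the Q.931 call reference value and message type so that two calls sharing one signaling connection can be told apart. Frame layouts follow RFC 1006 and Q.931; the sample messages are constructed.

```python
import struct

TPKT_VERSION, TPKT_HDR_LEN = 3, 4      # RFC 1006 header: version, reserved, 16-bit length
Q931_DISCRIMINATOR = 0x08
Q931_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",   # H.225 call signaling
              0x07: "CONNECT", 0x5A: "RELEASE COMPLETE", 0x62: "FACILITY"}

def parse_q931(body):
    """Return (crv, message type name) from a Q.931 header; H.225 uses a 2-octet CRV."""
    if len(body) < 3 or body[0] != Q931_DISCRIMINATOR:
        raise ValueError("not a Q.931 message")
    crv_len = body[1] & 0x0F
    if crv_len == 0 or len(body) < 3 + crv_len:
        raise ValueError("missing or truncated call reference")
    crv_bytes = bytearray(body[2:2 + crv_len])
    crv_bytes[0] &= 0x7F        # top bit is the direction flag, not part of the CRV
    msg_type = body[2 + crv_len]
    return int.from_bytes(crv_bytes, "big"), Q931_TYPES.get(msg_type, "0x%02X" % msg_type)

class TpktStream:
    """Per-connection state: buffer TCP payload until a whole TPKT frame is present."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Append one TCP segment's payload; return the complete messages it yields."""
        self.buf += chunk
        msgs = []
        while len(self.buf) >= TPKT_HDR_LEN:
            version, _, length = struct.unpack("!BBH", self.buf[:TPKT_HDR_LEN])
            if version != TPKT_VERSION or length < TPKT_HDR_LEN:
                raise ValueError("bad TPKT header")   # an inspector would drop the stream
            if len(self.buf) < length:
                break   # segmented TPKT: the rest of the frame is in a later segment
            msgs.append(parse_q931(self.buf[TPKT_HDR_LEN:length]))
            self.buf = self.buf[length:]
        return msgs

def build(crv, msg_type, payload=b""):
    # Construct a TPKT-framed Q.931 message with a 2-octet CRV (sample input only)
    body = bytes([Q931_DISCRIMINATOR, 2]) + struct.pack("!H", crv) + bytes([msg_type]) + payload
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HDR_LEN + len(body)) + body

def demo():
    # Constructed sample: calls CRV 1 and 2 share one H.225 connection; SETUP 1 is split across segments
    stream = build(1, 0x05, b"\x00" * 5) + build(2, 0x05) + build(1, 0x07)
    conn, seen = TpktStream(), []
    for part in (stream[:10], stream[10:17], stream[17:]):
        seen += conn.feed(part)
    return seen   # [(1, 'SETUP'), (2, 'SETUP'), (1, 'CONNECT')]
```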
Direct Call Signaling and Gatekeeper Routed Control Signaling
Two control-signaling methods are defined in the ITU-T H.323 recommendation:
Cisco ASA supports both methods. The Cisco ASA inspects DSC and GKRCS to ensure that the negotiation messages and correct fields are transferred between the respective devices. GKRCS inspection is done when H.323 inspection is enabled in the Cisco ASA. No additional configuration is needed.
Note
The Cisco ASA must see the calling endpoint address within the initial H.225 setup information in order to allow the respective connection.
T.38
T.38 is the protocol used for Fax over IP (FoIP) and is part of the ITU-T H.323 VoIP architecture. Cisco ASA supports inspection of this protocol. Because T.38 is part of the H.323 suite, it is inspected whenever H.323 inspection is enabled on the Cisco ASA; no additional configuration is needed.