Limitations And Restrictions; Configuring An H.323 Inspection Policy Map For Additional Inspection Control - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 25
Configuring Application Layer Protocol Inspection
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the
H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not
necessarily need to be sent in the same TCP packet as H.225 and H.245 messages, the security appliance
must remember the TPKT length to process and decode the messages properly. For each connection, the
security appliance keeps a record that contains the TPKT length for the next expected message.
If the security appliance needs to perform NAT on IP addresses in messages, it changes the checksum,
the UUIE length, and the TPKT, if it is included in the TCP packet with the H.225 message. If the TPKT
is sent in a separate TCP packet, the security appliance proxy ACKs that TPKT and appends a new TPKT
to the H.245 message with the new length.
The security appliance does not support TCP options in the Proxy ACK for the TPKT.
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection
and times out with the H.323 timeout as configured with the timeout command.
Limitations and Restrictions
The following are some of the known issues and limitations when using H.323 application inspection:
•
•
•
•
Configuring an H.323 Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an H.323 inspection policy map. You can
then apply the inspection policy map when you enable H.323 inspection according to the
Application Inspection" section on page
To create an H.323 inspection policy map, perform the following steps:
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
Step 1
"Creating a Regular Expression" section on page
commands described in
(Optional) Create one or more regular expression class maps to group regular expressions according to
Step 2
the
(Optional) Create an H.323 inspection class map by performing the following steps.
Step 3
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map. You can alternatively identify match commands directly in the policy map. The difference
between creating a class map and defining the traffic match directly in the inspection policy map is that
the class map lets you create more complex match criteria, and you can reuse class maps.
OL-12172-03
Static PAT may not properly translate IP addresses embedded in optional fields within H.323
messages. If you experience this kind of problem, do not use static PAT with H.323.
H.323 application inspection is not supported with NAT between same-security-level interfaces.
When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that
is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in
either direction. This problem is unrelated to the security appliance.
If you configure a network static address where the network static address is the same as a
third-party netmask and address, then any outbound H.323 connection fails.
Step
3.
"Creating a Regular Expression Class Map" section on page
25-5.
21-6. See the types of text you can match in the match
21-9.s
Cisco Security Appliance Command Line Configuration Guide
H.323 Inspection
"Configuring
25-39
Advertisement
Table of Contents
Troubleshooting
