Cisco Catalyst 6500 Series Configuration Manual page 257

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module
Chapter 13
Configuring Application Protocol Inspection
The H.323 control channel handles H.225, H.245, and H.323 RAS. The H.323 inspection engine uses
the following ports:
• 1718—Gatekeeper Discovery UDP port
• 1719—RAS UDP port
• 1720—TCP Control Port
The two major functions of the H.323 inspection engine are as follows:
• NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323
messages are encoded in PER encoding format, the FWSM uses an ASN.1 decoder to decode the H.323
messages. The H.323 inspection engine supports static NAT and dynamic NAT. It does not support
NAT between interfaces of the same security level or outside NAT.
• Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
The FWSM administrator must configure an access control list (ACL) that permits the well-known H.323 port
1720 for the H.225 call signaling. The H.245 signaling ports do not need to be listed in the ACL because they are negotiated between the
endpoints within the H.225 signaling and opened dynamically by the inspection engine.
Note: When an H.323 gatekeeper is used, the FWSM opens an H.225 connection based on inspection of the
AdmissionConfirm (ACF) message.
The FWSM dynamically allocates the H.245 channel after inspecting the H.225 messages and then
"hooks up" the H.245 channel to be fixed up as well. That means whatever H.245 messages pass through
the FWSM are passed through the H.245 inspection engine, NATing embedded IP addresses and opening
the negotiated media channels.
The H.323 ITU standard requires that a TPKT header, which defines the length of the message, precede each
H.225 and H.245 message before it is passed to the reliable (TCP) connection. Because the TPKT header does not
necessarily need to be sent in the same TCP packet as the H.225/H.245 message, the FWSM must
remember the TPKT length to process and decode the messages properly. The FWSM keeps a data structure for
each connection, and that data structure contains the TPKT length of the next expected message.
If the FWSM needs to NAT any IP addresses, it must also update the TCP checksum, the UUIE
(user-user information element) length, and the TPKT length, if the TPKT header is included in the TCP packet with the H.225
message. If the TPKT header is sent in a separate TCP packet, the FWSM proxy-ACKs that TPKT packet and
prepends a new TPKT header with the new length to the H.245 message.
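The per-connection state described above (a remembered TPKT length plus whatever bytes of the next message have arrived so far) is the crux of inspecting H.225/H.245 correctly when the 4-byte TPKT header and the message body land in different TCP segments. The following is an added illustration, not FWSM code or Cisco's implementation: a small Python reassembler that keeps exactly that state per connection, yields complete H.225/H.245 payloads regardless of how the stream was segmented, and a helper that re-wraps a payload whose length changed (as after address rewriting) in a fresh TPKT header. The TPKT layout (version 3, reserved byte, 16-bit big-endian length that counts the header) follows RFC 1006; the message bytes fed to it are constructed placeholders, not real H.225 encodings.

```python
"""Stateful TPKT framing for an H.225/H.245 inspection path (illustrative, not FWSM code).

TPKT header (RFC 1006): version=3 (1 byte), reserved (1 byte), length (2 bytes,
big-endian). The length includes the 4-byte header itself.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
TPKT_MAX_LEN = 0xFFFF


@dataclass
class TpktConnState:
    """What an inspection engine remembers per TCP connection.

    expected_len: total length announced by the last TPKT header seen, or None
                  when the next header has not yet been (fully) received.
    buf:          bytes received but not yet delivered as a complete message.
    """
    expected_len: Optional[int] = None
    buf: bytearray = field(default_factory=bytearray)


def feed(state: TpktConnState, segment: bytes) -> List[bytes]:
    """Consume one TCP segment's payload; return every complete H.225/H.245
    payload (TPKT header stripped) that this segment completes.

    Handles the cases the text calls out: header and body in different
    segments, a body split across segments, and several messages in one segment.
    """
    state.buf.extend(segment)
    completed: List[bytes] = []
    while True:
        if state.expected_len is None:
            if len(state.buf) < TPKT_HEADER_LEN:
                return completed            # header itself still incomplete
            version = state.buf[0]
            if version != TPKT_VERSION:
                raise ValueError(f"bad TPKT version {version}")
            length = int.from_bytes(state.buf[2:4], "big")
            if length < TPKT_HEADER_LEN:
                raise ValueError(f"TPKT length {length} shorter than header")
            state.expected_len = length      # remember until the body arrives
        if len(state.buf) < state.expected_len:
            return completed                # body not yet complete; keep waiting
        frame = bytes(state.buf[: state.expected_len])
        del state.buf[: state.expected_len]
        state.expected_len = None           # next bytes start a new header
        completed.append(frame[TPKT_HEADER_LEN:])


def tpkt_wrap(payload: bytes) -> bytes:
    """Build a TPKT header for a (possibly rewritten, hence resized) payload."""
    total = len(payload) + TPKT_HEADER_LEN
    if total > TPKT_MAX_LEN:
        raise ValueError("payload too large for a single TPKT")
    return bytes([TPKT_VERSION, 0]) + total.to_bytes(2, "big") + payload


def demo() -> List[bytes]:
    """Drive the reassembler over a deliberately awkward segmentation.

    Two constructed messages (placeholder bytes, not real H.225): the first is
    delivered as header-only, then part of the body, then the rest of the body
    together with the whole second message in one segment.
    """
    msg1 = b"H225-SETUP-PLACEHOLDER"
    msg2 = b"H225-ACF-PLACEHOLDER"
    wire = tpkt_wrap(msg1) + tpkt_wrap(msg2)
    split1 = TPKT_HEADER_LEN                 # header alone, as the text describes
    split2 = TPKT_HEADER_LEN + 5             # body cut mid-way
    segments = [wire[:split1], wire[split1:split2], wire[split2:]]
    state = TpktConnState()
    received: List[bytes] = []
    for seg in segments:
        received.extend(feed(state, seg))
    return received


if __name__ == "__main__":
    for m in demo():
        print(len(m), m)
```

The reassembler deliberately keeps no more state than the firewall needs: one pending length and one buffer per connection. A rewritten message goes back out through `tpkt_wrap`, which is where the "new TPKT with the new length" in the text comes from once NAT has changed the payload size.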
Note: The FWSM does not support TCP options in the proxy ACK for the TPKT.
Each UDP connection with a packet going through the H.323 inspection engine is marked as an H.323
connection and times out after the H.323 timeout that the administrator configures with the
timeout command.
OL-6392-01
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Detailed Information About Inspection Engines
13-9