Cisco ASA 5505 Configuration Manual page 850
H.323 Inspection
After inspecting the H.225 messages, the adaptive security appliance opens the H.245 channel and then
inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the adaptive
security appliance undergo H.245 application inspection, which translates embedded IP addresses and
opens the media channels negotiated in H.245 messages.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede each
H.225 and H.245 message before it is passed to the reliable (TCP) connection. Because the TPKT header
does not have to be sent in the same TCP packet as the H.225 or H.245 message it describes, the adaptive
security appliance must remember the TPKT length to process and decode the messages correctly. For each
connection, the adaptive security appliance keeps a record that contains the TPKT length of the next
expected message.
If the adaptive security appliance needs to perform NAT on IP addresses embedded in messages, it adjusts
the checksum, the UUIE length, and the TPKT length (if the TPKT is included in the same TCP packet as
the H.225 message). If the TPKT is sent in a separate TCP packet, the adaptive security appliance proxy
ACKs that TPKT and appends a new TPKT header with the new length to the H.245 message.
The adaptive security appliance does not support TCP options in the proxy ACK for the TPKT.
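The following is an added example, not Cisco ASA code, that models the behaviour described above: a per-connection record of the next expected TPKT length lets a TPKT header delivered in one TCP segment be matched with an H.225/H.245 body delivered in later segments, and a message whose body has been rewritten is re-framed under a fresh TPKT header carrying the new length. The message bodies, the inside address 10.1.1.5 and the mapped address 203.0.113.7 are constructed stand-ins; real H.225/H.245 bodies are ASN.1 PER encoded, and the checksum and UUIE length adjustments the appliance also performs are not modelled here.

```python
"""TPKT (RFC 1006) framing of H.225/H.245 messages over TCP.

Added example, not Cisco ASA code. It models the per-connection record
the text describes (the TPKT length of the next expected message) so a
TPKT header that arrives in one TCP segment and a body that arrives in
later segments are reassembled correctly, and it shows re-framing a
message with a new TPKT length after its body has been rewritten.
"""
import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4


class TpktStream:
    """Reassembles TPKT-framed messages from in-order TCP segment payloads."""

    def __init__(self):
        self._buf = bytearray()
        self._expected = None  # header+body length of the message in flight

    def feed(self, segment):
        """Consume one TCP segment; return the message bodies it completed."""
        self._buf += segment
        completed = []
        while True:
            if self._expected is None:
                if len(self._buf) < TPKT_HEADER_LEN:
                    break  # header split across segments: wait for the rest
                version, _reserved, length = struct.unpack(
                    "!BBH", self._buf[:TPKT_HEADER_LEN])
                if version != TPKT_VERSION or length < TPKT_HEADER_LEN:
                    raise ValueError("malformed TPKT header")
                self._expected = length  # remembered until the body is complete
            if len(self._buf) < self._expected:
                break  # body incomplete: keep the expected length, wait
            completed.append(bytes(self._buf[TPKT_HEADER_LEN:self._expected]))
            del self._buf[:self._expected]
            self._expected = None
        return completed


def frame(body):
    """Prepend a TPKT header; its length field counts header plus body."""
    total = TPKT_HEADER_LEN + len(body)
    if total > 0xFFFF:
        raise ValueError("body too large for TPKT")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + body


def reframe(body, rewrite):
    """Rewrite a message body, then emit it under a fresh TPKT header.

    The original length field is discarded because the rewritten body may be
    longer or shorter, mirroring the new TPKT the text says is appended.
    """
    return frame(rewrite(body))


# Constructed stand-ins for message bodies. Real H.225/H.245 bodies are
# ASN.1 PER encoded; plain text is used so the length change is visible.
INSIDE_ADDR = b"10.1.1.5"
MAPPED_ADDR = b"203.0.113.7"   # assumed NAT mapping for the example
MSG1 = b"H225-SETUP:" + INSIDE_ADDR
MSG2 = b"H245-OLC:" + INSIDE_ADDR + b":49152"


def nat_rewrite(body):
    """Stand-in for translating an embedded IP address (no ASN.1 handling)."""
    return body.replace(INSIDE_ADDR, MAPPED_ADDR)


def demo_reassemble():
    """Deliver two messages in awkward segmentation; return the reassembled bodies."""
    wire = frame(MSG1) + frame(MSG2)
    m1_end = len(frame(MSG1))
    # Segment 3 carries only the second message's TPKT header (the case the
    # text calls out); its body follows in two more segments.
    cuts = [0, 10, m1_end, m1_end + TPKT_HEADER_LEN, m1_end + 15, len(wire)]
    stream = TpktStream()
    bodies = []
    for start, end in zip(cuts, cuts[1:]):
        bodies += stream.feed(wire[start:end])
    return bodies


if __name__ == "__main__":
    print(demo_reassemble())
    print(reframe(MSG2, nat_rewrite))
```

Because the header-only segment leaves `_expected` set while `_buf` is short, the stream waits rather than misparsing the first body bytes as a new header; that saved length is the per-connection record the text describes.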
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection
and times out with the H.323 timeout as configured in the Configuration > Firewall > Advanced > Global
Timeouts pane.
Note
You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The
adaptive security appliance includes options to open pinholes for calls based on the
RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages
are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown, so the adaptive
security appliance opens a pinhole with source IP address/port 0/0. By default, this option is disabled.
H.239 Support in H.245 Messages
The adaptive security appliance sits between two H.323 endpoints. When the two endpoints set up a
telepresentation session so that they can send and receive a data presentation, such as spreadsheet
data, the adaptive security appliance ensures successful H.239 negotiation between them.
H.239 is a standard that allows H.300 series endpoints to open an additional video channel in a single
call. In such a call, an endpoint (such as a video phone) opens one channel for video and a second
channel for the data presentation. The H.239 negotiation occurs on the H.245 channel.
The adaptive security appliance opens pinholes for the additional media channel and the media control
channel. The endpoints use open logical channel message (OLC) to signal a new channel creation. The
message extension is part of H.245 version 13.
Decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and
decoding is performed by the ASN.1 coder.
Limitations and Restrictions
The following are some of the known issues and limitations when using H.323 application inspection:
Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01), Chapter 38, Configuring Inspection for Voice and Video Protocols, page 38-4