Limitations And Restrictions - Cisco FirePOWER ASA 5500 series Configuration Manual

H.323 Inspection
•
You must permit traffic for the well-known H.323 port 1720 for the H.225 call signaling; however, the
H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323
gatekeeper is used, the security appliance opens an H.225 connection based on inspection of the ACF
message.
After inspecting the H.225 messages, the security appliance opens the H.245 channel and then inspects
traffic sent over the H.245 channel as well. All H.245 messages passing through the security appliance
undergo H.245 application inspection, which translates embedded IP addresses and opens the media
channels negotiated in H.245 messages.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the
H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not
necessarily need to be sent in the same TCP packet as H.225 and H.245 messages, the security appliance
must remember the TPKT length to process and decode the messages properly. For each connection, the
security appliance keeps a record that contains the TPKT length for the next expected message.
If the security appliance needs to perform NAT on IP addresses in messages, it changes the checksum,
the UUIE length, and the TPKT, if it is included in the TCP packet with the H.225 message. If the TPKT
is sent in a separate TCP packet, the security appliance proxy ACKs that TPKT and appends a new TPKT
to the H.245 message with the new length.
The security appliance does not support TCP options in the Proxy ACK for the TPKT.
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection
and times out with the H.323 timeout as configured with the timeout command.

Limitations and Restrictions

The following are some of the known issues and limitations when using H.323 application inspection:
•
•
•
•
Configuring an H.323 Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an H.323 inspection policy map. You can
then apply the inspection policy map when you enable H.323 inspection according to the
Application Inspection" section on page
Cisco Security Appliance Command Line Configuration Guide
25-38
1720—TCP Control Port
Static PAT may not properly translate IP addresses embedded in optional fields within H.323
messages. If you experience this kind of problem, do not use static PAT with H.323.
H.323 application inspection is not supported with NAT between same-security-level interfaces.
When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway
that is also registered with the H.323 gatekeeper, the connection is established but no voice is heard
in either direction. This problem is unrelated to the security appliance.
If you configure a network static address where the network static address is the same as a
third-party netmask and address, then any outbound H.323 connection fails.
Chapter 25 Configuring Application Layer Protocol Inspection
25-5.
"Configuring
OL-10088-01