
Cisco ASA 5506-X Configuration Manual page 200


H.323 Inspection
The drop-connection keyword drops the packet and closes the connection. This option is available
for called or calling party matching.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server
and/or client. This option is available for called or calling party matching.
Step 5
To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
ras-rcf-pinholes enable—Enables call setup between H.323 endpoints. You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. Use this option to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled.
timeout users time—Sets the H.323 call duration limit (in hh:mm:ss format). To have no timeout, specify 00:00:00. Range is from 0:0:0 to 1193:0:0.
call-party-number—Enforces sending call party number during call setup.
h245-tunnel-block action {drop-connection | log}—Enforces H.245 tunnel blocking. Specify whether you want to drop the connection or simply log it.
rtp-conformance [enforce-payloadtype]—Checks RTP packets flowing on the pinholes for protocol conformance. The optional enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
state-checking {h225 | ras}—Enables state checking validation. You can enter the command separately to enable state checking for H.225 and RAS.

Step 6
While still in parameter configuration mode, you can configure HSI groups.
a. Define an HSI group and enter HSI group configuration mode.
hostname(config-pmap-p)# hsi-group id
Where id is the HSI group ID. Range is from 0 to 2147483647.
b. Add an HSI to the HSI group using the IP address. You can add a maximum of five hosts per HSI group.
hostname(config-h225-map-hsi-grp)# hsi ip_address
c. Add an endpoint to the HSI group.
hostname(config-h225-map-hsi-grp)# endpoint ip_address if_name
Where ip_address is the endpoint to add and if_name is the interface through which the endpoint is connected to the ASA. You can add a maximum of ten endpoints per HSI group.

Example
The following example shows how to configure phone number filtering:
hostname(config)# regex caller1 "5551234567"
hostname(config)# regex caller2 "5552345678"

Cisco ASA Series Firewall CLI Configuration Guide
8-8
Chapter 8
Inspection for Voice and Video Protocols
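
A review check for the inspection parameters and HSI group limits described in Steps 5 and 6, added here as an example and not taken from the Cisco guide. It assumes the policy map has been saved as text with one command per line; which settings count as findings is this example's own policy choice, and the map name, addresses and interface names in the sample are constructed.

```python
import re

MAX_HSI, MAX_ENDPOINTS, MAX_GROUP_ID = 5, 10, 2147483647  # limits from the text

# Constructed sample (assumed layout: one command per line, indentation ignored).
SAMPLE = """\
policy-map type inspect h323 h323_map
 parameters
  ras-rcf-pinholes enable
  timeout users 00:00:00
  state-checking h225
  rtp-conformance
  hsi-group 1
   hsi 10.1.1.1
   endpoint 10.2.2.2 inside
"""

def audit_h323_parameters(config):
    """Return review findings for the parameters block of an H.323 map."""
    seen, groups, group = set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.fullmatch(r"hsi-group (\d+)", line)
        if m:  # later hsi/endpoint lines belong to this group
            group = groups.setdefault(int(m.group(1)), {"hsi": 0, "endpoint": 0})
        elif group is not None and line.split(" ")[0] in ("hsi", "endpoint"):
            group[line.split(" ")[0]] += 1
        else:
            seen.add(line)
    findings = []
    for proto in ("h225", "ras"):  # each protocol is enabled by its own command
        if f"state-checking {proto}" not in seen:
            findings.append(f"state-checking {proto} is not enabled")
    if "rtp-conformance enforce-payloadtype" not in seen:
        findings.append("RTP payload type is not enforced on pinholes")
    if "ras-rcf-pinholes enable" in seen:
        findings.append("ras-rcf-pinholes opens pinholes with source 0/0")
    if any(re.fullmatch(r"timeout users 0+:0+:0+", s) for s in seen):
        findings.append("no H.323 call duration limit")
    for gid, g in sorted(groups.items()):
        if gid > MAX_GROUP_ID:
            findings.append(f"hsi-group {gid}: id out of range")
        if g["hsi"] > MAX_HSI:
            findings.append(f"hsi-group {gid}: more than {MAX_HSI} HSIs")
        if g["endpoint"] > MAX_ENDPOINTS:
            findings.append(f"hsi-group {gid}: more than {MAX_ENDPOINTS} endpoints")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_h323_parameters(SAMPLE)))
```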
