Limitations And Restrictions - Cisco 7604 Configuration Manual

Chapter 22 Applying Application Layer Protocol Inspection
•
You must permit traffic for the well-known H.323 port 1720 for the H.225 call signaling; however, the
H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323
gatekeeper is used, the FWSM opens an H.225 connection based on inspection of the ACF message.
After inspecting the H.225 messages, the FWSM opens the H.245 channel and then inspects traffic sent
over the H.245 channel as well. All H.245 messages passing through the FWSM undergo H.245
application inspection, which NATs embedded IP addresses and opens the media channels negotiated in
H.245 messages.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the
H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not
necessarily need to be sent in the same TCP packet as H.225 and H.245 messages, the FWSM must
remember the TPKT length to process and decode the messages properly. For each connection, the
FWSM keeps a record that contains the TPKT length for the next expected message.
If the FWSM needs to perform NAT on IP addresses in messages, it changes the checksum, the UUIE
length, and the TPKT, if it is included in the TCP packet with the H.225 message. If the TPKT is sent in
a separate TCP packet, the FWSM proxy ACKs that TPKT and appends a new TPKT to the H.245
message with the new length.
The FWSM does not support TCP options in the Proxy ACK for the TPKT.
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection
and times out with the H.323 timeout as configured with the timeout command.

Limitations and Restrictions

Some of the known issues and limitations of H.323 application inspection are as follows:
•
•
•
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
TCP port 1720—Control Port
Static PAT may not properly translate IP addresses embedded in optional fields within H.323
messages. If you experience this kind of problem, do not use static PAT with H.323.
When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that
is also registered with the H.323 gatekeeper, the connection is established but no voice is heard in
either direction. This problem is unrelated to the FWSM.
If you configure a network static address where the network static address is the same as a
third-party netmask and address, then any outbound H.323 connection fails.
Dynamic NAT (PAT) is not supported for H.323-GUP inspection.
H.323 Inspection
22-49