H.323
The H.323 standard stipulates the components, protocols, and procedures that provide multimedia communication services (audio, video, and data) over IP-based networks. Four kinds of H.323 components provide point-to-point and point-to-multipoint multimedia communication services:
- Terminals: Endpoints on the network that provide real-time two-way communications. For example, Cisco IP Phones.
- Gateways: Provide translation between circuit-switched networks and packet-based networks, enabling the endpoints to communicate.
- Gatekeepers: Responsible for call control and routing services to H.323 endpoints, system management, and some security policies.
- Multipoint control units (MCUs): Maintain all the audio, video, data, and control streams between all the participants in the conference.
Figure 8-7 shows a basic network topology that illustrates the components of H.323.
Figure 8-7. H.323 Components
H.323 Protocol Suite
Figure 8-8 illustrates the H.323 protocol suite:
- The G.7xx components are audio codecs.
- The H.26x components are video codecs. The standard is H.261. Audio and video components sit on top of the Real-Time Transport Protocol (RTP).
- The T.12x protocols are used in real-time exchange of data. One example is an online whiteboard application.
Figure 8-8. H.323 Protocols
In Figure 8-8, the protocols are illustrated in relation to the respective OSI layers.
The H.323 suite of protocols may use up to two TCP connections and four to six UDP connections:
- RTP uses the Real-Time Transport Control Protocol (RTCP) to control and synchronize streaming audio and video. It allows the application to adapt the flow to specific network conditions.
- Terminals and gatekeepers use Registration, Admission, and Status (RAS) Protocol to exchange information about call registrations, admissions, and terminations. This protocol communicates over UDP.
Note
The FastConnect H.323 feature uses only one TCP connection, and RAS uses UDP requests and responses for registration, admissions, and status.
- H.225 is a protocol used to establish connections between two terminals. It runs over TCP.
- H.245 is a protocol used between two terminals to exchange control messages. These messages include flow control and channel management commands.
- Clients may request a Q.931 call setup over TCP port 1720 to H.323 servers. During the call setup process, the H.323 terminal provides the TCP port number for the client to use for an H.245 connection.
Note
The initial packet is transmitted over UDP if H.323 gatekeepers are used.
- The Cisco ASA can monitor the Q.931 TCP connection to determine the H.245 port number. It dynamically allocates the H.245 connection based on the inspection of the H.225 messages if FastConnect is not used.
- The terminals negotiate the port numbers to be used for subsequent UDP streams within each H.245 message. The Cisco ASA also monitors the H.245 messages to know about these ports and to create the necessary connections.
Note
RTP uses the negotiated port number; however, RTCP uses the next higher port number.
The following are the key TCP and UDP ports in H.323 inspection:
- Gatekeeper discovery UDP port 1718
- RAS UDP port 1719
- Control port TCP port 1720
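The following is an added example, not code from the original text or from Cisco, that models the chain of port learning described above for a firewall performing H.323 inspection: the Q.931 setup on TCP port 1720 names the H.245 port (unless FastConnect is used), an H.245 message names the RTP port, and RTCP uses the next higher port. The event dictionaries, host addresses, and port numbers are constructed for illustration; the event names (q931_setup, h245_media) and the InspectedCall class are hypothetical and stand in for what an inspection engine would extract from real H.225 and H.245 messages.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Fixed H.323 ports named in the text; every other port is negotiated in-band.
GATEKEEPER_DISCOVERY_UDP = 1718
RAS_UDP = 1719
H225_CONTROL_TCP = 1720

Pinhole = Tuple[str, str, int, str]  # (proto, host, port, purpose)


@dataclass
class InspectedCall:
    """What an inspecting firewall learns about one H.323 call (hypothetical model).

    Q.931 SETUP on TCP/1720 names the H.245 port (unless FastConnect tunnels
    H.245 inside H.225), H.245 names the RTP port, and RTCP is RTP + 1. A later
    step is never trusted unless the earlier step was observed.
    """
    setup_seen: bool = False
    fast_connect: bool = False
    pinholes: Set[Pinhole] = field(default_factory=set)
    rejected: List[str] = field(default_factory=list)

    def observe(self, event: Dict) -> None:
        kind = event["kind"]
        if kind == "q931_setup":
            # Assumption: only setups on the control port are inspected.
            if event["dst_port"] != H225_CONTROL_TCP:
                self.rejected.append("SETUP seen off TCP/1720; not inspected")
                return
            self.setup_seen = True
            self.fast_connect = event.get("fast_connect", False)
            if not self.fast_connect:
                # The terminal supplies the TCP port to use for the H.245 connection.
                self.pinholes.add(("tcp", event["h245_host"], event["h245_port"], "H.245"))
        elif kind == "h245_media":
            # Port negotiated inside an H.245 message; only honoured after a call setup.
            if not self.setup_seen:
                self.rejected.append(
                    f"media port {event['rtp_port']} advertised before any SETUP")
                return
            rtp = event["rtp_port"]
            self.pinholes.add(("udp", event["host"], rtp, "RTP"))
            self.pinholes.add(("udp", event["host"], rtp + 1, "RTCP"))  # next higher port
        else:
            self.rejected.append(f"unknown event {kind!r}")


def expected_pinholes(events: List[Dict]) -> InspectedCall:
    """Replay a sequence of signalling events and return the resulting call state."""
    call = InspectedCall()
    for ev in events:
        call.observe(ev)
    return call


# Constructed sample: a normal (non-FastConnect) call with one media channel.
SAMPLE_EVENTS = [
    {"kind": "q931_setup", "dst_port": 1720,
     "h245_host": "192.0.2.20", "h245_port": 49152},
    {"kind": "h245_media", "host": "192.0.2.20", "rtp_port": 16384},
]

if __name__ == "__main__":
    state = expected_pinholes(SAMPLE_EVENTS)
    for hole in sorted(state.pinholes):
        print(hole)
```

Running the sample yields one TCP pinhole for H.245 and two UDP pinholes (RTP on 16384, RTCP on 16385); replaying the media event alone, without a preceding setup, opens nothing and records a rejection, which is the behaviour that makes inspection preferable to statically opening the whole dynamic port range.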
H.323 Version Compatibility
Cisco ASA is compatible with H.323 versions 1, 2, 3, and 4. Figure 8-9 and Figure 8-10 show a major difference between older versions of H.323 and H.323v3 and higher.
Figure 8-9. Call Setup Pre-H.323v3
Figure 8-10. H.323v3 Call Setup Features
H.323v3 and higher support multiple calls on one signaling connection. They accomplish this by examining the call reference value (CRV) within the Q.931 message, as shown in Figure 8-10. This results in reduced call setup and clearing times.
Enabling H.323 Inspection
To enable H.323 inspection for H.225, use the inspect h323 h225 command. For RAS, use the inspect h323 ras command. Example 8-11 shows both commands.
Example 8-11. H.323 Inspection Commands
policy-map asa_global_fw_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
The Cisco ASA can translate the necessary embedded IP addresses in the H.225 and H.245 packets. It also can translate H.323 connections. It uses an ASN.1 decoder to decode the H.323 Packet Encoding Rules (PER) encoded messages. The Cisco ASA also dynamically allocates the negotiated H.245, RTP, and RTCP sessions.
Additionally, the Cisco ASA analyzes the TPDU Packet (TPKT) header to determine the length of each H.323 message. In H.323, Q.931 messages are exchanged over a TCP stream demarcated by TPKT encapsulations. The ASA maintains a data structure for each connection that also records the TPKT length of the next H.323 message.
Note
Cisco ASA also supports segmented TPKT messages.
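The following is an added example, not code from the original text or from Cisco, that illustrates two points from this section together: the per-connection TPKT framing state (including reassembly of a TPKT frame that arrives split across TCP segments, the "segmented TPKT" case) and the H.323v3 multiplexing of several calls on one signaling connection, distinguished by the Q.931 call reference value. The TPKT header layout (version 3, reserved byte, 16-bit length including the header) and the Q.931 header layout (protocol discriminator 0x08, call reference length, CRV with its flag bit, message type) follow the respective ITU-T and IETF specifications; the SignalingConnection class, the byte stream and the segment sizes are constructed for this example, and the Q.931 information elements are left undecoded.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
Q931_PROTOCOL_DISCRIMINATOR = 0x08

# Q.931 message types commonly seen in H.225 call signalling.
Q931_MESSAGE_TYPES = {
    0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP", 0x07: "CONNECT",
    0x45: "DISCONNECT", 0x5A: "RELEASE COMPLETE", 0x62: "FACILITY",
}


@dataclass
class Q931Message:
    crv: int               # 15-bit call reference value
    from_originator: bool  # flag bit clear: sent by the side that allocated the CRV
    message_type: str
    body: bytes            # information elements, left undecoded here


def parse_q931(payload: bytes) -> Q931Message:
    """Decode the fixed Q.931 header carried inside one TPKT frame."""
    if len(payload) < 3 or payload[0] != Q931_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a Q.931 message")
    crv_len = payload[1] & 0x0F          # H.225 uses a 2-octet call reference
    if crv_len == 0 or len(payload) < 2 + crv_len + 1:
        raise ValueError("truncated call reference")
    crv_bytes = payload[2:2 + crv_len]
    flag = bool(crv_bytes[0] & 0x80)     # direction flag lives in the top bit
    crv = int.from_bytes(bytes([crv_bytes[0] & 0x7F]) + crv_bytes[1:], "big")
    mtype = payload[2 + crv_len] & 0x7F
    return Q931Message(crv, not flag,
                       Q931_MESSAGE_TYPES.get(mtype, f"UNKNOWN(0x{mtype:02X})"),
                       payload[3 + crv_len:])


@dataclass
class SignalingConnection:
    """Per-connection state: buffered bytes and the TPKT length being waited for."""
    buffer: bytearray = field(default_factory=bytearray)
    pending_len: Optional[int] = None
    calls: Dict[int, List[str]] = field(default_factory=dict)  # CRV -> message types

    def feed(self, segment: bytes) -> List[Q931Message]:
        """Consume one TCP segment; return every Q.931 message it completes."""
        self.buffer.extend(segment)
        out = []
        while True:
            if self.pending_len is None:
                if len(self.buffer) < TPKT_HEADER_LEN:
                    break                # header itself is split; wait
                version, _reserved, length = struct.unpack("!BBH", self.buffer[:4])
                if version != TPKT_VERSION or length < TPKT_HEADER_LEN:
                    raise ValueError("bad TPKT header")
                self.pending_len = length
            if len(self.buffer) < self.pending_len:
                break                    # segmented TPKT: body not yet complete
            frame = bytes(self.buffer[TPKT_HEADER_LEN:self.pending_len])
            del self.buffer[:self.pending_len]
            self.pending_len = None
            msg = parse_q931(frame)
            self.calls.setdefault(msg.crv, []).append(msg.message_type)
            out.append(msg)
        return out


def build_q931(crv: int, message_type: int, from_originator: bool = True,
               body: bytes = b"") -> bytes:
    """Encode a minimal Q.931 message inside a TPKT frame (constructed test data)."""
    flag = 0 if from_originator else 0x80
    q931 = bytes([Q931_PROTOCOL_DISCRIMINATOR, 0x02, flag | ((crv >> 8) & 0x7F),
                  crv & 0xFF, message_type]) + body
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(q931)) + q931


def demo_stream() -> dict:
    """Two calls on one H.225 connection, delivered in 5-byte segments."""
    stream = (build_q931(1, 0x05, body=b"\x70\x03\x80\x31\x32")  # SETUP, CRV 1 (+ constructed IE)
              + build_q931(2, 0x05)                               # SETUP, CRV 2, same connection
              + build_q931(1, 0x07, from_originator=False)        # CONNECT for CRV 1
              + build_q931(2, 0x5A, from_originator=False))       # RELEASE COMPLETE for CRV 2
    conn = SignalingConnection()
    decoded = []
    for start in range(0, len(stream), 5):  # frames straddle segment boundaries
        decoded.extend(conn.feed(stream[start:start + 5]))
    return {"messages": [(m.crv, m.message_type, m.from_originator) for m in decoded],
            "calls": dict(conn.calls), "leftover": len(conn.buffer)}


if __name__ == "__main__":
    for item in demo_stream()["messages"]:
        print(item)
```

Because the pending TPKT length is kept per connection rather than per segment, a frame split at any byte boundary, header included, is reassembled before the Q.931 header is read, and the CRV map at the end shows both calls having progressed independently over the single TCP connection.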
Direct Call Signaling and Gatekeeper Routed Control Signaling
Two control-signaling methods are defined in the ITU-T H.323 recommendation:
- Direct Call Signaling (DCS)
- Gatekeeper Routed Control Signaling (GKRCS)
Cisco ASA supports both methods. The Cisco ASA inspects DCS and GKRCS to ensure that the negotiation messages and correct fields are transferred between the respective devices. GKRCS inspection is performed whenever H.323 inspection is enabled on the Cisco ASA; no additional configuration is needed.
Note
The Cisco ASA must see the calling endpoint address within the initial H.225 setup information in order to allow the respective connection.
T.38
T.38 is the protocol used for Fax over IP (FoIP). This protocol is part of the ITU-T H.323 VoIP architecture, and Cisco ASA supports inspection of it. Because T.38 is part of the H.323 protocol suite, it is inspected whenever H.323 inspection is enabled on the Cisco ASA; no additional configuration is needed.