H.323

The H.323 standard stipulates the components, protocols, and procedures that provide multimedia communication services (audio, video, and data) over IP-based networks. Four kinds of H.323 components provide point-to-point and point-to-multipoint multimedia communication services:

Figure 8-7 shows a basic network topology that illustrates the components of H.323.

Figure 8-7. H.323 Components

 

H.323 Protocol Suite

Figure 8-8 illustrates the H.323 protocol suite:

Figure 8-8. H.323 Protocols

In Figure 8-8, the protocols are illustrated in relation to the respective OSI layers.

The H.323 suite of protocols may use up to two TCP connections and four to six UDP connections:

Note

RTP uses the negotiated port number; however, RTCP uses the next higher port number.

The following are the key TCP and UDP ports in H.323 inspection:

H.323 Version Compatibility

Cisco ASA is compatible with H.323 versions 1, 2, 3, and 4. Figure 8-9 and Figure 8-10 show a major difference between older versions of H.323 and H.323v3 and higher.

Figure 8-9. Call Setup Pre-H.323v3

Figure 8-10. H.323v3 Call Setup Features

H.323v3 and higher supports multiple calls on one signaling connection. It accomplishes this by examining the call reference value (CRV) within the Q.931 message, as shown in Figure 8-10. This results in reduced call setup and clearing times.

Enabling H.323 Inspection

To enable H.323 inspection for H.225, use the inspect h323 h225 command. For RAS, use the inspect h323 ras command. Example 8-11 shows both commands.

Example 8-11. H.323 Inspection Commands

policy-map asa_global_fw_policy class inspection_default inspect h323 h225 inspect h323 ras

The Cisco ASA can translate the necessary embedded IP addresses in the H.225 and H.245 packets. It also can translate H.323 connections. It uses an ASN.1 decoder to decode the H.323 Packet Encoding Rules (PER) encoded messages. The Cisco ASA also dynamically allocates the negotiated H.245, RTP, and RTCP sessions.

Additionally, the Cisco ASA analyses the TPDU Packet (TPKT) header to define the length of the H.323 messages. In H.323, Q.931 messages are exchanged over a TCP stream demarcated by TPKT encapsulations. It maintains a data structure for each connection also containing the TPKT length for the following H.323 messages.

Note

Cisco ASA also supports segmented TPKT messages.

 

Direct Call Signaling and Gatekeeper Routed Control Signaling

Two control-signaling methods are defined in the ITU-T H.323 recommendation:

Cisco ASA supports both methods. The Cisco ASA inspects DSC and GKRCS to ensure that the negotiation messages and correct fields are transferred between the respective devices. GKRCS inspection is done when H.323 inspection is enabled in the Cisco ASA. No additional configuration is needed.

Note

The Cisco ASA must see the calling endpoint address within the initial H.225 setup information in order to allow the respective connection.

 

T.38

T.38 is the protocol used with Fax over IP (FoIP). This protocol is part of the ITU-T H.323 VoIP architecture. Cisco ASA supports inspection of this protocol. Because T.38 is a part of the H.323 protocol, inspection will be done if H.323 inspection is enabled on the Cisco ASA. No additional configuration is needed.

Категории