H.323 and Related Applications

Voice over IP, or VoIP (including the H.323 protocol suite, SCCP, SIP, and others), is a real nightmare from both NAT and access control perspectives. VoIP applications use not one but many connections between the server and the client, initiate them in both directions, switch between these connections, and embed address and port information in upper layers of the communication that firewalls usually do not inspect. Here we look at various VoIP protocols and the extent to which they are supported by the PIX application inspection features. All VoIP systems use two or three layers of application protocols, many protocols at the same time:

 Signaling protocols (for session control and user information exchange): SIP, MGCP, H.225 and RAS in H.323, SCCP.

 Protocols for capabilities exchange: SDP, H.245.

 Audio/media protocols (used for carrying voice and video): RTP/RTCP.

H.323 can use up to two TCP connections and up to six UDP connections for a single call. Most of these are negotiated dynamically and do not use fixed ports. A basic H.323 call has the following sequence:

1. H.225 is used to initiate and terminate sessions between the endpoints (at least this connection has a fixed port number: TCP port 1720 by default). H.225 uses the Registration, Admission and Status (RAS) protocol for certain registration features (UDP ports 1718 and 1719).

2. During this process, a port for the H.245 connection is negotiated.

3. The H.245 connection is used for negotiating port numbers for the RTP/RTCP datastreams. (These ports can change during the call flow.)

H.323 version 2 provides a Fast Connect procedure which, if used, eliminates the extra H.245 connection. H.245 messages, including the RTP port negotiation, are then transmitted over the same channel as the initial H.225 connection.

NOTE

Support for H.323 version 2 was introduced in PIX firewall software version 5.3.

www.syngress.com

160 Chapter 4 • Advanced PIX Configurations

As with other application protocols, the PIX has the ability to inspect the negotiation process (for H.225, RAS, and H.245), remember the ports required for the connection between the parties, and perform NAT or PAT on the data portion of the packet. The two commands for controlling H.323 application inspection are:

[no] fixup protocol h323 h225 port[-port]

[no] fixup protocol h323 ras port[-port]

The first command is used for configuring the ports that are monitored for H.225 messages (mainly for the H.245 port negotiation), and the second is for the ports on which RAS messages are intercepted. The default settings are:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

In PIX terms, "H.323 protocol inspection" means inspection of all the protocols used in H.323 VoIP calls. Inspection of H.323 v2 was first implemented in PIX version 5.3. This was mainly support for H.225 and H.245 inspection, including static or dynamic NAT on the packet contents. RAS support was introduced in PIX firewall software version 6.2. That version also adds PAT support.

Two major tasks performed by the PIX are:

 Monitoring and modification of the IP addresses and ports embedded in H.225, H.245, and RAS messages. These messages are encoded in PER format, so an ASN.1 decoder is used internally.

 Opening the connections required for normal operation based on the preceding information.

Note that the first task is performed correctly even if messages are split into two or more packets. They are in fact usually split into two packets, the first one carrying only the so-called TPKT header. When the PIX receives such a packet, it stores the information in an internal table, proxy ACKs the packet to the sender, and after receiving the next packet with the IP address information, modifies the necessary fields and sends out the modified message together with a new TPKT header. The PIX proxy feature does not support TCP options in the TPKT header packet.
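The TPKT framing just described, as an added example that is not part of the original chapter or of Cisco's PIX code: a small Python reassembler that holds back a header-only segment, completes the PDU when the body arrives, decodes the Q.931 header at the start of an H.225 message, and re-frames a body behind a fresh TPKT header. The message-type table is from Q.931; the SETUP bytes are constructed sample data, and the PER-encoded information elements where the embedded addresses actually live are located but not decoded.

```python
"""TPKT framing for H.225 call signaling (RFC 1006 over TCP port 1720).

Added example, not code from the original chapter or from Cisco's PIX
software. The 4-byte TPKT header and the Q.931 body it announces often
arrive in separate TCP segments, so an inspecting firewall must hold the
header, wait for the body, and re-emit a new TPKT header when forwarding.
"""
import struct
from dataclasses import dataclass, field

TPKT_VERSION = 3        # RFC 1006 fixes the version octet at 3
TPKT_HEADER_LEN = 4     # version, reserved, 16-bit total length
Q931_PROTOCOL_DISCRIMINATOR = 0x08

# Q.931 message type octet (bit 8 is always 0)
Q931_MESSAGE_TYPES = {
    0x01: "ALERTING",
    0x02: "CALL PROCEEDING",
    0x05: "SETUP",
    0x07: "CONNECT",
    0x5A: "RELEASE COMPLETE",
    0x62: "FACILITY",
}


def tpkt_frame(payload: bytes) -> bytes:
    """Prepend a new TPKT header; the length field covers header plus payload."""
    total = TPKT_HEADER_LEN + len(payload)
    if total > 0xFFFF:
        raise ValueError("payload too large for a single TPKT PDU")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + payload


@dataclass
class TpktReassembler:
    """Accumulate TCP segment payloads and return only complete TPKT bodies."""
    _buf: bytearray = field(default_factory=bytearray)

    def feed(self, segment: bytes) -> list[bytes]:
        self._buf.extend(segment)
        bodies = []
        while len(self._buf) >= TPKT_HEADER_LEN:
            version, _reserved, length = struct.unpack("!BBH", self._buf[:TPKT_HEADER_LEN])
            if version != TPKT_VERSION or length < TPKT_HEADER_LEN:
                raise ValueError(f"bad TPKT header: version={version} length={length}")
            if len(self._buf) < length:
                break  # body not here yet: the point at which the PIX proxy-ACKs
            bodies.append(bytes(self._buf[TPKT_HEADER_LEN:length]))
            del self._buf[:length]
        return bodies

    def pending(self) -> int:
        """Bytes held back because their PDU is still incomplete."""
        return len(self._buf)


def parse_q931_header(body: bytes) -> dict:
    """Decode the Q.931 header: discriminator, call reference, message type.

    The information elements (including the PER-encoded H.225 User-user IE
    that the firewall rewrites) start at the returned offset.
    """
    if len(body) < 3 or body[0] != Q931_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a Q.931 message")
    crv_len = body[1] & 0x0F
    type_index = 2 + crv_len
    if len(body) <= type_index:
        raise ValueError("truncated Q.931 header")
    msg_type = body[type_index] & 0x7F
    return {
        "call_reference": body[2:type_index].hex(),
        "message_type": Q931_MESSAGE_TYPES.get(msg_type, f"0x{msg_type:02x}"),
        "ie_offset": type_index + 1,
    }


# Constructed sample: SETUP with a 2-octet call reference 0x0001, followed by
# placeholder bytes standing in for the real information elements.
SAMPLE_SETUP_BODY = bytes([0x08, 0x02, 0x00, 0x01, 0x05]) + b"\x7e\x00\x04dead"


def demo_split_delivery() -> dict:
    """Deliver one PDU as header-only, then body: the split the text describes."""
    frame = tpkt_frame(SAMPLE_SETUP_BODY)
    r = TpktReassembler()
    after_header = r.feed(frame[:TPKT_HEADER_LEN])  # nothing complete yet
    held = r.pending()
    after_body = r.feed(frame[TPKT_HEADER_LEN:])    # whole PDU now available
    return {
        "after_header": after_header,
        "held_bytes": held,
        "after_body": after_body,
        "q931": parse_q931_header(after_body[0]) if after_body else None,
    }


if __name__ == "__main__":
    print(demo_split_delivery())
```

Run as a script to see the header-only segment yield nothing, four bytes held back, and the SETUP decoded once the body arrives. Rewriting the addresses inside the PER-encoded User-user IE is the part this example leaves out; the framing logic is what makes that rewrite possible without corrupting the TCP stream.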

UDP datastream connections are closed after the timeout period. This works in the same way as with general UDP packets, but you can use the following command to configure the timeout for these datastreams separately from the general timeout:

timeout h323 hh:mm:ss


The default timeout is 5 minutes (this is also the minimum setting), which is equivalent to:

PIX1(config)# timeout h323 0:5:0

NOTE

When RAS and gatekeepers are used, the initial setup is different. The client first sends an "Admission Request" (ARQ) UDP message, and the gatekeeper replies with an "Admission Confirmation" (ACF) message that provides the IP address and port number for the H.225 connection. There is no need to permit inbound traffic to port 1720 in this case; the PIX opens the necessary port based on its inspection of the ACF message. Without gatekeepers, you need to permit inbound traffic to the H.225 port (1720 by default), and that permit should be scoped to the translated address of the H.323 endpoint rather than to every inside host.

Besides hardware-based VoIP solutions, the H.323 set of protocols is also used by Intel Internet Phone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, and Microsoft NetMeeting.

CU-SeeMe is able to work in two different modes: H.323-compliant and native mode. Native mode is used when connecting to another CU-SeeMe client or to a CU-SeeMe conference server. The main difference here is that it uses a native control stream on UDP port 7648. The PIX performs inspection and NAT on this stream. CU-SeeMe support (other than the support for H.323) is not configurable.