Assigning a New Port for H.323 Inspection
Pixfirewall(config)# class-map h323_port
Pixfirewall(config-cmap)# match port tcp eq 1721
Pixfirewall(config-cmap)# exit
Pixfirewall(config)# policy-map voip_map
Pixfirewall(config-pmap)# class h323_port
Pixfirewall(config-pmap-c)# inspect h323
Pixfirewall(config-pmap-c)# exit
Use the no form of this command to disable the inspection of traffic on the indicated port.
An H.323 client might initially establish a TCP connection to an H.323 server using TCP
port 1720 to request Q.931 call setup. The H.323 terminal supplies a port number to the
client to use for an H.245 TCP connection.
The two major functions of H.323 inspection are as follows:
■ Performs NAT on the embedded IP addresses in the H.225 and H.245 messages. In other
words, it translates the H.323 payload to a NAT address. (PIX Firewall uses an ASN.1
decoder to decode the H.323 messages.)
■ Dynamically creates conduits for TCP and UDP channels to allocate the negotiated
H.245 and RTP/RTCP connections.
Each UDP connection with a packet going through H.323 inspection is marked as an H.323
connection and times out with the H.323 timeout as configured by the administrator using
the timeout command. The syntax for the inspect h323 command is as follows:
inspect h323 [h225 | ras]
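
The following Python model is an added illustration of the two inspection functions and the H.323 idle timeout described above; it is not PIX code and not part of the original text. Signalling messages are constructed dictionaries standing in for decoded ASN.1 H.225/H.245 messages, and the class name, field names, addresses, and port numbers are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class H323Inspector:
    nat: dict                  # inside address -> translated address (constructed)
    control_port: int = 1720   # 1721 once remapped as in the listing above
    timeout: int = 300         # idle seconds; stands in for the configured H.323 timeout
    pinholes: dict = field(default_factory=dict)  # (proto, addr, port) -> expiry

    def inspect(self, dst_port, msg, now):
        """Handle one decoded signalling message; return what is forwarded."""
        h245_ports = {p for (proto, _, p) in self.pinholes if proto == "tcp"}
        if dst_port != self.control_port and dst_port not in h245_ports:
            return msg  # not inspected: payload untouched, no pinhole opened
        out = dict(msg)
        # Function 1: translate the address embedded in the payload.
        out["addr"] = self.nat.get(msg["addr"], msg["addr"])
        # Function 2: open pinholes for the channels negotiated in the message.
        if "h245_port" in msg:
            self._open("tcp", out["addr"], msg["h245_port"], now)
        for key in ("rtp_port", "rtcp_port"):
            if key in msg:
                self._open("udp", out["addr"], msg[key], now)
        return out

    def _open(self, proto, addr, port, now):
        # Only the UDP idle timeout is modelled; TCP teardown is out of scope.
        expiry = now + self.timeout if proto == "udp" else float("inf")
        self.pinholes[(proto, addr, port)] = expiry

    def permits(self, proto, addr, port, now):
        key = (proto, addr, port)
        expiry = self.pinholes.get(key)
        if expiry is None or now >= expiry:
            self.pinholes.pop(key, None)  # never negotiated, or idle too long
            return False
        if proto == "udp":
            self.pinholes[key] = now + self.timeout  # traffic refreshes the timer
        return True

def demo():
    # Constructed call: signalling on remapped port 1721, then H.245, then media.
    fw = H323Inspector(nat={"10.0.0.5": "192.0.2.5"}, control_port=1721)
    setup = fw.inspect(1721, {"addr": "10.0.0.5", "h245_port": 11000}, now=0)
    fw.inspect(11000, {"addr": "10.0.0.5", "rtp_port": 20000, "rtcp_port": 20001}, now=1)
    return setup, fw
```

Signalling sent to a port that the class map does not match is forwarded with its embedded address untranslated and opens no pinhole, which is why the inspected port must match the port the H.323 server actually uses.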