14-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 14 Inspection for Voice and Video Protocols
H.323 Inspection
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23
timeout 0:04:10
The show conn state ctiqbe command displays the status of CTIQBE connections. In the output, the
media connections allocated by the CTIQBE inspection engine are denoted by a ‘C’ flag. The following
is sample output from the show conn state ctiqbe command:
hostname# show conn state ctiqbe
1 in use, 10 most used
hostname# show conn state ctiqbe detail
1 in use, 10 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
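The flag legend above can be turned into a lookup table for reading connection output. The following Python is an added example, not part of the Cisco guide: the function names parse_legend and decode_conns are hypothetical, and the sample connection lines (their layout and addresses) are constructed for illustration. It keeps both meanings of the duplicated "R" entry and reports flag letters that this legend does not list.

```python
import re

# Flag legend copied from the `show conn state ctiqbe detail` output above.
LEGEND_TEXT = """Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up"""

# Constructed sample lines (assumed "flags <letters>" layout, made-up addresses).
SAMPLE_CONNS = """TCP outside:172.29.1.77/2748 inside:10.0.0.99/1117 flags UIO
UDP outside:172.29.1.77/24688 inside:10.0.0.99/16908 flags C
UDP outside:172.29.1.88/111 inside:10.0.0.50/1023 flags Rz"""

def parse_legend(text):
    """Map each case-sensitive flag letter to the list of its meanings."""
    body = " ".join(text.split("Flags:", 1)[1].split())
    legend = {}
    for entry in body.split(","):
        m = re.fullmatch(r"(\S) - (.+)", entry.strip())
        if m:  # the legend lists "R" twice, so keep every meaning
            legend.setdefault(m.group(1), []).append(m.group(2))
    return legend

def decode_conns(output, legend):
    """Decode the flags of each connection line; track letters not in the legend."""
    records = []
    for line in output.splitlines():
        m = re.search(r"\bflags\s+([A-Za-z]+)", line)
        if m:
            flags = m.group(1)
            records.append({
                "line": line.strip(),
                "meanings": {f: legend[f] for f in flags if f in legend},
                "unknown": [f for f in flags if f not in legend],
                "ctiqbe_media": "C" in flags,  # 'C' marks CTIQBE media, per the text
            })
    return records

if __name__ == "__main__":
    for rec in decode_conns(SAMPLE_CONNS, parse_legend(LEGEND_TEXT)):
        print(rec["ctiqbe_media"], rec["meanings"], rec["unknown"])
```

Flag letters are case-sensitive ('C' is CTIQBE media, 'D' is DNS, 'd' is dump), so the lookup must not fold case.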
H.323 Inspection
The following sections describe the H.323 application inspection.
• H.323 Inspection Overview, page 14-3
• H.239 Support in H.245 Messages, page 14-5
• Limitations for H.323 Inspection, page 14-5
• Configure H.323 Inspection, page 14-6
• Configuring H.323 and H.225 Timeout Values, page 14-10
• Verifying and Monitoring H.323 Inspection, page 14-10
H.323 Inspection Overview
H.323 inspection provides support for H.323-compliant applications such as Cisco CallManager and
VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication
Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including
the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the ASA supports multiple calls on the same call signaling channel, a
feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports
on the ASA.
The two major functions of H.323 inspection are as follows:
• NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323
messages are encoded in PER encoding format, the ASA uses an ASN.1 decoder to decode the
H.323 messages.
• Dynamically allocate the negotiated H.245 and RTP/RTCP connections. The H.225 connection can
also be dynamically allocated when using RAS.