Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
ALG—H.323 vTCP with High Availability Support for Firewall and NAT
Downloads: This chapterpdf (PDF - 1.32MB) The complete bookPDF (PDF - 6.32MB) | The complete bookePub (ePub - 1.19MB) | Feedback

ALG—H.323 vTCP with High Availability Support for Firewall and NAT

Contents

ALG—H.323 vTCP with High Availability Support for Firewall and NAT

The ALG—H.323 vTCP with High Availability Support for Firewall and NAT feature enhances the H.323 application-level gateway (ALG) to support a TCP segment that is not a single H.323 message. Virtual TCP (vTCP) supports TCP segment reassembly. Prior to this introduction of the feature, the H.323 ALG processed a TCP segment only if it was a complete H.323 message. If the TCP segment was more than one message, the H.323 ALG ignored the TCP segment and the packet was passed without processing.

This module describes how to configure the ALG—H.323 vTCP with high availability (HA) support for firewalls.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for ALG—H.323 vTCP with High Availability Support for Firewall and NAT

  • When an incoming TCP segment is not a complete H.323 message, the H.323 ALG buffers the TCP segment while waiting for the rest of the message. The buffered data is not synchronized to the standby device for high availability (HA).
  • The performance of the H.323 ALG may get impacted when vTCP starts to buffer data.

Information About ALG—H.323 vTCP with High Availability Support for Firewall and NAT

Application-Level Gateways

An application-level gateway (ALG), also known as an application-layer gateway, is an application that translates the IP address information inside the payload of an application packet. An ALG is used to interpret the application-layer protocol and perform firewall and Network Address Translation (NAT) actions. These actions can be one or more of the following depending on your configuration of the firewall and NAT:
  • Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
  • Recognize application-specific commands and offer granular security control over them.
  • Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
  • Translate the network-layer address information that is available in the application payload.

The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.

Basic H.323 ALG Support

H.323 is a recommendation published by the ITU-T defining a series of network elements and protocols for multimedia transmission through packet-based networks. H.323 defines a number of network elements used in multimedia transmission.

Although most H.323 implementations today utilize TCP as the transport mechanism for signaling, H.323 Version 2 enables basic UDP transport.

  • H.323 Terminal—This element is an endpoint in the network, providing two-way communication with another H.323 terminal or gateway.
  • H.323 Gateway—This element provides protocol conversion between H.323 terminals and other terminals that do not support H.323.
  • H.323 Gatekeeper—This element provides services like address translation, network access control, and bandwidth management and account for H.323 terminals and gateways.

The following core protocols are described by the H.323 specification:

  • H.225—This protocol describes call signaling methods used between any two H.323 entities to establish communication.
  • H.225 Registration, Admission, and Status (RAS)—This protocol is used by the H.323 endpoint and gateway for address resolution and admission control services.
  • H.245—This protocol is used for exchanging the capabilities of multimedia communication and for the opening and closing of logical channels for audio, video, and data.

In addition to the protocols listed, the H.323 specification describes the use of various IETF protocols like the Real Time Transport (RTP) protocol and audio (G.711, G.729, and so on) and video (H.261, H.263, and H.264) codecs.

NAT requires a variety of ALGs to handle Layer 7 protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels. The H.323 ALG performs these specific services for H.323 messages.

Overview of vTCP for ALG Support

When a Layer 7 protocol uses TCP for transportation, the TCP payload can be segmented due to various reasons, such as application design, maximum segment size (MSS), TCP window size, and so on. The application-level gateways (ALGs) that the firewall and NAT support do not have the capability to recognize TCP fragments for packet inspection. vTCP is a general framework that ALGs use to understand TCP segments and to parse the TCP payload.

vTCP helps applications like NAT and Session Initiation Protocol (SIP) that require the entire TCP payload to rewrite the embedded data. The firewall uses vTCP to help ALGs support data splitting between packets.

When you configure firewall and NAT ALGs, the vTCP functionality is activated.

vTCP currently supports Real Time Streaming Protocol (RTSP) and DNS ALGs.

TCP Acknowledgment and Reliable Transmission

Because vTCP resides between two TCP hosts, a buffer space is required to store TCP segments temporarily, before they are sent to other hosts. vTCP ensures that data transmission occurs properly between hosts. vTCP sends a TCP acknowledgment (ACK) to the sending host if vTCP requires more data for data transmission. vTCP also keeps track of the ACKs sent by the receiving host from the beginning of the TCP flow to closely monitor the acknowledged data.

vTCP reassembles TCP segments. The IP header and the TCP header information of the incoming segments are saved in the vTCP buffer for reliable transmission.

vTCP can make minor changes in the length of outgoing segments for NAT-enabled applications. vTCP can either squeeze the additional length of data to the last segment or create a new segment to carry the extra data. The IP header or the TCP header content of the newly created segment is derived from the original incoming segment. The total length of the IP header and the TCP header sequence numbers are adjusted accordingly.

vTCP with NAT and Firewall ALGs

ALG is a subcomponent of NAT and the firewall. Both NAT and the firewall have a framework to dynamically couple their ALGs. When the firewall performs a Layer 7 inspection or NAT performs a Layer 7 fix-up, the parser function registered by the ALGs is called and ALGs take over the packet inspection. vTCP mediates between NAT and the firewall and the ALGs that use these applications. In other words, packets are first processed by vTCP and then passed on to ALGs. vTCP reassembles the TCP segments in both directions within a TCP connection.

Overview of ALG—H.323 vTCP with High Availability Support

The ALG-H.323 vTCP with High Availability Support for Firewall and NAT feature enhances the H.323 application-level gateway (ALG) to support a TCP segment that is not a single H.323 message. After the H.323 ALG is coupled with vTCP, the firewall and NAT interact with the H.323 ALG through vTCP. When vTCP starts to buffer data, the high availability (HA) function is impacted, because vTCP cannot synchronize the buffered data to a standby device. If the switchover to the standby device happens when vTCP is buffering data, the connection may be reset if the buffered data is not synchronized to the standby device. After the buffered data is acknowledged by vTCP, the data is lost and the connection is reset. The firewall and NAT synchronize the data for HA. vTCP only synchronizes the status of the current connection to the standby device, and in case of errors, the connection is reset.

How to Configure ALG—H.323 vTCP with High Availability Support for Firewall and NAT

Configuring ALG—H.323 vTCP with High Availability Support for Firewalls

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    class-map type inspect match-any class-map-name

    4.    match protocol protocol-name

    5.    match protocol protocol-name

    6.    exit

    7.    policy-map type inspect policy-map-name

    8.    class type inspect class-map-name

    9.    inspect

    10.    exit

    11.    class class-default

    12.    exit

    13.    zone security zone-name

    14.    exit

    15.    zone-pair security zone-pair-name source source-zone destination destination-zone

    16.    service-policy type inspect policy-map-name

    17.    exit

    18.    interface type number

    19.    zone member security zone-name

    20.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable 
     
    Enables privileged EXEC mode
    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal 
     

    Enters global configuration mode.

     
    Step 3 class-map type inspect match-any class-map-name


    Example:
    Device(config)# class-map type inspect match-any h.323-class 
     

    Creates an inspect type class map and enters QoS class-map configuration mode.

     
    Step 4 match protocol protocol-name


    Example:
    Device(config-cmap)# match protocol h323 
     

    Configures the match criteria for a class map on the basis of the named protocol.

     
    Step 5 match protocol protocol-name


    Example:
    Device(config-cmap)# match protocol h323ras 
     

    Configures the match criteria for a class map on the basis of the named protocol.

     
    Step 6 exit


    Example:
    Device(config-cmap)# exit 
     

    Exits QoS class-map configuration mode and enters global configuration mode.

     
    Step 7 policy-map type inspect policy-map-name


    Example:
    Device(config)# policy-map type inspect h.323-policy 
     

    Creates an inspect type policy map and enters QoS policy-map configuration mode.

     
    Step 8 class type inspect class-map-name


    Example:
    Device(config-pmap)# class type inspect h.323-class 
     

    Specifies the class on which the action is performed and enters QoS policy-map class configuration mode.

     
    Step 9 inspect


    Example:
    Device(config-pmap-c)# inspect 
     

    Enables stateful packet inspection.

     
    Step 10 exit


    Example:
    Device(config-pmap-c)# exit 
     

    Exits QoS policy-map class configuration mode and enters policy-map configuration mode.

     
    Step 11 class class-default


    Example:
    Device(config-pmap)# class class-default 
     
    Applies the policy map settings to the predefined default class.
    • If traffic does not match any of the match criteria in the configured class maps, it is directed to the predefined default class.
     
    Step 12 exit


    Example:
    Device(config)# exit 
     

    Exits QoS policy-map configuration mode and enters global configuration mode.

     
    Step 13 zone security zone-name


    Example:
    Device(config)# zone security inside 
     
    Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.
    • Your configuration must have two security zones to create a zone pair: a source and a destination zone.
    • In a zone pair, you can use the default zone as either the source or the destination zone.
     
    Step 14 exit


    Example:
    Device(config-sec-zone)# exit 
     

    Exits security zone configuration mode and enters global configuration mode.

     
    Step 15 zone-pair security zone-pair-name source source-zone destination destination-zone


    Example:
    Device(config)# zone-pair security inside-outside source inside destination outside 
     
    Creates a pair of security zones and enters security-zone-pair configuration mode.
    • To apply a policy, you must configure a zone pair.
     
    Step 16 service-policy type inspect policy-map-name


    Example:
    Device(config-sec-zone-pair)# service-policy type inspect h.323-policy 
     
    Attaches a firewall policy map to the destination zone pair.
    • If a policy is not configured between a pair of zones, traffic is dropped by default.
     
    Step 17 exit


    Example:
    Device(config-sec-zone-pair)# exit 
     

    Exits security zone-pair configuration mode and enters global configuration mode.

     
    Step 18 interface type number


    Example:
    Device(config)# interface gigabitethernet 0/0/1 
     

    Configures an interface and enters interface configuration mode.

     
    Step 19 zone member security zone-name


    Example:
    Device(config-if)# zone member security inside 
     
    Assigns an interface to a specified security zone.
    • When you make an interface a member of a security zone, all traffic into and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.
     
    Step 20 end


    Example:
    Device(config-if)# end 
     

    Exits interface configuration mode and enters privileged EXEC mode.

     

    Configuration Examples for ALG—H.323 vTCP with High Availability Support for Firewall and NAT

    Example: Configuring ALG—H.323 vTCP with High Availability Support for Firewalls

    Device# configure terminal
    Device(config)# class-map type inspect h.323-class
    Device(config-cmap)# match protocol h323
    Device(config-cmap)# match protocol h323ras
    Device(config-cmap)# exit
    Device(config)# policy-map type inspect h323-policy
    Device(config-pmap)# class type inspect h323
    Device(config-pmap-c)# inspect
    Device(config-pmap-c)# exit
    Device(config-pmap)# class class-default
    Device(config-pmap)# exit
    Device(config)# zone security inside
    Device(config-sec-zone)# exit
    Device(config)# zone security outside
    Device(config-sec-zone)# exit
    Device(config)# zone-pair security inside-outside source inside destination outside
    Device(config-sec-zone-pair)# service-policy type inspect h.323-policy 
    Device(config-sec-zone-pair)# exit
    Device(config)# interface gigabitethernet 0/0/1
    Device(config-if)# zone-member security inside
    Device(config-if)# exit
    Device(config)# interface gigabitethernet 0/1/1
    Device(config-if)# zone-member security outside
    Device(config-if)# end
          

    Additional References for ALG-H.323 vTCP with High Availability Support for Firewall and NAT

    Technical Assistance

    Description

    Link

    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

    Feature Information for ALG—H.323 vTCP with High Availability Support for Firewall and NAT

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for ALG—H.323 vTCP with High Availability Support for Firewall and NAT

    Feature Name

    Releases

    Feature Information

    ALG—H.323 vTCP with High Availability Support for Firewall and NAT

    Cisco IOS XE Release 3.7S

    The ALG—H.323 vTCP with High Availability Support for Firewall and NAT feature enhances the H.323 ALG to support a TCP segment that is not a single H.323 message. vTCP supports segment reassembly. Prior to the introduction of this feature, the H.323 ALG processed a TCP segment only if it was a complete H.323 message. If the TCP segment was more than one message, the H.323 ALG ignored the TCP segment and the packet was passed without processing.