Cisco IOS Firewall — H.323 V3/V4 Support
First Published: July 11, 2008
Last Updated: June 30, 2009
The H.323 V3/V4 support feature provides Cisco IOS Firewall with support for the H.323 Voice over IP (VoIP) Version 3 and Version 4 protocols. With Version 3 and Version 4 support, features like call signaling (H.225) over User Datagram Protocol (UDP), multiple call signaling over a single TCP connection, T.38 Fax over TCP, and address resolution using border elements are supported. Support for a rate-limiting mechanism to monitor call attempt rate and call aggregation is also introduced and can be enabled.
H.323 is a multiprotocol and multichannel suite. Channel negotiation parameters are embedded inside encoded H.323 control messages. The Base H.323 Application Layer Gateway (ALG) Support feature provides support in Cisco IOS Firewall environments to process the H.323 control messages.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Cisco IOS Firewall — H.323 V3/V4 Support
• Restrictions for Cisco IOS Firewall — H.323 V3/V4 Support
• Information About Cisco IOS Firewall — H.323 V3/V4 Support
• How to Configure Cisco IOS Firewall — H.323 V3/V4 Support
• Configuration Examples for Cisco IOS Firewall — H.323 V3/V4 Support
• Additional References
• Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support
Prerequisites for Cisco IOS Firewall — H.323 V3/V4 Support
• You should be familiar with the concepts of the H.323 protocol. For information on the H.323 protocol, see the related documents and standards listed in the "Additional References" section.
Restrictions for Cisco IOS Firewall — H.323 V3/V4 Support
General
• Inspection of H.323 signaling over a secure (encrypted) channel is not supported.
ASR 1000 Series Routers
• Support is provided for gateway terminals using the H.323v4 with H.225v4 and H.245v7 protocols only.
• Backward compatibility is provided for H.323v2 messages only. H.323v1 messages are ignored.
• Multipoint conferencing, managed by the Multipoint Control Unit (MCU), is not supported.
• The T.120 protocol is not supported.
• Cisco IOS Firewall support is limited to H.323 Direct Call Signaling and H.225 RAS Call Signaling only.
Information About Cisco IOS Firewall — H.323 V3/V4 Support
To understand Cisco IOS Firewall H.323 Versions 3 and 4 support and perform the tasks defined in this module, you should understand the following concepts:
• H.323 and H.225 RAS Implementation
• H.323 and H.245 Protocol
• H.323 Version 3 and Version 4 Features Supported
• Base H.323 ALG Support
• Support of Rate Limiting Mechanism
H.323 and H.225 RAS Implementation
H.225 Registration, Admission, and Status (RAS) is the signaling protocol that Cisco IOS firewalls handle between H.323 endpoints (such as gateways) and gatekeepers. H.323 uses the H.225 standard for call setup; H.225 includes RAS control, which is used to communicate with the gatekeeper. The RAS signaling channel carries these exchanges between the gatekeeper and the H.323 endpoints.
H.323 and H.245 Protocol
During the call setup between H.323 terminals, the following protocols are used:
• H.225 Call Signaling
• H.245 Call Control
Messages of both protocols contain embedded IP addresses and ports. Any such message passing through a router running Cisco IOS Firewall must be decoded, inspected, and encoded back into the packet.
For an H.323 call to take place, an H.225 connection on TCP port 1720 must be opened. Once the H.225 connection is open, the H.245 session is initiated and established. This session can take place on a channel separate from the H.225 connection, or it can use H.245 tunneling on the same H.225 channel, whereby the H.245 messages are embedded in H.225 messages and sent on the previously established H.225 channel.
If a tunneled H.245 message is not understood, the Cisco IOS Firewall cannot translate the message, and media traffic fails. H.245 FastConnect procedures do not help, because FastConnect is terminated as soon as a tunneled H.245 message is sent.
H.323 Version 3 and Version 4 Features Supported
Table 1 lists the H.323 Version 3 and Version 4 features supported by Cisco IOS Firewall. For information on the H.323 standard, see the "Standards" section.
Note: On the ASR 1000 series routers, Cisco IOS Firewall support is limited to H.323 Direct Call Signaling and H.225 RAS Call Signaling only.
Table 1 H.323 Standards Features Supported By Cisco IOS Firewall
Standard: H.323 Version 3
Features supported by Cisco IOS Firewall:
• Caller ID
• Annex E—Protocol for Multiplexed Call Signaling Transport
• Annex G—Communication Between Administrative Domains
• Generic information transport
• Maintaining and reusing connections using the call signaling channel
• Supplementary services (call hold, call park and call pickup, message waiting indication, and call waiting)
Standard: H.323 Version 4
Features supported by Cisco IOS Firewall:
• Additive registrations
• Alternate gatekeepers
• Endpoint capacity
• Bandwidth management
• Usage information reporting
• Generic extensibility framework
• Indicating desired protocols
• Call status reporting
• Enhancements to Annex D (Real-Time Fax)
• QoS support for H.323 enhancements
• Dual Tone Multifrequency (DTMF) digit transmission using Real-Time Protocol (RTP)
Base H.323 ALG Support
The Base H.323 ALG Support feature provides support for ALGs to perform protocol-specific tasks such as processing embedded IP addresses and port numbers and extracting connection and session information from control channels and sessions.
Encoded channel-negotiation parameters are embedded in H.323 control messages. In Cisco IOS Firewall environments, the system must intercept these messages and invoke the H.323 ALG to process them.
The H.323 ALG performs the following tasks to process the messages:
• Intercepts the H.323 control messages on the H.225.0 TCP port 1720 and on the dynamically negotiated H.245 TCP port.
• Decodes the intercepted control messages.
• Parses the decoded control messages, identifies the embedded IP address and port-number pairs, and builds action info tokens based on those pairs.
• Sends the action info tokens to the Cisco IOS Firewall for processing.
The Cisco IOS Firewall performs the actions indicated by the action info tokens: session and door entry lookup, creation, and deletion, or address and port translation. When the Cisco IOS Firewall completes an action, it fills the action-result field of the action info token with the translated IP address and port number, or with an action failure indicator, and adds a flag indicating whether the packet should be dropped or forwarded. Finally, it returns the action info token to the H.323 ALG.
• Receives the modified action info token from the Cisco IOS Firewall and either drops or forwards the packet based on the information in the action info token.
Table 2 lists the H.323 control messages processed by the Base H.323 ALG Support feature. For more information on the H.323 standard, see the "Standards" section.
Table 2 H.323 Control Messages Processed by Base H.323 ALG Support
Protocol: H.225.0 Call Signalling
Messages:
• Setup
• Alert
• Call proceed
• Connect
• Facility
• Progress
• Empty
• ReleaseComplete
• SetupAcknowledge
Protocol: H.245 Media Control
Note: If tunnelling mode is enabled, H.245 messages may be embedded within H.225.0 messages.
Messages:
• OpenLogicalChannel
• OpenLogicalAck
• CloseLogicalChannel
• CloseLogicalAck
Support of Rate Limiting Mechanism
In addition to supporting Version 3 and Version 4 of the H.323 protocol, support is introduced for a rate-limiting mechanism to monitor call attempt rate and call aggregation. Rate limiting is more important for voice applications where gateways and gatekeepers are set up in less secure arrangements such as a Demilitarized Zone (DMZ). A DMZ can be vulnerable to attack from the Internet.
How to Configure Cisco IOS Firewall — H.323 V3/V4 Support
This section contains the following configuration tasks:
• Configuring a Firewall Policy for H.323 Traffic
• Configuring a Zone-Pair for H.323 Traffic and Applying an H.323 Policy Map
• Configuring Rate Limiting of H.323 Traffic Control Messages
• Configuring Deep Packet Inspection on a Layer 3 Policy Map
Configuring a Firewall Policy for H.323 Traffic
Perform the following tasks to configure a firewall policy for H.323 traffic:
• Configuring a Class Map for H.323 Traffic
• Configuring a Policy Map for H.323 Traffic
Configuring a Class Map for H.323 Traffic
Perform these steps to define the class map that describes the H.323 traffic to be permitted between zones.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect [match-any | match-all] class-map-name
4. match protocol protocol-name [parameter-map] [signature]
5. match protocol h225ras
6. match protocol h323-annexe
7. match protocol h323-nxg
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: class-map type inspect [match-any | match-all] class-map-name
Example: Router(config)# class-map type inspect match-any h323-traffic-class
Purpose: Creates a Layer 3 and Layer 4 (top level) inspect type class map and enters class-map configuration mode.
Step 4: match protocol protocol-name [parameter-map] [signature]
Example: Router(config-cmap)# match protocol h323
Purpose: Configures the match criterion for a class map on the basis of the specified protocol.
Step 5: match protocol h225ras
Example: Router(config-cmap)# match protocol h225ras
Purpose: Configures the match criterion for a class map on the basis of a specified protocol.
Note: Specify the h225ras keyword to create a class map for H.225 RAS protocol classification. For a list of supported protocols, use the command-line interface (CLI) help option (?) on your platform.
Step 6: match protocol h323-annexe
Example: Router(config-cmap)# match protocol h323-annexe
Purpose: Enables the inspection of H.323 Protocol Annex E traffic.
Step 7: match protocol h323-nxg
Example: Router(config-cmap)# match protocol h323-nxg
Purpose: Enables the inspection of H.323 Protocol Annex G traffic.
Configuring a Policy Map for H.323 Traffic
Use this task to create a policy map for H.323 traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type inspect policy-map-name
4. class type inspect class-map-name
5. inspect [parameter-map-name]
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: policy-map type inspect policy-map-name
Example: Router(config)# policy-map type inspect h323-policy
Purpose: Creates a Layer 3 or Layer 4 inspect type policy map and enters policy-map configuration mode.
Step 4: class type inspect class-map-name
Example: Router(config-pmap)# class type inspect h323-traffic-class
Purpose: Specifies the traffic (class) on which an action is to be performed.
Note: The class-map-name must match the class map name specified with the class-map type inspect command.
Step 5: inspect [parameter-map-name]
Example: Router(config-pmap-c)# inspect
Purpose: Enables Cisco IOS stateful packet inspection.
Note: The actions drop or pass may also be used here instead of the inspect command.
Configuring a Zone-Pair for H.323 Traffic and Applying an H.323 Policy Map
Use this task to configure a zone-pair for H.323 traffic and to apply an H.323 policy map to the traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. zone-pair security zone-pair-name {source source-zone-name | self} destination [self | destination-zone-name]
4. service-policy type inspect policy-map-name
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: zone-pair security zone-pair-name {source source-zone-name | self} destination [self | destination-zone-name]
Example: Router(config)# zone-pair security in-out source inside destination outside
Purpose: Creates a zone-pair and declares the names of the zones from which traffic originates (source) and to which traffic is bound (destination).
Step 4: service-policy type inspect policy-map-name
Example: Router(config-sec-zone-pair)# service-policy type inspect h323-policy
Purpose: Attaches a firewall policy map to the zone-pair.
Configuring Rate Limiting of H.323 Traffic Control Messages
Use this task to configure a rate limit on H.323 traffic control messages.
Rate Limiting of H.323 Traffic Messages
Rate limiting of H.323 control messages is implemented as an action on an H.323 class map. The messages to be rate limited are selected with match message statements in the class map, and the threshold is set with the rate-limit command as an action on that class map. The rate-limit command caps the message attempt rate, that is, the number of matching H.323 messages per second sent to and from an endpoint. Because a call attempt begins with a SETUP message, rate limiting SETUP messages controls the call attempt rate.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect protocol-name [match-any | match-all] class-map-name
4. match message message-name
5. policy-map type inspect protocol-name policy-map-name
6. class type inspect protocol-name class-map-name
7. rate-limit limit-number
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: class-map type inspect protocol-name [match-any | match-all] class-map-name
Example: Router(config)# class-map type inspect h323 match-any h323-ratelimit-class
Purpose: Creates a Layer 7 (application-specific) inspect type class map and enters class-map configuration mode.
Step 4: match message message-name
Example: Router(config-cmap)# match message setup
Purpose: Configures the match criterion for the class map on the basis of H.323 protocol messages.
Step 5: policy-map type inspect protocol-name policy-map-name
Example: Router(config)# policy-map type inspect h323 h323-ratelimit-policy
Purpose: Creates a Layer 7 inspect type policy map and enters policy-map configuration mode.
Step 6: class type inspect protocol-name class-map-name
Example: Router(config-pmap)# class type inspect h323 h323-ratelimit-class
Purpose: Specifies the Layer 7 traffic (class) on which an action is to be performed.
Note: The class-map-name must match the class map name specified with the class-map type inspect command.
Step 7: rate-limit limit-number
Example: Router(config-pmap-c)# rate-limit 1000
Purpose: Limits the number of matching messages that reach the Cisco IOS firewall each second.
Configuring Deep Packet Inspection on a Layer 3 Policy Map
Use this task to configure deep packet inspection on a Layer 3 policy map.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type inspect policy-map-name
4. class type inspect class-map-name
5. service-policy protocol-name policy-map-name
DETAILED STEPS
Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3: policy-map type inspect policy-map-name
Example: Router(config)# policy-map type inspect h323-policy
Purpose: Creates a Layer 3 and Layer 4 inspect type policy map and enters policy-map configuration mode.
Step 4: class type inspect class-map-name
Example: Router(config-pmap)# class type inspect h323-traffic-class
Purpose: Specifies the traffic (class) on which an action is to be performed.
Step 5: service-policy protocol-name policy-map-name
Example: Router(config-pmap-c)# service-policy h323 h323-ratelimit-policy
Purpose: Attaches a Layer 7 policy map to the top-level policy map.
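The five tasks above (Layer 3/4 class map, Layer 3/4 policy map, Layer 7 class map with rate limiting, deep packet inspection on the Layer 3 policy map, and the zone-pair) combine into one zone-based firewall configuration. The following is an added end-to-end example and is not taken from this document; the interface names, zone names, addresses, and the threshold of 10 SETUP messages per second are assumptions chosen for illustration:

```cisco
! Added example, not from the original document. Interface and zone names
! and the rate-limit threshold are assumptions.
!
! Security zones and interface membership
zone security inside
zone security outside
interface GigabitEthernet0/0
 description Inside LAN with the H.323 gateway
 zone-member security inside
interface GigabitEthernet0/1
 description Internet-facing link
 zone-member security outside
!
! Layer 3/4 class map for direct call signaling; this class carries the
! Layer 7 policy, so it matches the h323 protocol only
class-map type inspect match-all h323-call-class
 match protocol h323
!
! Layer 3/4 class map for the remaining H.323 signaling (RAS, Annex E, Annex G)
class-map type inspect match-any h323-traffic-class
 match protocol h225ras
 match protocol h323-annexe
 match protocol h323-nxg
!
! Layer 7 (H.323-specific) class map: call attempts only
class-map type inspect h323 match-any h323-ratelimit-class
 match message setup
!
! Layer 7 policy: cap SETUP messages at 10 per second (assumed threshold)
policy-map type inspect h323 h323-ratelimit-policy
 class type inspect h323 h323-ratelimit-class
  rate-limit 10
!
! Layer 3/4 policy: stateful inspection, with the Layer 7 policy attached
! to the call-signaling class; everything else is dropped and logged
policy-map type inspect h323-policy
 class type inspect h323-call-class
  inspect
  service-policy h323 h323-ratelimit-policy
 class type inspect h323-traffic-class
  inspect
 class class-default
  drop log
!
! Zone pair: apply the policy to traffic from inside to outside
zone-pair security in-out source inside destination outside
 service-policy type inspect h323-policy
!
! Verification from privileged EXEC mode
! show zone-pair security
! show policy-map type inspect zone-pair in-out
```

The zone-pair covers calls originating on the inside; calls arriving from the outside need a second zone-pair (outside to inside) with its own policy, because each zone-pair applies to one direction of session initiation. The rate limit is placed on SETUP alone so that it caps call attempts without affecting the other messages listed in Table 2.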
Configuration Examples for Cisco IOS Firewall — H.323 V3/V4 Support
This section contains the following configuration examples:
• Configuring a Voice Policy to Inspect H.323 Annex E Packets: Example
• Configuring a H.323 Class-Map to Match Specific Messages: Example
• Configuring a Voice Policy to Inspect H.323 Annex G Packets: Example
• Configuring a Voice Policy to Limit Call Attempt Rate: Example
Configuring a Voice Policy to Inspect H.323 Annex E Packets: Example
The following example shows how to configure a voice policy to inspect H.323 protocol Annex E packets for the "my-voice-class" class map:
class-map type inspect match-all my-voice-class
 match protocol h323-annexe
Configuring a H.323 Class-Map to Match Specific Messages: Example
The following example shows how to configure an H.323-specific class map to match H.225 SETUP or Release-Complete messages only:
class-map type inspect h323 match-any my_h323_rt_msgs
 match message setup
 match message release-complete
Configuring a Voice Policy to Inspect H.323 Annex G Packets: Example
The following example shows how to configure a voice policy to inspect H.323 protocol Annex G packets for the "my-voice-class" class map:
class-map type inspect match-all my-voice-class
 match protocol h323-nxg
Configuring a Voice Policy to Limit Call Attempt Rate: Example
The following example configures a voice policy to limit the call attempt rate to 16 calls per second for the calls terminated at 192.168.2.1. The Layer 3/4 class map selects H.323 traffic to the host named in access list 102, the Layer 7 class map selects SETUP messages, and the rate-limit action caps them at 16 per second:
access-list 102 permit ip any host 192.0.2.115
class-map type inspect match-all my_voice_class
 match protocol h323
 match access-group 102
class-map type inspect h323 match-any my_h323_rt_msgs
 match message setup
policy-map type inspect h323 my_h323_policy
 class type inspect h323 my_h323_rt_msgs
  rate-limit 16
policy-map type inspect my_voice_policy
 class type inspect my_voice_class
  inspect
  service-policy h323 my_h323_policy
Additional References
The following sections provide references related to the Cisco IOS Firewall — H.323 V3/V4 Support feature.
Related Documents
Standards
Standard | Title
ITU-T H.225.0 | Call signalling protocols and media stream packetization for packet-based multimedia communication systems
ITU-T H.245 | Control protocol for multimedia communication
ITU-T H.323 (H.323 Version 4 and earlier) | Packet-based multimedia communications systems
ITU-T H.450 | Supplementary services for multimedia
MIBs
MIB | MIBs Link
No new or modified MIBs are supported. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support
Table 3 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.4(20)T or Cisco IOS XE Release 2.1 or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 3 Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support
Feature Name: Cisco IOS Firewall — H.323 V3/V4 Support
Releases: 12.4(20)T
Feature Information: This feature introduces support for a range of H.323 Version 3 and Version 4 features and support for a rate-limiting mechanism to monitor call attempt rate and call aggregation.
The following commands were introduced or modified: class-map type inspect, class type inspect, match message, match protocol h323-annexe, match protocol h323-nxg, match protocol (zone), policy-map type inspect, rate-limit (firewall), service-policy (policy-map), service-policy type inspect.
Feature Name: Cisco IOS Firewall — Base H.323 ALG Support
Releases: Cisco IOS XE Release 2.1, Cisco IOS XE Release 2.4
Feature Information: In Cisco IOS XE Release 2.1, this feature was implemented on the Cisco ASR 1000 series routers. In Cisco IOS XE Release 2.4, this feature was modified to include H.323 RAS support.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2008-2009 Cisco Systems, Inc. All rights reserved.