Cisco IOS Firewall — H.323 V3/V4 Support


First Published: July 11, 2008
Last Updated: July 11, 2008

This feature introduces support for H.323 Voice over IP (VoIP) Version 3 and Version 4 in Cisco IOS firewalls. With Version 3 and Version 4 support, features such as call signaling (H.225) over User Datagram Protocol (UDP), multiple call signaling over a single TCP connection, T.38 Fax over TCP, and address resolution using border elements are supported. Support for a rate-limiting mechanism that monitors call attempt rate and call aggregation is also introduced and can be enabled.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support" section.

Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Cisco IOS Firewall — H.323 V3/V4 Support

Restrictions for Cisco IOS Firewall — H.323 V3/V4 Support

Information About Cisco IOS Firewall — H.323 V3/V4 Support

How to Configure Cisco IOS Firewall — H.323 V3/V4 Support

Configuration Examples for Cisco IOS Firewall — H.323 V3/V4 Support

Additional References

Command Reference

Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support

Prerequisites for Cisco IOS Firewall — H.323 V3/V4 Support

You should be familiar with the concepts of the H.323 protocol. For information on the H.323 protocol, see the related documents and standards listed in the "Additional References" section.

Restrictions for Cisco IOS Firewall — H.323 V3/V4 Support

Inspection of H.323 signaling over secure (encrypted) channel is not supported.

Information About Cisco IOS Firewall — H.323 V3/V4 Support

To understand Cisco IOS Firewall H.323 Versions 3 and 4 support and perform the tasks defined in this module, you should understand the following concepts:

H.323 and H.225 RAS Implementation

H.323 and H.245 Protocol

H.323 Version 3 and Version 4 Features Supported

Support of Rate Limiting Mechanism

H.323 and H.225 RAS Implementation

H.225 Registration, Admission, and Status (RAS) signaling in Cisco IOS firewalls is a signaling protocol that is used between endpoints (such as gateways) and gatekeepers. The H.225 standard is used by H.323 for call setup. H.225 includes RAS control, which is used to communicate with the gatekeeper. A RAS signaling channel enables connections between the gatekeeper and H.323 endpoints.

H.323 and H.245 Protocol

During the call setup between H.323 terminals, the following protocols are used:

H.225 Call Signaling

H.245 Call Control

Both protocol messages contain embedded IP addresses and ports. Any message passing through a router running Network Address Translation (NAT) must be decoded, translated, and encoded back into the packet.

In order for an H.323 call to take place, an H.225 connection on TCP port 1720 needs to be opened. When the H.225 connection is opened, the H.245 session is initiated and established. This connection can take place on a separate channel from the H.225 channel, or it can be done using H.245 tunneling on the same H.225 channel, whereby the H.245 messages are embedded in the H.225 messages and sent on the previously established H.225 channel.

If the H.245 tunneled message is not understood, the media address or port will be left untranslated by Cisco IOS NAT, resulting in failure of the media traffic. H.245 FastConnect procedures will not help, because FastConnect is terminated as soon as an H.245 tunneled message is sent.

H.323 Version 3 and Version 4 Features Supported

Table 1 lists the H.323 Version 3 and Version 4 features supported by Cisco IOS Firewall. For information on the H.323 standard, see the "Standards" section.

Table 1 H.323 Standards Features Supported By Cisco IOS Firewall

Standard: H.323 Version 3
Features supported by Cisco IOS Firewall:
Caller ID
Annex E—Protocol for Multiplexed Call Signaling Transport
Annex G—Communication Between Administrative Domains
Generic information transport
Maintaining and reusing connections using the call signaling channel
Supplementary services (call hold, call park and call pickup, message waiting indication, and call waiting)

Standard: H.323 Version 4
Features supported by Cisco IOS Firewall:
Additive registrations
Alternate gatekeepers
Endpoint capacity
Bandwidth management
Usage information reporting
Generic extensibility framework
Indicating desired protocols
Call status reporting
Enhancements to Annex D (Real-Time Fax)
QoS support for H.323 enhancements
Dual Tone Multifrequency (DTMF) digit transmission using Real-time Transport Protocol (RTP)


Support of Rate Limiting Mechanism

In addition to supporting Version 3 and Version 4 of the H.323 protocol, support is introduced for a rate-limiting mechanism to monitor call attempt rate and call aggregation. Rate limiting is more important for voice applications where gateways and gatekeepers are set up in less secure arrangements such as a Demilitarized Zone (DMZ). A DMZ can be vulnerable to attack from the Internet.

How to Configure Cisco IOS Firewall — H.323 V3/V4 Support

This section contains the following configuration tasks:

Configuring a Firewall Policy for H.323 Traffic

Configuring a Zone-Pair for H.323 Traffic and Applying an H.323 Policy Map

Configuring Rate Limiting of H.323 Traffic Control Messages

Configuring Deep Packet Inspection on a Layer 3 Policy Map

Configuring a Firewall Policy for H.323 Traffic

Perform the following tasks to configure a firewall policy for H.323 traffic:

Configuring a Class Map for H.323 Traffic

Configuring a Policy Map for H.323 Traffic

Configuring a Class Map for H.323 Traffic

Perform these steps to define the class map that describes the H.323 traffic that is to be permitted between zones.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect [match-any | match-all] class-map-name

4. match protocol protocol-name [parameter-map] [signature]

5. match protocol h323-annexe

6. match protocol h323-nxg

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect [match-any | match-all] class-map-name

Example:

Router(config)# class-map type inspect match-any h323-traffic-class

Creates a Layer 3 and Layer 4 (Top Level) inspect type class map.

Step 4 

match protocol protocol-name [parameter-map] [signature]

Example:

Router(config-cmap)# match protocol h323

Configures the match criterion for a class map on the basis of the specified protocol.

Step 5 

match protocol h323-annexe

Example:

Router(config-cmap)# match protocol h323-annexe

Enables the inspection of H.323 Protocol Annex E traffic.

Step 6 

match protocol h323-nxg

Example:

Router(config-cmap)# match protocol h323-nxg

Enables the inspection of H.323 Protocol Annex G traffic.

Configuring a Policy Map for H.323 Traffic

Use this task to create a policy map for H.323 traffic.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect policy-map-name

4. class type inspect class-map-name

5. inspect [parameter-map-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect policy-map-name

Example:

Router(config)# policy-map type inspect h323-policy

Creates a Layer 3 or Layer 4 inspect type policy map.

Step 4 

class type inspect class-map-name

Example:

Router(config-pmap)# class type inspect h323-traffic-class

Specifies the traffic (class) on which an action is to be performed.

Note The class-map-name must match the appropriate class map name specified via the class-map type inspect command.

Step 5 

inspect [parameter-map-name]

Example:

Router(config-pmap-c)# inspect

Enables Cisco IOS stateful packet inspection.

Note The actions drop or allow may also be used instead of the inspect command here.

Configuring a Zone-Pair for H.323 Traffic and Applying an H.323 Policy Map

Use this task to configure a zone-pair for H.323 traffic and to apply an H.323 policy map to the traffic.

SUMMARY STEPS

1. enable

2. configure terminal

3. zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}

4. service-policy type inspect policy-map-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}

Example:

Router(config)# zone-pair security in-out source inside destination outside

Creates a zone-pair and declares the names of the zones from which traffic is originating (source) and to which traffic is bound (destination).

Step 4 

service-policy type inspect policy-map-name

Example:

Router(config-sec-zone-pair)# service-policy type inspect h323-policy

Attaches a firewall policy map to a zone-pair.

Configuring Rate Limiting of H.323 Traffic Control Messages

Use this task to configure a rate limit on H.323 traffic control messages.

Rate Limiting of H.323 Traffic Messages

Rate limiting of H.323 traffic control messages is based on actions on H.323 class maps. The messages that are to be rate limited are specified through match message statements within the class map. The rate-limit threshold value is specified by a rate-limit command, as an action on the H.323 class map. The rate-limit command limits the message attempt rate; it limits the number of H.323 messages of the matched type sent per second to and from an endpoint. Rate limiting can therefore be used to control the call attempt rate.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect protocol-name [match-any | match-all] class-map-name

4. match message message-name

5. policy-map type inspect protocol-name policy-map-name

6. class type inspect protocol-name class-map-name

7. rate-limit limit-number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect protocol-name [match-any | match-all] class-map-name

Example:

Router(config)# class-map type inspect h323 match-any h323-ratelimit-class

Creates a Layer 7 (application-specific) inspect type class map.

Step 4 

match message message-name

Example:

Router(config-cmap)# match message setup

Configures the match criterion for a class map on the basis of H.323 protocol messages.

Step 5 

policy-map type inspect protocol-name policy-map-name

Example:

Router(config)# policy-map type inspect h323 h323-ratelimit-policy

Creates a Layer 7 inspect type policy map.

Step 6 

class type inspect protocol-name class-map-name

Example:

Router(config-pmap)# class type inspect h323 h323-ratelimit-class

Specifies the Layer 7 traffic (class) on which an action is to be performed.

Note The class-map-name must match the appropriate class map name specified via the class-map type inspect command.

Step 7 

rate-limit limit-number

Example:

Router(config-pmap-c)# rate-limit 1000

Limits the number of matched messages that the Cisco IOS firewall accepts every second.

Configuring Deep Packet Inspection on a Layer 3 Policy Map

Use this task to configure deep packet inspection on a Layer 3 policy map.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect policy-map-name

4. class type inspect class-map-name

5. service-policy protocol-name policy-map-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect policy-map-name

Example:

Router(config)# policy-map type inspect h323-policy

Creates a Layer 3 and Layer 4 inspect type policy map.

Step 4 

class type inspect class-map-name

Example:

Router(config-pmap)# class type inspect h323-traffic-class

Specifies the traffic (class) on which an action is to be performed.

Step 5 

service-policy protocol-name policy-map-name

Example:

Router(config-pmap-c)# service-policy h323 h323-ratelimit-policy

Attaches a Layer 7 policy map to a top-level policy map.

Configuration Examples for Cisco IOS Firewall — H.323 V3/V4 Support

This section contains the following configuration examples:

Configuring a Voice Policy to Inspect H.323 Annex E Packets: Example

Configuring a H.323 Class-Map to Match Specific Messages: Example

Configuring a Voice Policy to Inspect H.323 Annex G Packets: Example

Configuring a Voice Policy to Limit Call Attempt Rate: Example

Configuring a Voice Policy to Inspect H.323 Annex E Packets: Example

The following example shows how to configure a voice policy to inspect the H.323 protocol Annex E packets for the "my-voice-class" class map:


class-map type inspect match-all my-voice-class
 match protocol h323-annexe

Configuring a H.323 Class-Map to Match Specific Messages: Example

The following example shows how to configure an H.323-specific class map to match H.225 SETUP or Release Complete messages only:


class-map type inspect h323 match-any my_h323_rt_msgs
 match message setup
 match message release-complete

Configuring a Voice Policy to Inspect H.323 Annex G Packets: Example

The following example shows how to configure a voice policy to inspect the H.323 protocol Annex G packets for the "my-voice-class" class map:


class-map type inspect match-all my-voice-class
 match protocol h323-nxg

Configuring a Voice Policy to Limit Call Attempt Rate: Example

Configure a voice policy to limit the call attempt rate to 16 calls per second for the calls terminated at 192.168.2.1.


access-list 102 permit ip any host 192.168.2.1
!
class-map type inspect match-all my_voice_class
 match protocol h323
 match access-group 102
!
class-map type inspect h323 match-any my_h323_rt_msgs
 match message setup
!
policy-map type inspect h323 my_h323_policy
 class type inspect h323 my_h323_rt_msgs
  rate-limit 16
!
policy-map type inspect my_voice_policy
 class type inspect my_voice_class
  inspect
  service-policy h323 my_h323_policy
!

Additional References

The following sections provide references related to the Cisco IOS Firewall — H.323 V3/V4 Support feature.

Related Documents

Related Topic
Document Title

Overview of the H.323 Standard

"Information about H.323" in H.323 Overview, Cisco IOS Release 12.4T

Description of H.323 and RAS support in Cisco IOS firewall

H.323 RAS Support in Cisco IOS Firewall, Cisco IOS Release 12.4(11)T

Overview of class maps and policy maps for zone-based policy firewalls

"Class Maps and Policy Maps for Zone-Based Policy Firewalls" in the Zone-Based Policy Firewall, Cisco IOS Release 12.4(11)T

Description of how to configure a zone-based policy firewall

"How to Configure Zone-Based Policy Firewall" in the Zone-Based Policy Firewall, Cisco IOS Release 12.4(11)T

Cisco IOS security commands

Cisco IOS Security Command Reference


Standards

Standard
Title

ITU-T H.225.0

Call signalling protocols and media stream packetization for packet-based multimedia communication systems

ITU-T H.245

Control protocol for multimedia communication

ITU-T H.323 (H.323 Version 4 and earlier)

Packet-based multimedia communications systems

ITU-T H.450

Supplementary services for multimedia


MIBs

MIB
MIBs Link

No new or modified MIBs are supported.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/all_release/all_mcl.html.

class-map type inspect

class type inspect

match message

match protocol h323-annexe

match protocol h323-nxg

match protocol (zone)

policy-map type inspect

rate-limit (firewall)

service-policy (policy-map)

service-policy type inspect

Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support

Table 2 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 2 Feature Information for Cisco IOS Firewall — H.323 V3/V4 Support

Feature Name: Cisco IOS Firewall — H.323 V3/V4 Support
Releases: 12.4(20)T
Feature Information: This feature introduces support for a range of H.323 Version 3 and Version 4 features and support for a rate-limiting mechanism to monitor call attempt rate and call aggregation.
The following commands were introduced or modified: class-map type inspect, class type inspect, match message, match protocol h323-annexe, match protocol h323-nxg, match protocol (zone), policy-map type inspect, rate-limit (firewall), service-policy (policy-map), service-policy type inspect.