The H.323 protocol suite may use up to two TCP connections and
four to eight UDP connections. FastConnect uses only one TCP
connection, and RAS uses a single UDP connection for registration, admissions,
An H.323 client can initially establish a TCP connection to an
H.323 server using TCP port 1720 to request Q.931 call setup. As part of the
call setup process, the H.323 terminal supplies a port number to the client to
use for an H.245 TCP connection. In environments where an H.323 gatekeeper is in
use, the initial packet is transmitted using UDP.
H.323 inspection monitors the Q.931 TCP connection to determine
the H.245 port number. If the H.323 terminals are not using FastConnect, the
ASA dynamically allocates the H.245 connection based on the inspection of the
H.225 messages. The H.225 connection can also be dynamically allocated when
Within each H.245 message, the H.323 endpoints exchange port
numbers that are used for subsequent UDP data streams. H.323 inspection
inspects the H.245 messages to identify these ports and dynamically creates
connections for the media exchange. RTP uses the negotiated port number, while
RTCP uses the next higher port number.
The H.323 control channel handles H.225, H.245, and H.323 RAS.
H.323 inspection uses the following ports.
You must permit traffic for the well-known H.323 port 1719 for
RAS signaling. Additionally, you must permit traffic for the well-known H.323
port 1720 for the H.225 call signaling; however, the H.245 signaling ports are
negotiated between the endpoints in the H.225 signaling. When an H.323
gatekeeper is used, the ASA opens an H.225 connection based on inspection of
the ACF and RCF messages.
After inspecting the H.225 messages, the ASA opens the H.245
channel and then inspects traffic sent over the H.245 channel as well. All
H.245 messages passing through the ASA undergo H.245 application inspection,
which translates embedded IP addresses and opens the media channels negotiated
in H.245 messages.
Each UDP connection with a packet going through H.323 inspection
is marked as an H.323 connection and times out with the H.323 timeout as
configured in the Configuration > Firewall > Advanced > Global
You can enable call setup between H.323 endpoints when the
Gatekeeper is inside the network. The ASA includes options to open pinholes for
calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages.
Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling
endpoint's IP address is unknown, so the ASA opens a pinhole with a wildcard
source IP address/port of 0/0. By default, this option is disabled.
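The following Python model is an added example, not Cisco's ASA code, that replays the inspection logic described above: it learns the H.245 TCP port from the H.225 call setup on port 1720, learns the UDP media port from an H.245 OpenLogicalChannel and opens RTP on that port and RTCP on the next higher port, ages every pinhole out with the H.323 timeout, and implements the gatekeeper RRQ/RCF option as a pinhole whose source is the 0/0 wildcard. The message dictionaries, their field names, the 300-second timeout value, the 1024..65535 port sanity bound, and the choice to aim the RRQ/RCF pinhole at the registering endpoint's TCP 1720 are all assumptions made for this illustration; the IP addresses are constructed documentation-range values.

```python
"""Constructed model of ASA-style H.323 inspection pinholes (example code, not Cisco's)."""
from dataclasses import dataclass, field

H225_PORT = 1720   # well-known Q.931/H.225 call signaling port
RAS_PORT = 1719    # well-known RAS port
ANY = "0.0.0.0"    # wildcard source used for the gatekeeper RRQ/RCF pinhole


@dataclass(frozen=True)
class Pinhole:
    proto: str      # "tcp" or "udp"
    src_ip: str     # ANY for a wildcard source
    src_port: int   # 0 means any source port
    dst_ip: str
    dst_port: int
    kind: str       # "h245", "rtp", "rtcp" or "h225"


@dataclass
class H323Inspector:
    h323_timeout: int = 300               # assumed value standing in for the configured H.323 timeout
    gatekeeper_rrq_rcf: bool = False      # the RRQ/RCF pinhole option, disabled by default
    pinholes: dict = field(default_factory=dict)   # Pinhole -> expiry timestamp

    def _open(self, pinhole, now):
        self.pinholes[pinhole] = now + self.h323_timeout
        return pinhole

    def on_h225_setup(self, msg, now):
        """Q.931 setup on TCP 1720; the called terminal supplies the H.245 port."""
        if msg["dst_port"] != H225_PORT:
            raise ValueError("H.225 call setup is expected on TCP 1720")
        port = msg["h245_port"]
        if not 1024 <= port <= 65535:      # sanity bound assumed here, not stated on the page
            raise ValueError(f"implausible H.245 port {port}")
        return self._open(Pinhole("tcp", msg["caller_ip"], 0, msg["callee_ip"], port, "h245"), now)

    def on_h245_olc(self, msg, now):
        """H.245 OpenLogicalChannel names the UDP media port; RTCP uses port + 1."""
        rtp_port = msg["media_port"]
        if not 1024 <= rtp_port < 65535:   # leave room for the RTCP port above it
            raise ValueError(f"implausible media port {rtp_port}")
        rtp = self._open(Pinhole("udp", msg["peer_ip"], 0, msg["owner_ip"], rtp_port, "rtp"), now)
        rtcp = self._open(Pinhole("udp", msg["peer_ip"], 0, msg["owner_ip"], rtp_port + 1, "rtcp"), now)
        return rtp, rtcp

    def on_ras(self, msg, now):
        """RRQ/RCF through an inside gatekeeper: the calling endpoint is unknown,
        so the H.225 pinhole carries a 0/0 source, and only when the option is on."""
        if msg["dst_port"] != RAS_PORT:
            raise ValueError("RAS is expected on UDP 1719")
        if msg["type"] not in ("RRQ", "RCF") or not self.gatekeeper_rrq_rcf:
            return None
        return self._open(Pinhole("tcp", ANY, 0, msg["endpoint_ip"], H225_PORT, "h225"), now)

    def expire(self, now):
        """Drop pinholes whose H.323 timeout has elapsed; returns what was removed."""
        gone = [p for p, t in self.pinholes.items() if t <= now]
        for p in gone:
            del self.pinholes[p]
        return gone

    def permits(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Would a packet with this 5-tuple be admitted by a live pinhole?"""
        self.expire(now)
        return any(
            p.proto == proto and p.dst_ip == dst_ip and p.dst_port == dst_port
            and p.src_ip in (ANY, src_ip) and p.src_port in (0, src_port)
            for p in self.pinholes
        )


def run_demo(gatekeeper_option=False):
    """Replay a constructed call and report which flows the inspector admits."""
    insp = H323Inspector(gatekeeper_rrq_rcf=gatekeeper_option)
    insp.on_ras({"type": "RRQ", "dst_port": RAS_PORT, "endpoint_ip": "10.0.0.5"}, now=0)
    insp.on_h225_setup({"dst_port": H225_PORT, "caller_ip": "198.51.100.7",
                        "callee_ip": "10.0.0.5", "h245_port": 40000}, now=1)
    insp.on_h245_olc({"peer_ip": "198.51.100.7", "owner_ip": "10.0.0.5",
                      "media_port": 50000}, now=2)
    return {
        "h245": insp.permits("tcp", "198.51.100.7", 33333, "10.0.0.5", 40000, now=3),
        "rtp": insp.permits("udp", "198.51.100.7", 50002, "10.0.0.5", 50000, now=3),
        "rtcp": insp.permits("udp", "198.51.100.7", 50003, "10.0.0.5", 50001, now=3),
        "rtcp_wrong": insp.permits("udp", "198.51.100.7", 50003, "10.0.0.5", 50002, now=3),
        "h225_from_unknown": insp.permits("tcp", "203.0.113.9", 4444, "10.0.0.5", H225_PORT, now=3),
        "rtp_after_timeout": insp.permits("udp", "198.51.100.7", 50002, "10.0.0.5", 50000, now=400),
    }


if __name__ == "__main__":
    for name, admitted in run_demo().items():
        print(f"{name:>18}: {admitted}")
```

Running the demo with the option left at its default shows that only the negotiated H.245 port, the RTP port and the RTP port plus one are admitted, that an unrelated H.225 connection from an unknown source is refused, and that the media pinholes disappear once the H.323 timeout has elapsed; passing `gatekeeper_option=True` is the one change that lets the unknown-source H.225 setup through, which is why the page notes the option is off by default.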