Cisco Systems EDCS-154011 Issues with Firewalls and H.323, What is the Cisco Secure PIX Firewall?


Issues with Firewalls and H.323

What makes H.323 so cumbersome to run through a firewall is its use of multiple data ports for a single call. For an H.323 call to take place it must first open an H.225 connection on TCP port 1720, using Q.931 signaling. After this has taken place, the H.245 management session is established. While this can take place on a separate channel from the H.225 setup it can also be done using H.245 tunneling, which takes the H.245 messages and embeds them in the Q.931 messages in the previously established H.225 channel.

At this point the H.245 session opens dynamically assigned ports for the UDP-based RTP/RTCP video and audio data streams. These ports can range from 1024 to 65535. Since these ports are not known in advance, and since it would defeat the purpose of a firewall to open all these ports, a firewall must be able to “snoop” the H.323 data stream in order to open the additional ports needed for the call. This is also known as stateful inspection.

An additional problem encountered with most firewalls is the use of NAT (see “What is NAT” below for more information). Within H.323, the H.225 and H.245 signaling channels make heavy use of the embedded IP address. An example could be the following: A terminal has a private address of 10.1.1.125, which gets translated to 206.165.202.125 when it tries to place a call to an H.323 terminal with an IP address of 206.165.201.78 on the outside network. The terminal on the outside will still receive the private address within the H.225 signaling stream. Since this is a non-routable address, an attempt to make a connection back will fail. One way to get around this problem is to use an H.323-aware NAT firewall, which can rewrite the addresses in the signaling payload.
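The two firewall problems described above (dynamically negotiated RTP/RTCP ports that must be opened by inspecting the signaling, and private addresses embedded in the H.225/H.245 payload that must be rewritten under NAT) can be modelled in a few dozen lines. The following is an added example, not code from the application note or from Cisco: a toy H.323-aware stateful firewall that tracks the H.225 control connection on TCP 1720, inspects tunneled H.245 channel announcements, opens UDP pinholes only for the announced ports, and rewrites the embedded private address. The `OpenLogicalChannel addr=... rtp=... rtcp=...` text line is a constructed stand-in for the real ASN.1 PER-encoded H.245 message, and the class, method and field names are this example's own. The addresses used in the demo are the ones the text uses (10.1.1.125 translated to 206.165.202.125, calling 206.165.201.78).

```python
"""Toy H.323-aware stateful firewall with NAT (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field

H225_PORT = 1720                  # Q.931/H.225 call signaling runs over TCP 1720
MEDIA_PORTS = range(1024, 65536)  # range the text gives for dynamic RTP/RTCP ports

# Constructed, simplified form of an H.245 OpenLogicalChannel tunneled in the
# H.225 channel. Real H.245 is ASN.1 PER-encoded; only the fields we need appear here.
OLC_RE = re.compile(r"OpenLogicalChannel addr=(?P<addr>[\d.]+) rtp=(?P<rtp>\d+) rtcp=(?P<rtcp>\d+)$")


@dataclass
class H323Firewall:
    nat: dict                                   # inside private address -> outside public address
    control: set = field(default_factory=set)   # (public_addr, peer) pairs with an H.225 session
    pinholes: set = field(default_factory=set)  # (peer, public_addr, udp_port) opened by inspection

    def _translate(self, addr):
        return self.nat.get(addr, addr)

    def tcp_out(self, src, dst, dport, payload=""):
        """Outbound TCP from an inside host.

        Returns (allowed, payload as it would appear on the outside interface).
        Only the H.225 port is modelled; anything else is denied by default.
        """
        if dport != H225_PORT:
            return False, payload
        pub = self._translate(src)
        self.control.add((pub, dst))
        ok, rewritten = self._inspect(src, pub, dst, payload)
        return ok, rewritten

    def _inspect(self, priv, pub, peer, payload):
        """Snoop the signaling: open pinholes for announced media ports, fix embedded addresses."""
        out = []
        for line in payload.splitlines():
            m = OLC_RE.match(line)
            if m:
                rtp, rtcp = int(m["rtp"]), int(m["rtcp"])
                # Only honour announcements for the host that owns this control session and
                # only for ports in the expected range; otherwise drop the whole message.
                if m["addr"] != priv or rtp not in MEDIA_PORTS or rtcp not in MEDIA_PORTS:
                    return False, payload
                for port in (rtp, rtcp):
                    self.pinholes.add((peer, pub, port))
                # NAT fix-up: the far end must see the translated address, not 10.x.x.x
                line = line.replace(f"addr={priv}", f"addr={pub}")
            out.append(line)
        return True, "\n".join(out)

    def udp_in(self, src, dst, dport):
        """Inbound UDP from the outside is allowed only through a pinhole opened by inspection."""
        return (src, dst, dport) in self.pinholes

    def close_call(self, priv, peer):
        """Tear down the control session and every pinhole that belonged to it."""
        pub = self._translate(priv)
        self.control.discard((pub, peer))
        self.pinholes = {h for h in self.pinholes if not (h[0] == peer and h[1] == pub)}


def demo():
    """Walk through one call with the addresses from the text; returns what the far end sees."""
    fw = H323Firewall(nat={"10.1.1.125": "206.165.202.125"})
    signaling = "Setup\nOpenLogicalChannel addr=10.1.1.125 rtp=49170 rtcp=49171"
    allowed, seen_outside = fw.tcp_out("10.1.1.125", "206.165.201.78", H225_PORT, signaling)
    media_ok = fw.udp_in("206.165.201.78", "206.165.202.125", 49170)
    stray_ok = fw.udp_in("206.165.201.78", "206.165.202.125", 49172)
    return allowed, seen_outside, media_ok, stray_ok


if __name__ == "__main__":
    print(demo())
```

The two checks inside `_inspect` are the ones worth copying into a real inspection engine: a channel announcement that names a host other than the one that owns the control session, or a port outside the negotiated range, should not open anything, and a pinhole must die with the call that created it (`close_call`), otherwise the firewall slowly accumulates open UDP ports.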

What is the Cisco Secure PIX Firewall?

Formerly known as the PIX Firewall, the Cisco Secure PIX Firewall series is the highest-performance, enterprise-class firewall product line within the Cisco firewall family. The integrated hardware/software PIX Firewall series delivers high security without impacting network performance, scaling to meet the entire range of customer requirements.

Copyright © 2001 Cisco Systems, Inc.

Page 4 of 11
