Inspection Overview - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 14
Inspection for Voice and Video Protocols
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23
timeout 0:04:10
The show conn state ctiqbe command displays the status of CTIQBE connections. In the output, the
media connections allocated by the CTIQBE inspection engine are denoted by a 'C' flag. The following
is sample output from the show conn state ctiqbe command:
hostname# show conn state ctiqbe
1 in use, 10 most used
hostname# show conn state ctiqbe detail
1 in use, 10 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
H.323 Inspection
The following sections describe the H.323 application inspection.
•
•
•
•
•
•
•
H.323 Inspection Overview
H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and
VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication
Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including
H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the ASA supports multiple calls on the same call signaling channel, a
feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports
on the ASA.
The two major functions of H.323 inspection are as follows:
•
•
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
H.323 Inspection Overview, page 14-3
How H.323 Works, page 14-4
H.239 Support in H.245 Messages, page 14-5
Limitations for H.323 Inspection, page 14-5
Configure H.323 Inspection, page 14-6
Configuring H.323 and H.225 Timeout Values, page 14-10
Verifying and Monitoring H.323 Inspection, page 14-10
NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323
messages are encoded in PER encoding format, the ASA uses an ASN.1 decoder to decode the
H.323 messages.
Dynamically allocate the negotiated H.245 and RTP/RTCP connections. The H.225 connection can
also be dynamically allocated when using RAS.
Cisco ASA Series Firewall CLI Configuration Guide
H.323 Inspection
14-3
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
