H.323 Inspection Engine; Configuring The H.323 Inspection Engine - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
OL-6392-01, page 13-7

FTP Inspection Engine (continued)

• Reply spoofing—The PASV reply command (227) should always be sent from the server. The TCP connection is denied if a PASV reply command is sent from the client. This prevents the security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."
• TCP stream editing.
• Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. Because port numbers in the range from 1 to 1024 are reserved for well-known connections, if the negotiated port falls in this range, the TCP connection is freed.
• Command pipelining—The number of characters present after the port numbers in the PORT command and the PASV reply command is cross-checked against a constant value of 8. If it is more than 8, the TCP connection is closed.

The use of the strict option may break FTP clients that do not comply with the RFC standards.

Generates an audit trail—The FTP inspection engine generates the following system messages:
• System message 303002 is generated for each file that is retrieved or uploaded.
• System message 201005 is generated if the secondary dynamic channel preparation failed because of a memory shortage.

Translates embedded IP addresses—In conjunction with NAT, the FTP inspection engine translates the IP address within the application payload. This is described in detail in RFC 959.

H.323 Inspection Engine

Note  H.323 H.225 is enabled by default for TCP port 1720. H.323 RAS is enabled by default for UDP ports 1718-1719.

The fixup protocol h323 command provides support for H.323-compliant endpoints. The FWSM supports H.323 Versions 2, 3, and 4.

H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. H.323 supports VoIP gateways and VoIP gatekeepers.

This section includes the following topics:
• Configuring the H.323 Inspection Engine, page 13-7
• Multiple Calls on One Call Signalling Connection, page 13-8
• Viewing Connection Status, page 13-8
• Technical Background, page 13-8

Configuring the H.323 Inspection Engine

To configure the H.323 inspection engine, enter the following command:

FWSM/contexta(config)# fixup protocol h323 {h225 | ras} [port[-port]]

You can set the inspection engines for H.225 and RAS (h225 and ras) separately. The default port for h225 is 1720 (TCP), and the default ports for ras are 1718-1719 (UDP).
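The strict-option checks (reply spoofing, invalid port negotiation, command pipelining) and the embedded-address translation described in the FTP inspection passage above, modelled in Python as an added example. This is not FWSM code; the function names `strict_check` and `translate_embedded_address`, the sample control-channel chunks and the NAT mapping are constructed for illustration, while the thresholds (port below 1024, more than 8 characters after the port numbers) are the ones the page states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 (PASV) reply (RFC 959).
_ADDR_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
MAX_TRAILING = 8          # page: characters after the port numbers are checked against 8
MIN_DYNAMIC_PORT = 1024   # page: a negotiated port below 1024 is treated as reserved


@dataclass
class Verdict:
    allow: bool
    reason: str
    data_port: Optional[int] = None


def strict_check(chunk: str, from_client: bool) -> Verdict:
    """Apply the strict-option checks to one control-channel chunk.

    chunk is the raw text one side wrote; it may hold several CRLF-terminated
    lines, which is exactly what the pipelining check looks for.
    """
    m = _ADDR_PORT.search(chunk)
    if m is None:
        return Verdict(True, "no port negotiation in chunk")

    # Reply spoofing: a 227 reply may only come from the server side.
    if chunk.startswith("227") and from_client:
        return Verdict(False, "reply spoofing: 227 reply sent by client")

    # Invalid port negotiation: port = p1*256 + p2 must not be in the reserved range.
    port = int(m.group(5)) * 256 + int(m.group(6))
    if port < MIN_DYNAMIC_PORT:
        return Verdict(False, f"invalid port negotiation: {port} < {MIN_DYNAMIC_PORT}")

    # Command pipelining: more than MAX_TRAILING characters after p2 means extra
    # commands were packed behind the negotiation, so the connection is closed.
    trailing = len(chunk) - m.end()
    if trailing > MAX_TRAILING:
        return Verdict(False, f"command pipelining: {trailing} chars after port numbers")

    return Verdict(True, "ok", data_port=port)


def translate_embedded_address(chunk: str, nat: dict) -> str:
    """Rewrite the h1,h2,h3,h4 address inside a PORT/227 payload per a NAT map.

    nat maps inside address -> translated address (constructed sample mapping);
    addresses not in the map are left untouched.
    """
    def _sub(m: "re.Match") -> str:
        inside = ".".join(m.group(i) for i in range(1, 5))
        outside = nat.get(inside, inside)
        return ",".join(outside.split(".")) + "," + m.group(5) + "," + m.group(6)
    return _ADDR_PORT.sub(_sub, chunk, count=1)


# Constructed control-channel samples: (from_client, chunk)
SAMPLES = [
    (False, "227 Entering Passive Mode (192,168,1,10,195,80).\r\n"),   # legitimate server reply
    (True,  "227 Entering Passive Mode (192,168,1,10,195,80).\r\n"),   # same reply from the client
    (True,  "PORT 10,0,0,5,0,80\r\n"),                                 # negotiates reserved port 80
    (True,  "PORT 10,0,0,5,4,1\r\nRETR secret.txt\r\n"),               # pipelined command behind PORT
    (True,  "RETR file.txt\r\n"),                                      # no negotiation at all
]

if __name__ == "__main__":
    for from_client, chunk in SAMPLES:
        v = strict_check(chunk, from_client)
        side = "client" if from_client else "server"
        print(f"{side:6} {chunk!r:55} allow={v.allow} port={v.data_port} ({v.reason})")
    print(translate_embedded_address("PORT 10,0,0,5,4,1\r\n", {"10.0.0.5": "203.0.113.7"}))
```

The checks run in the order the page lists them, so a client-sent 227 is refused before its port is even computed, and a reserved port is refused before the trailing-character count is examined; a chunk that carries no h1,h2,h3,h4,p1,p2 tuple is passed through untouched because none of the strict checks apply to it.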