Cisco Systems EDCS-154011 Home Theater Server User Manual

Copyright © 2001 Cisco Systems, Inc. Page 4 of 11
Issues with Firewalls and H.323
What makes H.323 so cumbersome to run through a firewall is its use of multiple data ports for a single call. For an H.323 call to take place it must first open an H.225 connection on TCP port 1720, using Q.931 signaling. After this has taken place, the H.245 management session is established. While this can take place on a separate channel from the H.225 setup, it can also be done using H.245 tunneling, which takes the H.245 messages and embeds them in the Q.931 messages in the previously established H.225 channel.
At this point the H.245 session opens dynamically assigned ports for the UDP-based RTP/RTCP video and audio data streams. These ports can range from 1024 to 65535. Since these ports are not known in advance, and since it would defeat the purpose of a firewall to open all these ports, a firewall must be able to “snoop” the H.323 data stream in order to open the additional ports needed for the call. This is also known as stateful inspection.
An additional problem encountered with most firewalls is the use of NAT (see “What is NAT” below for more information). Within H.323, the H.225 and H.245 signaling channels make heavy use of the embedded IP address. An example could be the following: a terminal has a private address of 10.1.1.125, which gets translated to 206.165.202.125 when it tries to place a call to an H.323 terminal with an IP address of 206.165.201.78 on the outside network. The terminal on the outside will still receive the private address within the H.225 signaling stream. Since this is a non-routable address, an attempt to make a connection back will fail. One way to get around this problem is to use an H.323-aware NAT firewall, which can rewrite the addresses in the signaling payload.
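The two firewall behaviours described above, stateful inspection of the signaling channel to open only the dynamically announced RTP/RTCP ports, and rewriting of the embedded private address, as an added toy model that is not Cisco's code. Real H.225/H.245 messages are ASN.1 PER-encoded; here each signaling message is a plain dict so the inspection logic stays visible, and the media ports and the second outside address are constructed values.

```python
"""Toy model of an H.323-aware stateful firewall with NAT (added example).
Signaling messages are plain dicts, not real ASN.1 PER-encoded H.225/H.245."""
from dataclasses import dataclass, field
from typing import Optional

# Addresses from the page's example; the media ports below are constructed.
PRIVATE = "10.1.1.125"
PUBLIC = "206.165.202.125"
PEER = "206.165.201.78"


@dataclass
class H323Firewall:
    nat: dict                                   # private address -> translated address
    peer: Optional[str] = None                  # outside terminal learned from H.225 Setup
    pinholes: set = field(default_factory=set)  # (src_ip, dst_ip, dst_port) allowed for UDP

    def inspect_signaling(self, msg: dict) -> dict:
        """Snoop one signaling message, rewrite the embedded private address and
        open pinholes for the dynamic RTP/RTCP ports it announces.
        Returns the message as it would leave the firewall."""
        out = dict(msg)
        if out.get("type") == "setup":                  # H.225/Q.931 on TCP 1720
            self.peer = out["dst"]
        if out.get("media_ip") in self.nat:             # the NAT problem: payload still
            out["media_ip"] = self.nat[out["media_ip"]]  # carries the non-routable address
        if out.get("type") == "openLogicalChannel":     # H.245: dynamic media ports
            if self.peer is None:
                raise ValueError("media channel announced before call setup")
            for port in (out["rtp_port"], out["rtcp_port"]):
                if not 1024 <= port <= 65535:
                    raise ValueError(f"port {port} outside the dynamic range")
                self.pinholes.add((self.peer, out["media_ip"], port))
        return out

    def allow_inbound(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Default deny: only H.225 setup and learned media pinholes pass."""
        if proto == "tcp" and dst_port == 1720:
            return True
        return proto == "udp" and (src_ip, dst_ip, dst_port) in self.pinholes


def demo() -> dict:
    """Walk the page's call through the model and report the firewall decisions."""
    fw = H323Firewall(nat={PRIVATE: PUBLIC})
    fw.inspect_signaling({"type": "setup", "src": PRIVATE, "dst": PEER})
    olc = fw.inspect_signaling({"type": "openLogicalChannel", "media_ip": PRIVATE,
                                "rtp_port": 49170, "rtcp_port": 49171})
    return {"rewritten_ip": olc["media_ip"],
            "rtp_from_peer": fw.allow_inbound("udp", PEER, PUBLIC, 49170),
            "rtp_from_other": fw.allow_inbound("udp", "198.51.100.9", PUBLIC, 49170),
            "unlearned_port": fw.allow_inbound("udp", PEER, PUBLIC, 5000)}
```

Only the call peer may send to the two learned ports; every other UDP port in the 1024-65535 range stays closed, which is the point of snooping the signaling instead of opening the whole range.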
What is the Cisco Secure PIX Firewall?
Formerly known as the PIX Firewall, the Cisco Secure PIX Firewall series is the highest-performance, enterprise-class firewall product line within the Cisco firewall family. The integrated hardware/software PIX Firewall series delivers high security without impacting network performance, scaling to meet the entire range of customer requirements.