Cisco Systems EDCS-154011 Home Theater Server User Manual


 
Copyright © 2001 Cisco Systems, Inc. Page 8 of 11
Breaking down the PIX configuration
Fixup protocol Command
The first thing that we will look at in the PIX configuration is the H.323 Fixup Protocol.
The H.323 fixup on PIX enables users to allow H.323 traffic to pass through the PIX.
The two major functions of the fixup are to:
1. NAT the necessary embedded IPv4 addresses in the H.225 and H.245 signaling
channels. Since H.323 messages are encoded in PER encoding format, PIX uses an
ASN.1 decoder to decode the H.323 messages.
2. Dynamically allocate the negotiated H.245 and RTP/RTCP messages. The PIX
administrator must open a conduit for the well-known H.323 port 1720 for the H.225 call
signaling; however, he/she doesn't know on what ports the H.245 signaling will take
place, since the H.245 signaling channel is negotiated between the endpoints in the H.225
signaling. The PIX will dynamically allocate the H.245 channel after inspecting the
H.225 messages and then "hook up" the H.245 channel to be fixed up as well. That
means whatever H.245 messages pass through the PIX, the PIX will pass them through the
H.245 fixup, NATing embedded IP addresses and opening the negotiated media channels.
The H.323 ITU standard requires that the H.225 and H.245 messages be preceded by a
TPKT header to define the length of the message since it is passed on the reliable
connection. Since the TPKT header does not necessarily need to be sent in the same TCP
packet as the H.225/H.245 message, PIX must remember the TPKT length in order to
process/decode the messages properly. PIX keeps a data structure for each connection,
and that data structure contains the TPKT length for the next expected message.
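The per-connection bookkeeping described above can be sketched as follows. This is an added example, not Cisco's code: the class and function names are hypothetical, the header layout is the RFC 1006 TPKT one (version 3, a reserved octet, and a 16-bit length that includes the 4-byte header), and the payloads are constructed placeholder bytes rather than real PER-encoded H.225 messages.

```python
import struct

TPKT_VERSION = 3     # RFC 1006 version octet
TPKT_HEADER_LEN = 4  # version, reserved, 16-bit big-endian total length


class TpktReassembler:
    """Hypothetical per-connection state: leftover bytes plus the next expected length."""

    def __init__(self):
        self.buf = bytearray()
        self.expected = None  # TPKT length of the next message, None until its header is read

    def feed(self, segment):
        """Add one TCP segment's data; return the H.225/H.245 payloads that are now complete."""
        self.buf += segment
        messages = []
        while True:
            if self.expected is None:
                if len(self.buf) < TPKT_HEADER_LEN:
                    break  # the header itself is split across segments
                version, _reserved, length = struct.unpack_from("!BBH", self.buf)
                if version != TPKT_VERSION:
                    raise ValueError("not a TPKT header (version %d)" % version)
                if length < TPKT_HEADER_LEN:
                    raise ValueError("TPKT length %d is shorter than its header" % length)
                self.expected = length  # remembered until the body arrives
            if len(self.buf) < self.expected:
                break  # the body is in a later segment
            messages.append(bytes(self.buf[TPKT_HEADER_LEN:self.expected]))
            del self.buf[:self.expected]
            self.expected = None
        return messages


def tpkt(payload):
    """Frame a payload in a TPKT header (used here only to construct sample input)."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(payload)) + payload


def demo():
    # Constructed sample: two framed messages cut so a header is split and a body arrives late.
    stream = tpkt(b"SETUP-placeholder") + tpkt(b"CONNECT-placeholder")
    segments = [stream[:2], stream[2:4], stream[4:30], stream[30:]]
    conn = TpktReassembler()
    return [conn.feed(s) for s in segments]
```

The first two segments yield nothing because only header bytes have arrived; the remembered length is what lets the third segment be decoded without re-reading a header.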
If the PIX needs to NAT any IP addresses, then it will have to change the checksum, the
UUIE (user-user information element) length, and the TPKT, if included with the
H.225/H.245 message.
Each connection with a packet going through the H.323 fixup will be marked as an H.323
connection and will time out with the H.323 timeout as configured by the user via the
"timeout" command.
Static command
The static command creates a permanent mapping (called a static translation slot or
"xlate") between a local IP address and a global IP address. Use the static and access-list
commands when you are accessing an interface of a higher security level from an
interface of a lower security level; for example, when accessing the inside from a
perimeter or the outside interface. The command syntax for this command is as follows: