
PIX support for H.323 VOIP (Dynamic Port Opening)

dave-ng
Level 1

Can PIX support dynamic port opening for H.323 traffic? Traditional firewalls open up all the high ports for H.323 traffic.

1 Reply

harishtandon23
Level 1

Hello Dave,

The answer is yes, please refer to the following information:

Technical Background

H.323 inspection supports static NAT or dynamic NAT. H.323 RAS is configurable using the fixup command with PIX Firewall Version 6.2 or higher. PAT support for H.323 is introduced with PIX Firewall Version 6.2.

The H.323 collection of protocols collectively may use up to two TCP connections and four to six UDP connections. FastConnect uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status.

An H.323 client may initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP.

H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals are not using FastConnect, the PIX Firewall dynamically allocates the H.245 connection based on the inspection of the H.225 messages.

Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections

For more details, please try the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1079378

If you have any questions, please feel free to contact me.

Thanks & Regards,

Harish Tandon

harishtandon23@gmail.com
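The inspection sequence described in the reply above, as an added example that is not part of the original post or Cisco's code: a simplified Python model of a pinhole table that keeps high ports closed until the Q.931 and H.245 signalling names them. Messages are shown already decoded (real H.225/H.245 is ASN.1 encoded), the class and function names are hypothetical, the addresses and ports are constructed, and clearing pinholes at call end is an assumption of the model.

```python
# Simplified model of stateful H.323 inspection (added example, not PIX code).
# Messages are pre-decoded dicts; all addresses and ports are constructed.

class H323Inspector:
    def __init__(self):
        self.pinholes = set()  # (proto, dst_ip, dst_port) opened dynamically

    def permits(self, proto, dst_ip, dst_port):
        # Static policy: only Q.931 call setup on TCP/1720 is always allowed.
        if proto == "tcp" and dst_port == 1720:
            return True
        return (proto, dst_ip, dst_port) in self.pinholes

    def inspect_q931(self, msg):
        # The call-setup exchange carries the address for the H.245 TCP connection.
        addr = msg.get("h245Address")
        if addr:
            self.pinholes.add(("tcp", addr["ip"], addr["port"]))

    def inspect_h245(self, msg):
        # H.245 messages carry the UDP ports used by the media streams.
        for key in ("mediaChannel", "mediaControlChannel"):
            addr = msg.get(key)
            if addr:
                self.pinholes.add(("udp", addr["ip"], addr["port"]))

    def close_call(self):
        # Assumption of this model: pinholes are dropped when the call ends.
        self.pinholes.clear()


def run_sample_call():
    fw = H323Inspector()
    results = {}
    # Before any signalling is inspected, the media port is closed.
    results["media_before"] = fw.permits("udp", "10.1.1.20", 49170)
    fw.inspect_q931({"type": "connect",
                     "h245Address": {"ip": "10.1.1.20", "port": 11002}})
    results["h245_after_q931"] = fw.permits("tcp", "10.1.1.20", 11002)
    fw.inspect_h245({"type": "openLogicalChannelAck",
                     "mediaChannel": {"ip": "10.1.1.20", "port": 49170},
                     "mediaControlChannel": {"ip": "10.1.1.20", "port": 49171}})
    results["media_after_h245"] = fw.permits("udp", "10.1.1.20", 49170)
    # A high port that was never negotiated stays closed.
    results["other_high_port"] = fw.permits("udp", "10.1.1.20", 49180)
    fw.close_call()
    results["media_after_close"] = fw.permits("udp", "10.1.1.20", 49170)
    return results
```
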
