H.323 RAS Support
H.323 RAS Support
This feature introduces support for H.225 Registration, Admission, and Status (RAS) signaling in zone-based
firewalls. RAS is a signaling protocol that is used between endpoints (such as gateways) and gatekeepers.
The H.225 standard is used by H.323 for call setup. H.255 includes RAS control, which is used to communicate
with the gatekeeper. A RAS signaling channel enables connections between the gatekeeper and H.323
endpoints.
• Finding Feature Information, page 1
• Restrictions for H.323 RAS Support, page 1
• How to Configure H.323 RAS Support, page 2
• Configuration Examples for H.323 RAS Support, page 5
• Additional References for H.323 RAS Support, page 6
• Feature Information for H.323 RAS Support, page 7
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for H.323 RAS Support
H.225 RAS inspection is supported only with zone-based policy firewall inspection.
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
1
H.323 RAS Support
How to Configure H.323 RAS Support
How to Configure H.323 RAS Support
Configuring a Class Map for H.323 RAS Protocol Inspection
Use this task to configure a class map for classifying network traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. class-map type inspect [match-any | match-all] class-map-name
4. match access-group {access-group | name access-group-name}
5. match protocol protocol-name [signature]
6. match protocol protocol-name [signature]
7. match class-map class-map-name
8. exit
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode.
Example:
• Enter your password if prompted.
Router> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3
class-map type inspect [match-any | match-all]
class-map-name
Creates a Layer 3 or Layer 4 inspect type class map and enters
class-map configuration mode.
Example:
Router(config)# class-map type inspect
match-all c1
Step 4
match access-group {access-group | name
access-group-name}
(Optional) Configures the match criterion for a class map based
on the access control list (ACL) name or number.
Example:
Router(config-cmap)# match access-group 101
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
2
H.323 RAS Support
Creating a Policy Map for H.323 RAS Protocol Inspection
Step 5
Command or Action
Purpose
match protocol protocol-name [signature]
Configures the match criterion for a class map on the basis of a
specified protocol.
Example:
Note
Router(config-cmap)# match protocol h225ras
Step 6
match protocol protocol-name [signature]
Configures the match criterion for a class map on the basis of a
specified protocol.
Example:
Note
Router(config-cmap)# match protocol h323
Step 7
You should specify the h225ras keyword to create a
class-map for H.225 RAS protocol classification. For
a list of supported protocols, use the command-line
interface (CLI) help option (?) on your platform.
match class-map class-map-name
You should specify the h323 keyword to create a
class-map for H.323 protocol classification.
(Optional) Specifies a previously defined class as the match
criterion for a class map.
Example:
Router(config-cmap)# match class-map c1
Step 8
Returns to global configuration mode.
exit
Example:
Router(config-cmap)# exit
Creating a Policy Map for H.323 RAS Protocol Inspection
Use this task to create a policy map for a firewall policy that will be attached to zone pairs.
Note
If you are creating an inspect type policy map, only the following actions are allowed: drop, inspect, police,
and pass.
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
3
H.323 RAS Support
Creating a Policy Map for H.323 RAS Protocol Inspection
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type inspect policy-map-name
4. class type inspect class-name
5. inspect [parameter-map-name]
6. police rate bps burst size
7. drop [log]
8. pass
9. exit
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3
policy-map type inspect policy-map-name
Creates a Layer 3 and Layer 4 inspect type policy map and
enters policy-map configuration mode.
Example:
Router(config)# policy-map type inspect p1
Step 4
class type inspect class-name
Specifies the traffic (class) on which an action is to be
performed and enters policy-map class configuration mode.
Example:
Router(config-pmap)# class type inspect c1
Step 5
inspect
[parameter-map-name]
Enables Cisco IOS stateful packet inspection.
Example:
Router(config-pmap-c)# inspect inspect-params
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
4
H.323 RAS Support
Configuration Examples for H.323 RAS Support
Step 6
Command or Action
Purpose
police rate bps burst size
(Optional) Limits traffic matching within a firewall (inspect)
policy.
Example:
Router(config-pmap-c)# police rate 2000 burst
3000
Step 7
drop [log]
(Optional) Drops packets that are matched with the defined
class.
Example:
Note
Router(config-pmap-c)# drop
Step 8
The actions drop and pass are exclusive, and the
actions inspect and drop are exclusive; that is, you
cannot specify both of them.
(Optional) Allows packets that are matched with the defined
class.
pass
Example:
Router(config-pmap-c)# pass
Step 9
Returns to policy-map configuration mode.
exit
Example:
Router(config-pmap-c)# exit
What to Do Next
After configuring an H.323 RAS protocol firewall policy, you want to attach the policy to a zone pair. For
information on completing this task, see the “Zone-Based Policy Firewall” module.
Configuration Examples for H.323 RAS Support
Example H.323 RAS Protocol Inspection Configuration
The following example shows how to configure an H.323 RAS protocol inspection policy:
class-map type inspect match-any c1
match protocol h323
match protocol h225ras
class-map type inspect match-all c2
match protocol icmp
!
policy-map type inspect p1
class type inspect c1
inspect
class class-default
drop
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
5
H.323 RAS Support
Example H.225 RAS Firewall Policy Configuration
policy-map type inspect p2
class type inspect c2
inspect
class class-default
drop
!
zone security z1
description One-Network zone
zone security z2
description Two-Network zone
zone-pair security zp source z1 destination z2
service-policy type inspect p1
zone-pair security zp-rev source z2 destination z1
service-policy type inspect p2
!
interface FastEthernet1/0
ip address 10.0.0.0 255.255.0.0
zone-member security z1
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 10.0.1.1 255.255.0.0
zone-member security z2
duplex auto
speed auto
Example H.225 RAS Firewall Policy Configuration
The following example shows how to configure the firewall policy to inspect H.225 RAS messages:
interface GigabitEthernet 0/1/5
ip address 172.16.0.0 255.255.0.0
zone-member security private
no shut
!
interface GigabitEthernet 0/1/6
ip address 192.168.0.0 255.255.0.0
zone-member security internet
no shut
!
zone security private
zone security internet
!
class-map type inspect match-any internet-traffic-class
match protocol h225ras
match protocol h323
!
policy-map type inspect private-internet-policy
class type inspect internet-traffic-class
inspect
class class-default
!
zone-pair security private-internet source private destination internet
service-policy type inspect private-internet-policy
Additional References for H.323 RAS Support
Related Documents
Related Topic
Document Title
Cisco IOS commands
Master Commands List, All Releases
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
6
H.323 RAS Support
Feature Information for H.323 RAS Support
Related Topic
Firewall commands
Document Title
• Security Command Reference: Commands A to C
• Security Command Reference: Commands D to L
• Security Command Reference: Commands M to R
• Security Command Reference: Commands S to Z
Technical Assistance
Description
Link
The Cisco Support and Documentation website
http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Feature Information for H.323 RAS Support
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1: Feature Information for H.323 RAS Support
Feature Name
Releases
Feature Information
H.323 RAS Support
12.4(11)T
H.323 RAS Support feature
introduces support for H.255
Registration, Admission, and Status
(RAS) signaling in zone-based
firewalls.
The following command was
introduced or modified: match
protocol (zone).
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
7
H.323 RAS Support
Feature Information for H.323 RAS Support
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
8
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising