Cisco Bug: CSCut16551 - ASA H323 inspect creates wrong pinhole while public IP in H323 message

Last Modified

Mar 03, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.1(2.7) 9.1(4.5)

Description (partial)

Symptom:
H323 inspection does not create the pinhole on the correct interface.
The call cannot be completed and is disconnected.

Conditions:
The problem occurs with Cisco VCS-E when IPv4 static NAT mode is on. This mode is intended for firewalls that do not have H323 inspection. Other vendors' products with the same behavior might also be affected.

In this mode the H323 message carries the public IP.
The ASA then creates the pinhole on the wrong interface (it makes a U-turn):
TCP outside  1.1.1.1(10.10.10.10):15061 outside  2.2.2.2:16082, idle 0:00:01, bytes 0, flags SaAB
where:
1.1.1.1 - our public NATed IP
2.2.2.2 - the outside user connecting to 2.2.2.2
10.10.10.10 - our inside IP NATed to 1.1.1.1
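
An added example, not part of the Cisco bug text: a Python check that parses connection entries in the format quoted above and flags those whose two endpoints sit on the same interface while one of them is a translated address, which is the U-turn pattern described. The function names and every sample line except the first are constructed for illustration.

```python
import re

# One endpoint: interface, address, optional (real address), port.
ENDPOINT = r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:\((\d+\.\d+\.\d+\.\d+)\))?:(\d+)"
# Full entry in the format quoted in the bug description.
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+" + ENDPOINT + r"\s+" + ENDPOINT +
    r",\s*idle\s+([\d:]+),\s*bytes\s+(\d+),\s*flags\s+(\S+)\s*$"
)
FIELDS = ("proto", "if_a", "ip_a", "real_a", "port_a",
          "if_b", "ip_b", "real_b", "port_b", "idle", "bytes", "flags")

def parse_conn(line):
    """Return the entry as a dict, or None if the line is not a connection entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = dict(zip(FIELDS, m.groups()))
    for key in ("port_a", "port_b", "bytes"):
        conn[key] = int(conn[key])
    return conn

def find_uturn_pinholes(lines):
    """Entries with both endpoints on one interface and a translated address."""
    hits = []
    for line in lines:
        conn = parse_conn(line)
        if conn is None:
            continue  # header or unrelated output
        same_interface = conn["if_a"] == conn["if_b"]
        translated = conn["real_a"] is not None or conn["real_b"] is not None
        if same_interface and translated:
            hits.append(conn)
    return hits

# First line is the entry from the bug description; the rest are constructed.
SAMPLE = [
    "TCP outside  1.1.1.1(10.10.10.10):15061 outside  2.2.2.2:16082, idle 0:00:01, bytes 0, flags SaAB",
    "TCP outside  2.2.2.2:16083 inside  10.10.10.10:15062, idle 0:00:02, bytes 512, flags UIOB",
    "UDP outside  2.2.2.2:50000 inside  10.10.10.10:50002, idle 0:00:03, bytes 1200, flags -",
    "3 in use, 40 most used",
]

if __name__ == "__main__":
    for c in find_uturn_pinholes(SAMPLE):
        print(f"U-turn candidate on '{c['if_a']}': {c['ip_a']}({c['real_a']}):"
              f"{c['port_a']} <-> {c['ip_b']}:{c['port_b']} flags={c['flags']}")
```

Same-interface entries can also appear where intra-interface (hairpin) traffic is deliberately permitted, so treat hits as candidates to review.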