Cisco Bug: CSCut16551 - ASA H323 inspect creates wrong pinhole while public IP in H323 message

Last Modified

Feb 12, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.1(2.7) 9.1(4.5)

Description (partial)

H323 inspection does not create the pinhole on the correct interface.
The call cannot be completed and is disconnected.

The problem occurs with Cisco VCS-E when IPv4 static NAT mode is on. This mode is intended for firewalls that do not have H323 inspection. Other vendors' products with the same behavior might also be affected.

In this mode, the H323 message carries the public IP.
The ASA then creates the pinhole on the wrong interface (it makes a U-turn):
TCP outside outside, idle 0:00:01, bytes 0, flags SaAB
where: our public NATed IP the outside user connecting to - our inside IP NATed to