RTSP thru a NATing Pix..

Unanswered Question


I need some advice/help with my PIX 515 firewall running 6.x code. We are trying to stream our radio station both internally and externally. Our internal setup works fine, but we are having an issue getting RTSP working through our PIX.

Our whole network is Cisco, with a 4507 core switch and 35xx on the edges. Our streaming server already has a 1-to-1 NAT on our PIX for some port 80 stuff etc. I did find this post on a site and needed a little guidance. Our streaming server is on a VLAN called vlan 30 and has an internal address of 172.16.30.x which NATs to our public address on the PIX. Here is the post:

**OK, I got it working -- thanks to your ideas!!!! It is also a very clean solution, opening up nothing except RTSP in the firewall.

Here is what I did:

1. Assigned a public IP address to the QTSS Server (it also still has the private IP address)

2. Disabled NAT'ing of the IP address. For example, if you assign a Public IP address of with a /24 ( subnet mask (obviously this is just a made-up address), you would enter the following:

Pix# access-list 300 permit ip 255.25
Pix# nat (inside) 0 access-list 300

NOTE: if you are already using this nat command and referring to an existing access-list, you should add the access-list entry to the already existing access-list # -- as you can only reference 1 access list in the nat command.

3. Add the following static to your pix:

pix # static (inside,outside) netmask

4. Enable port 554 to pass through the firewall to the host. You do this by adding a conduit command or an access-list/access-group pair of commands.

Conduit Example:

Pix # conduit permit tcp host eq 554 any

NOTE1: !!!! Though all the documentation I have refers to UDP port 554 as the port that needs to be opened through the firewall, UDP DID NOT WORK. Note the conduit above uses "tcp" and it worked PERFECTLY.

NOTE2: I also have the following fixup command in the config.

fixup protocol rtsp 554

I added the conduit permit tcp and removed the fixup protocol rtsp 554 and everything still worked beautifully. However, since I am not 100% sure of all the things the fixup rtsp is doing for me, I'll probably add that back in. However, when I migrated to 6.2 PIX code, I had to remove the fixup for smtp as it was preventing my users from authenticating when sending email from the internet using username/pwd authentication (to prevent relaying). Removed the fixup and it worked great.**

Now, with this post, do I remove the following NAT line:

static (inside,outside) xx.xxx.xx.xxxx netmask 0 0

and the access list that opens port 80 for the web services on there? It is a Windows 2003 server, so do I leave the machine port on vlan 30 and add the public IP to the box, or do I now trunk the port to allow the public and private IP? Confused a little.

Also, is that nat command from the post valid? I need some guidance as to what exactly to do. I originally kept the 1-to-1 NAT and added the rtsp fixup, then added another access list to allow RTSP, but that didn't work.

Thanks for the help, I appreciate it.
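As an added illustration of what an RTSP-aware inspection such as the PIX `fixup protocol rtsp 554` has to do (example code written for this page, not from the original post or from Cisco): for UDP delivery the media ports are negotiated inside the RTSP SETUP reply, so a firewall that only permits TCP 554 never learns them. The parser below reads a constructed Transport header, lists the UDP flows that would have to be opened for that session, and recognises the interleaved-TCP case where the media rides inside the 554 session and no extra flows are needed. All addresses and ports are constructed.

```python
import re

# Constructed RTSP SETUP replies (not from the original post). The first asks for
# UDP delivery: the media ports live only in this header. The second uses RTSP
# interleaving, where RTP/RTCP are carried inside the TCP 554 session itself.
SETUP_UDP_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 12345678\r\n"
                   "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=8000-8001\r\n\r\n")
SETUP_TCP_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 12345678\r\n"
                   "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n\r\n")

def parse_transport(reply: str) -> dict:
    """Split the Transport header of an RTSP reply into {'profile': ..., param: value}."""
    head = reply.split("\r\n\r\n", 1)[0]          # headers only, drop any body
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "transport":
            continue
        parts = [p.strip() for p in value.split(";")]
        params = {"profile": parts[0]}            # e.g. RTP/AVP or RTP/AVP/TCP
        for p in parts[1:]:
            key, has_value, val = p.partition("=")
            params[key.lower()] = val if has_value else True
        return params
    raise ValueError("no Transport header in reply")

def _ports(spec: str) -> tuple:
    """'6970-6971' -> (6970, 6971); a lone port gets its RTCP partner at port+1."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo = int(m.group(1))
    return (lo, int(m.group(2)) if m.group(2) else lo + 1)

def media_pinholes(reply: str, client_ip: str, server_ip: str) -> list:
    """Flows (proto, src, sport, dst, dport) an RTSP-aware firewall must open for
    the media of this SETUP reply. Interleaved TCP needs nothing beyond port 554."""
    t = parse_transport(reply)
    if t["profile"].upper().endswith("/TCP") or "interleaved" in t:
        return []
    c_rtp, c_rtcp = _ports(t["client_port"])
    s_rtp, s_rtcp = _ports(t["server_port"])
    return [
        ("udp", server_ip, s_rtp, client_ip, c_rtp),    # RTP media, server -> client
        ("udp", server_ip, s_rtcp, client_ip, c_rtcp),  # RTCP sender reports, server -> client
        ("udp", client_ip, c_rtcp, server_ip, s_rtcp),  # RTCP receiver reports, client -> server
    ]

if __name__ == "__main__":
    for flow in media_pinholes(SETUP_UDP_REPLY, "198.51.100.7", "203.0.113.10"):
        print(flow)
    print("interleaved:", media_pinholes(SETUP_TCP_REPLY, "198.51.100.7", "203.0.113.10"))
```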
