I need some advice/help with my PIX 515 firewall running code 6.x. We are trying to stream our radio station both internally and externally. Our internal setup works fine, but we are having an issue getting RTSP working through our PIX.
Our whole network is Cisco, with a 4507 core switch and 35xx on the edges. Our streaming server already has a 1-to-1 NAT on our PIX for some port 80 stuff etc. I did find this post on a site and needed a little guidance. Our streaming server is on a VLAN called VLAN 30 and has an internal address of 172.16.30.x which NATs to our public on the PIX. Here is the post:
**OK, I got it working -- thanks to your ideas!!!! It is also a very clean
solution opening up nothing except RTSP in the firewall.
Here is what I did:
1. Assigned a public IP address to the QTSS Server's (it also still has the
private IP address)
2. Disabled NAT'ing of the IP address. For example if you assign a Public
IP address of 18.104.22.168 with a /24 (255.255.255.0) subnet mask (obviously this
is just a made-up address), you would enter the following:
Pix# access-list 300 permit ip 22.214.171.124 255.25
Pix# nat (inside) 0 access-list 300
NOTE: if you are already using this nat command and referring to an existing
access-list, you should add the access-list entry to the already existing
access-list # -- as you can only reference 1 access list in the nat command.
3. Add the following static to your pix:
Pix# static (inside,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.255
4. Enable port 554 to pass through the firewall to the host. You do this
by adding a conduit command or a access-list/access-group pair of commands.
Pix# conduit permit tcp host 184.108.40.206 eq 554 any
NOTE1: !!!! Though all the documentation I have refers to UDP port 554 as
the port that needs to be opened through the firewall, UDP DID NOT WORK.
Note the conduit above uses "tcp" and it worked PERFECTLY.
NOTE2: I also have the following fixup command in the config.
fixup protocol rtsp 554
I added the conduit permit tcp and removed the fixup protocol rtsp 554 and
everything still worked beautifully. However, since I am not 100% sure of
all the things the fixup rtsp is doing for me, I'll probably add that back
in. However, when I migrated to 6.2 PIX code, I had to remove the fixup for
smtp as it was preventing my users from authenticating when sending email
from the internet using username/pwd authentication (to prevent relaying).
Removed the fixup and it worked great.**
Now, with this post, do I remove the following NAT line:
static (inside,outside) xx.xxx.xx.xxxx 172.16.30.224 netmask 255.255.255.255 0 0
and the access list that opens port 80 for the web services on there? It is a Windows 2003 server, so do I leave the machine port on VLAN 30 and add the public IP to the box, or do I now trunk the port to allow the public and private IP? Confused a little.
Also, is that nat command from the post valid? I need some guidance as to what exactly to do. I originally kept the 1-to-1 NAT and added the RTSP fixup, then added another access list to allow RTSP, but that didn't work.
Thanks for the help, I appreciate it.
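Added example, not from the original thread or either poster: a PIX 6.x configuration fragment that puts the five steps of the quoted post together for the server on VLAN 30. The inside address 172.16.30.224 is the one from the question; 203.0.113.50/24 is a placeholder from the RFC 5737 documentation range standing in for the real public address, and the ACL names NO_NAT and OUTSIDE_IN are invented for the example. It follows the quoted post's design (server carries the public address, NAT disabled for it, only TCP 554 opened inbound) rather than the 1-to-1 translating static the question already has; the PIX will not accept two statics for the same global address, so the two designs are alternatives, not additions.

```text
! Added example (not from the original thread). PIX 6.x, inside = VLAN 30.
! Placeholder public address: 203.0.113.50/24 (RFC 5737). Real inside address
! from the question: 172.16.30.224. ACL names NO_NAT / OUTSIDE_IN are invented.

! Step 2: exempt the server's public address from translation ("nat 0").
! nat 0 accepts a single access-list; if one is already referenced here,
! append this entry to that existing ACL instead of creating a new one.
access-list NO_NAT permit ip host 203.0.113.50 any
nat (inside) 0 access-list NO_NAT

! Step 3: identity static so the outside interface answers for the address
! without rewriting it.
static (inside,outside) 203.0.113.50 203.0.113.50 netmask 255.255.255.255

! Step 4: permit only the RTSP control channel (TCP 554) from the Internet.
! The quoted post used "conduit permit tcp host ... eq 554 any"; the
! access-list/access-group pair below is the equivalent. The "eq www" line
! is kept only because the question says the same host serves web content.
access-list OUTSIDE_IN permit tcp any host 203.0.113.50 eq 554
access-list OUTSIDE_IN permit tcp any host 203.0.113.50 eq www
access-group OUTSIDE_IN in interface outside

! Note 2 of the post: RTSP inspection. The fixup watches the SETUP exchange
! on port 554 and opens the negotiated RTP/RTCP ports per session, so no
! standing UDP range has to be permitted inbound.
fixup protocol rtsp 554
```

Two checks worth running after applying something like this: `show xlate` should list the identity entry for 203.0.113.50 rather than a translation to 172.16.30.224, and `show conn` while a client is playing a stream should show the TCP 554 connection plus the UDP data flows the fixup opened. One assumption the fragment leaves to the reader: because the public address lives on the server itself, the PIX must be able to reach it on the inside, which means either the inside interface's subnet covers it or a `route inside` entry points the public /24 at the core switch.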