RTSP through a Nating PIX

Unanswered Question

Hello,

I need some advice/help with my PIX 515 firewall running 6.x code. We are trying to stream our radio station both internally and externally. Our internal setup works fine, but we are having an issue getting RTSP working through our PIX.

Our whole network is Cisco, with a 4507 core switch and 35xx switches on the edges. Our streaming server already has a 1-to-1 NAT on our PIX for some port 80 stuff etc. I did find this post on a site and needed a little guidance. Our streaming server is on a VLAN called vlan 30 and has an internal address of 172.16.30.x, which NATs to our public address on the PIX. Here is the post:

**OK, I got it working -- thanks to your ideas!!!! It is also a very clean solution, opening up nothing except RTSP in the firewall.

Here is what I did:

1. Assigned a public IP address to the QTSS server (it also still has the private IP address).

2. Disabled NAT'ing of the IP address. For example, if you assign a public IP address of 1.1.1.1 with a /24 (255.255.255.0) subnet mask (obviously this is just a made-up address), you would enter the following:

Pix# access-list 300 permit ip 1.1.1.1 255.25

Pix# nat (inside) 0 access-list 300

NOTE: if you are already using this nat command and referring to an existing access-list, you should add the access-list entry to the already existing access-list # -- as you can only reference 1 access list in the nat command.

3. Add the following static to your pix:

pix # static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

4. Enable port 554 to pass through the firewall to the host. You do this by adding a conduit command or an access-list/access-group pair of commands.

Conduit Example:

Pix # conduit permit tcp host 1.1.1.1 eq 554 any

NOTE1: !!!! Though all the documentation I have refers to UDP port 554 as the port that needs to be opened through the firewall, UDP DID NOT WORK. Note the conduit above uses "tcp" and it worked PERFECTLY.

NOTE2: I also have the following fixup command in the config.

fixup protocol rtsp 554

I added the conduit permit tcp and removed the fixup protocol rtsp 554 and everything still worked beautifully. However, since I am not 100% sure of all the things the fixup rtsp is doing for me, I'll probably add that back in. However, when I migrated to 6.2 PIX code, I had to remove the fixup for smtp as it was preventing my users from authenticating when sending email from the internet using username/pwd authentication (to prevent relaying). Removed the fixup and it worked great.**

Now, with this post, do I remove the following NAT line:

static (inside,outside) xx.xxx.xx.xxxx 172.16.30.224 netmask 255.255.255.255 0 0

and the access list that opens port 80 for the web services on there? It is a Windows 2003 server, so do I leave the machine's port on vlan 30 and add the public IP to the box, or do I now trunk the port to allow the public and private IP? Confused a little.

Also, is that nat command from the post valid? I need some guidance as to what exactly to do. I originally kept the 1-to-1 NAT and added the RTSP fixup, then added another access list to allow RTSP, but that didn't work.

Thanks for the help, I appreciate it.

plwalsh Tue, 02/20/2007 - 09:06

"our streaming server is on a vlan called vlan 30 and has an internal address of 172.16.30.x which nats to our public on the pix."

The above suggests that the firewall is already set to allow internet hosts to start conversations with your streaming server.

I think adding a rule to the ACL that controls traffic inbound from the internet should work:

access-list inbound_ACL permit tcp any gt 1023 host public_ip_address eq 554

Clients connect to TCP port 554 on the streaming server to negotiate the UDP ports that will be used for streaming. The fixup will spot which UDP ports to open on the fly.
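To make the "fixup spots which UDP ports to open" point concrete, here is an added example (not from the thread or from Cisco) that does in Python what an RTSP inspection engine does on the control channel: it parses a SETUP request and its reply, reads the negotiated `client_port`/`server_port` ranges from the Transport header, and derives the UDP pinholes that would have to be permitted for the media. It also shows why interleaved RTP-over-TCP needs no pinhole at all, which is consistent with the quoted post finding that a TCP-only rule worked. The messages and addresses are constructed samples; the `Pinhole` type and the ACL-like text it renders are illustrative, not PIX syntax the firewall would accept.

```python
"""Derive RTSP media pinholes from a SETUP exchange (added example; constructed data)."""
import re
from dataclasses import dataclass

# A port spec is either a single port or a "low-high" range (RFC 2326 Transport header).
PORT_RANGE = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?$")


def parse_headers(msg: str) -> dict:
    """Return the RTSP headers of one message, keyed by lowercased header name."""
    headers = {}
    for line in msg.split("\r\n")[1:]:   # skip the request/status line
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_transport(value: str) -> dict:
    """Split 'RTP/AVP;unicast;client_port=6970-6971' into a parameter dict."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    params = {"profile": parts[0]} if parts else {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        params[key.lower()] = val if val else True
    return params


def port_range(spec: str) -> tuple:
    """Validate a port spec and return it as an inclusive (low, high) tuple."""
    m = PORT_RANGE.match(spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Pinhole:
    """One dynamic permit the inspection engine would add (illustrative type)."""
    proto: str
    src_ip: str
    src_ports: tuple
    dst_ip: str
    dst_ports: tuple

    def render(self) -> str:
        # ACL-like text for humans; not a command any firewall is guaranteed to accept.
        return (f"permit {self.proto} host {self.src_ip} range {self.src_ports[0]} {self.src_ports[1]}"
                f" host {self.dst_ip} range {self.dst_ports[0]} {self.dst_ports[1]}")


def pinholes_for_setup(request: str, response: str, client_ip: str, server_ip: str) -> list:
    """Return the UDP pinholes a SETUP exchange requires; [] when media is interleaved over TCP."""
    req = parse_transport(parse_headers(request).get("transport", ""))
    resp = parse_transport(parse_headers(response).get("transport", ""))
    profile = resp.get("profile", req.get("profile", ""))
    if profile.upper().endswith("/TCP") or "interleaved" in resp:
        return []   # RTP/RTCP ride the existing TCP 554 control connection
    if "client_port" not in req or "server_port" not in resp:
        raise ValueError("UDP transport negotiated without both port ranges")
    c_ports = port_range(req["client_port"])
    s_ports = port_range(resp["server_port"])
    return [
        Pinhole("udp", server_ip, s_ports, client_ip, c_ports),  # RTP + RTCP, server -> client
        Pinhole("udp", client_ip, c_ports, server_ip, s_ports),  # RTCP receiver reports back
    ]


# Constructed sample exchange: outside client 203.0.113.25, public server address 198.51.100.10.
CLIENT_IP, SERVER_IP = "203.0.113.25", "198.51.100.10"
UDP_SETUP_REQUEST = ("SETUP rtsp://198.51.100.10/radio.sdp/trackID=1 RTSP/1.0\r\nCSeq: 3\r\n"
                     "Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n")
UDP_SETUP_RESPONSE = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345678\r\n"
                      "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=6972-6973\r\n\r\n")
TCP_SETUP_REQUEST = ("SETUP rtsp://198.51.100.10/radio.sdp/trackID=1 RTSP/1.0\r\nCSeq: 3\r\n"
                     "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n\r\n")
TCP_SETUP_RESPONSE = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345678\r\n"
                      "Transport: RTP/AVP/TCP;unicast;interleaved=0-1\r\n\r\n")

if __name__ == "__main__":
    for hole in pinholes_for_setup(UDP_SETUP_REQUEST, UDP_SETUP_RESPONSE, CLIENT_IP, SERVER_IP):
        print(hole.render())
    print("TCP-interleaved pinholes:",
          pinholes_for_setup(TCP_SETUP_REQUEST, TCP_SETUP_RESPONSE, CLIENT_IP, SERVER_IP))
```

The practical takeaway for the thread: a static permit for TCP 554 only covers the control channel, so a UDP-delivered stream depends entirely on inspection (the `fixup protocol rtsp 554` line) tracking each SETUP like this and opening the negotiated ranges for the life of the session. If the fixup is removed and the stream still plays, the client has most likely fallen back to interleaving the media over the TCP connection, which is exactly the case that needs no extra pinholes.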

plwalsh Wed, 02/21/2007 - 02:34

The network card of the streaming server (which is only connected to VLAN30, I presume) should have the IP address 172.16.30.x. The firewall will translate that private IP address to the public IP address that your ISP has provided your organisation. I am assuming that the firewall already has translation rules (NAT rules) set up which allow internet hosts to communicate with the streaming server.

I got it working following the directions from the last poster. The only problem I am having now is that it isn't a smooth stream going through the PIX. Internally it is, but from the outside it pauses every 3 seconds, then continues on. Any suggestions for this issue?

Thanks!

Bandwidth should be fine; we have a DS3 and peak utilization is usually only about 15%.

Thanks!
