RTSP Inspection with ASA

rmeans
Level 3

I have an ASA (v7.2). I have enabled RTSP inspection with the default policy. I am broadcasting audio only with an Apple system (not sure of the details). The Apple broadcast server resides in my DMZ network. My ASA syslog shows public users connecting with RTSP (TCP 554) followed by denied UDP access-list messages from the broadcast server to the public client. My understanding of RTSP is that port 554 is the control port. The control port negotiates a media transfer connection (unicast in this case).

I found the following in Cisco's documentation

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1433203

The security appliance parses Setup response messages with a status code of 200. If the response message is travelling inbound, the server is outside relative to the security appliance and dynamic channels need to be opened for connections coming inbound from the server. If the response message is outbound, then the security appliance does not need to open dynamic channels.

My server is inside relative to the public. The response message would then be travelling outbound. Why doesn't the ASA need to open dynamic channels? Combining the above information, do I really need to create an access list that permits all UDP traffic from the broadcast server? This seems a little insecure.

1 Reply

wdrootz
Level 4

The ASA does not support RTSP inspection over UDP.
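The documentation quoted in the question says the inspection engine parses SETUP responses with status 200 and opens dynamic channels from the negotiated ports. As an added illustration that is not part of this thread and not Cisco's code, the following Python shows what that parsing actually involves: it reads a constructed SETUP reply, extracts the `Transport` header's `client_port` and `server_port` ranges, and derives the narrow UDP flows a stateful inspector would open for that one session, which is the alternative to a blanket "permit udp from the broadcast server" rule. The sample response, the IP addresses and the ACL-style output format are placeholders for illustration; the rendered lines follow the general shape of an extended ACL but are not meant as exact ASA syntax.

```python
import re

# Constructed sample (not from the thread): the kind of SETUP reply the
# inspection engine parses, with status 200 and a Transport header that
# carries the negotiated UDP ports.
SAMPLE_SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678;timeout=60\r\n"
    "Transport: RTP/AVP;unicast;client_port=49170-49171;"
    "server_port=6970-6971;ssrc=1234ABCD\r\n"
    "\r\n"
)

_PORT_RANGE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_response(text):
    """Split an RTSP response into (status_code, {header-name: value})."""
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError("not an RTSP response line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def _port_range(value):
    """'6970-6971' -> (6970, 6971); a single port becomes (p, p)."""
    m = _PORT_RANGE.match(value)
    if not m:
        raise ValueError("bad port range: %r" % value)
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 < lo <= hi <= 65535:
        raise ValueError("port out of range: %r" % value)
    return lo, hi


def parse_transport(header):
    """Parse a Transport header value into a dict of its parameters."""
    params = [p.strip() for p in header.split(";") if p.strip()]
    spec = {
        "profile": params[0],
        "unicast": "unicast" in params[1:],
        "multicast": "multicast" in params[1:],
    }
    for p in params[1:]:
        key, sep, val = p.partition("=")
        if sep and key in ("client_port", "server_port"):
            spec[key] = _port_range(val)
        elif sep:
            spec[key] = val
    return spec


def udp_pinholes(response_text, server_ip, client_ip):
    """Return the narrow UDP flows a stateful inspector would open for this reply.

    Each entry is (src_ip, (src_lo, src_hi), dst_ip, (dst_lo, dst_hi)).
    Nothing is opened unless the status is 200, the media is unicast over
    UDP, and both port ranges are present.
    """
    status, headers = parse_response(response_text)
    if status != 200 or "transport" not in headers:
        return []
    t = parse_transport(headers["transport"])
    if t["profile"].upper().endswith("/TCP") or "interleaved" in t:
        return []  # media rides inside the TCP 554 control connection
    if not t["unicast"] or "client_port" not in t or "server_port" not in t:
        return []
    return [
        (server_ip, t["server_port"], client_ip, t["client_port"]),  # RTP + RTCP from server
        (client_ip, t["client_port"], server_ip, t["server_port"]),  # RTCP receiver reports back
    ]


def as_acl_lines(pinholes):
    """Render pinholes as extended-ACL style lines (illustrative syntax, not exact ASA CLI)."""
    return [
        "permit udp host %s range %d %d host %s range %d %d" % (s, sl, sh, d, dl, dh)
        for s, (sl, sh), d, (dl, dh) in pinholes
    ]


if __name__ == "__main__":
    # Placeholder addresses, not from the thread.
    for line in as_acl_lines(udp_pinholes(SAMPLE_SETUP_RESPONSE, "192.0.2.10", "198.51.100.25")):
        print(line)
```

Run stand-alone it prints two per-session lines scoped to the exact server and client port pairs; compare that with a static rule permitting all UDP from the server, which stays open regardless of whether any session negotiated those ports. The TCP-interleaved check matters because some players request `RTP/AVP/TCP`, in which case the media shares the existing port 554 connection and no UDP hole is needed at all.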
