Cisco Support Community

RTSP Inspection with ASA

I have an ASA (v7.2). I have enabled RTSP inspection with the default policy. I am broadcasting audio only with an Apple system (not sure of the details). The Apple broadcast server resides in my DMZ network. My ASA syslog shows public users connecting with RTSP (TCP 554) followed by denied UDP access list messages from the broadcast server to the public client. My understanding of RTSP is that port 554 is the control. The control port negotiates a media transfer connection (unicast in this case).

I found the following in Cisco's documentation:

The security appliance parses Setup response messages with a status code of 200. If the response message is travelling inbound, the server is outside relative to the security appliance and dynamic channels need to be opened for connections coming inbound from the server. If the response message is outbound, then the security appliance does not need to open dynamic channels.

My server is inside relative to the public. The response message would then be travelling outbound. Why doesn't the ASA need to open dynamic channels? Combining the above information, do I really need to create an access list that permits all UDP traffic from the broadcast server? This seems a little insecure.


Re: RTSP Inspection with ASA

The ASA does not support RTSP inspection over UDP.
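
The negotiation described in the question, as an added example that is not part of the thread and not Cisco's code: it parses a SETUP response with status 200 and lists the specific server-to-client UDP flows the Transport header negotiates. The sample response, the IP addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample: a SETUP response as a DMZ server might send it to a public client.
SAMPLE_SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 4711\r\n"
    "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=6256-6257\r\n"
    "\r\n"
)

def parse_setup_response(raw):
    """Return negotiated UDP port ranges from a 200 SETUP response, else None."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = re.match(r"RTSP/\d\.\d (\d{3})", head[0])
    if not status or status.group(1) != "200":
        return None  # only a successful SETUP response carries the agreed transport
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    transport = headers.get("transport")
    if transport is None:
        return None
    spec, *params = [p.strip() for p in transport.split(";")]
    if spec.upper().endswith("/TCP"):
        return None  # media interleaved on the TCP control connection, no UDP flow
    ports = {}
    for p in params:
        key, _, value = p.partition("=")
        if key in ("client_port", "server_port"):
            lo, _, hi = value.partition("-")
            ports[key] = (int(lo), int(hi or lo))
    if "client_port" not in ports or "server_port" not in ports:
        return None  # without both ranges the flows cannot be pinned down
    return ports

def server_to_client_flows(server_ip, client_ip, ports):
    """Pair server and client ports (RTP, then RTCP) into UDP 5-tuples."""
    s_lo, s_hi = ports["server_port"]
    c_lo, c_hi = ports["client_port"]
    count = min(s_hi - s_lo, c_hi - c_lo) + 1
    return [("udp", server_ip, s_lo + i, client_ip, c_lo + i) for i in range(count)]

if __name__ == "__main__":
    negotiated = parse_setup_response(SAMPLE_SETUP_RESPONSE)
    for flow in server_to_client_flows("192.0.2.10", "198.51.100.7", negotiated):
        print(flow)
```
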
