Video feed through ASA

jef_rat72 · ‎03-14-2012

I have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the pcs that can run the client software to view the video feed, or it can pull from the server in the DMZ.

On the server in the DMZ, you can see the feed, along with any pc you connect to that network.

On any machine on the Inside, or through VPN, you cannot either with the client software or pulling from the surveillance server.

I am watching the connection through ASDM and don’t see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I’ve taken out inspections for http and rstp. I don’t really see anything else that would drop video. I've attached the error I keep seeing.

Anyone have experience with something similar?

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

Ethernet0/1 Inside 140.152.25.1 255.255.0.0 CONFIG

Ethernet0/3 DMZ 192.168.12.1 255.255.255.0 CONFIG

access-list inside_nat0_outbound extended permit ip 140.152.0.0 255.255.0.0 192.168.12.0 255.255.255.0

access-list ROKVPN_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0

access-list DMZ_access_in extended permit icmp any any echo

access-list DMZ_access_in extended permit icmp any any echo-reply

access-list DMZ_access_in extended permit icmp any any time-exceeded

access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 140.152.0.0 255.255.0.0

access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.220.0 255.255.255.240

access-group inside_access_out in interface Inside

access-group DMZ_access_in in interface DMZ

Mark^ · ‎03-14-2012

I wonder if this is a NAT issue similar to what I am asking about here:

https://supportforums.cisco.com/message/3585157#3585157

Scenario seems similar in the sense that we both have services on different interfaces that we are trying to access.

Mark

Mark^ · ‎03-14-2012

Actually, I take that back. I'm no expert, but in looking at your screenshot, I wonder if there is a policy in place that is blocking private addresses (192.168.x.x in this case) from traversing the outside interface.

An address like that will be dropped at my outside interface.

Mark

jef_rat72 · ‎03-15-2012

jcarvaja,

yes I have. And I've removed all inspect commands, same issue.

Julio Carvajal · ‎03-14-2012

Have you tried with :

inspect h323 h225

inspect h323 ras

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sguirguis · ‎03-15-2012

Hello,

Can you post " sh service-policy inspect http " ?

Also is "inside_access_out" supposed to be in applied in the "in" direction of the inside interface ?

jef_rat72 · ‎03-15-2012

sh service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http, packet 1510005, drop 0, reset-drop 0

I'm new to this ASA, I've questioned that access list myself, but am not positive why it has been set up the way it has. I've been on the phone with TAC, so far they have not been able to come up with an answer, but still working on it.

jef_rat72 · ‎03-15-2012

Just an FYI the problem was that there is a CSC module on the ASA. In the config was the command "csc fail-open" under a global-glass. This was allowing the return traffic to come back un-inspected, which prompted the "TCP closed by inspection" error.

Once the "csc fail-open" command was removed, cameras worked. I just set up an access-list to block the security traffic from reaching the CSC module.