New Member

Video feed through ASA

I have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, a switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the PCs that can run the client software to view the video feed, or it can be pulled from the server in the DMZ.

On the server in the DMZ, you can see the feed, along with any pc you connect to that network.

On any machine on the Inside, or through VPN, you cannot see it, either with the client software or by pulling from the surveillance server.

I am watching the connection through ASDM and don't see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I've taken out inspections for http and rtsp. I don't really see anything else that would drop video. I've attached the error I keep seeing.

Anyone have experience with something similar?

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

Ethernet0/1             Inside                 140.152.25.1   255.255.0.0     CONFIG
Ethernet0/3             DMZ                    192.168.12.1   255.255.255.0   CONFIG

access-list inside_nat0_outbound extended permit ip 140.152.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list ROKVPN_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any echo
access-list DMZ_access_in extended permit icmp any any echo-reply
access-list DMZ_access_in extended permit icmp any any time-exceeded
access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 140.152.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.220.0 255.255.255.240

access-group inside_access_out in interface Inside
access-group DMZ_access_in in interface DMZ

7 REPLIES
New Member

Video feed through ASA

I wonder if this is a NAT issue similar to what I am asking about here:

https://supportforums.cisco.com/message/3585157#3585157

Scenario seems similar in the sense that we both have services on different interfaces that we are trying to access.

New Member

Video feed through ASA

Actually, I take that back. I'm no expert, but looking at your screenshot, I wonder if there is a policy in place that is blocking private addresses (192.168.x.x in this case) from traversing the outside interface.

An address like that will be dropped at my outside interface.

New Member

Video feed through ASA

jcarvaja,

Yes, I have. And I've removed all inspect commands; same issue.

Video feed through ASA

Have you tried with :

inspect h323 h225

inspect h323 ras

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Video feed through ASA

Hello,

Can you post "sh service-policy inspect http"?

Also, is "inside_access_out" supposed to be applied in the "in" direction of the inside interface?

New Member

Video feed through ASA

sh service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http, packet 1510005, drop 0, reset-drop 0

I'm new to this ASA. I've questioned that access list myself, but am not positive why it has been set up the way it has. I've been on the phone with TAC; so far they have not been able to come up with an answer, but they are still working on it.

New Member

Re: Video feed through ASA

Just an FYI, the problem was that there is a CSC module on the ASA. In the config was the command "csc fail-open" under a global class. This was allowing the return traffic to come back uninspected, which prompted the "TCP closed by inspection" error.

Once the "csc fail-open" command was removed, the cameras worked. I just set up an access-list to block the security traffic from reaching the CSC module.
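As an added illustration of the fix described in the last reply (this is constructed example configuration, not the original poster's config and not Cisco documentation), here is how CSC-SSM diversion is normally scoped on an ASA 8.2 policy-map: rather than sending every flow in the global class through the module, a dedicated class matches an ACL that excludes the DMZ camera subnet and diverts only the protocols the module scans. The ACL and class names are assumptions; the subnets are the ones from the original post.

```cisco
! Constructed example: scope CSC-SSM diversion so camera traffic never reaches the module.
! Assumed names: csc_divert_acl, csc_divert_class. Subnets are taken from the thread above.

! Exclude the DMZ camera network from CSC scanning in both directions
access-list csc_divert_acl extended deny ip 192.168.12.0 255.255.255.0 140.152.0.0 255.255.0.0
access-list csc_divert_acl extended deny ip 140.152.0.0 255.255.0.0 192.168.12.0 255.255.255.0

! Divert only the protocols the CSC-SSM actually scans (HTTP, FTP, SMTP, POP3)
access-list csc_divert_acl extended permit tcp any any eq www
access-list csc_divert_acl extended permit tcp any any eq ftp
access-list csc_divert_acl extended permit tcp any any eq smtp
access-list csc_divert_acl extended permit tcp any any eq pop3

class-map csc_divert_class
 match access-list csc_divert_acl

policy-map global_policy
 class inspection_default
  ! existing inspect statements stay as they are; no "csc" action in this class
 class csc_divert_class
  csc fail-close
```

The deny entries at the top of the ACL are what keep the surveillance flows out of the module, which is the change the poster describes. Choosing "csc fail-close" instead of "csc fail-open" for the remaining diverted traffic means that if the module becomes unavailable those flows are dropped rather than passed through unscanned; that is the safer default for web and mail traffic, but it should be weighed against the outage it causes when the module is down.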
