I have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the PCs that can run the client software to view the video feed, or it can pull from the server in the DMZ.
On the server in the DMZ, you can see the feed, along with any PC you connect to that network.
On any machine on the Inside, or through VPN, you cannot, either with the client software or by pulling from the surveillance server.
I am watching the connection through ASDM and don’t see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I’ve taken out inspections for http and rtsp. I don’t really see anything else that would drop video. I've attached the error I keep seeing.
Actually, I take that back. I'm no expert, but in looking at your screenshot, I wonder if there is a policy in place that is blocking private addresses (192.168.x.x in this case) from traversing the outside interface.
An address like that will be dropped at my outside interface.
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http, packet 1510005, drop 0, reset-drop 0
I'm new to this ASA. I've questioned that access list myself, but am not positive why it has been set up the way it has. I've been on the phone with TAC; so far they have not been able to come up with an answer, but they are still working on it.
Just an FYI: the problem was that there is a CSC module on the ASA. In the config was the command "csc fail-open" under a global-class. This was allowing the return traffic to come back un-inspected, which prompted the "TCP closed by inspection" error.
Once the "csc fail-open" command was removed, cameras worked. I just set up an access-list to block the security traffic from reaching the CSC module.
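A sketch of the kind of exclusion described in the resolution above, added here as an example and not taken from the poster's configuration. The ACL and class names, the /24 masks, and the `csc fail-close` choice are assumptions; the thread does not say whether CSC scanning was re-enabled for other traffic.

```cisco
! Added example (assumed names and /24 masks; not the poster's actual config).
! Goal: keep camera/video flows between the DMZ and Inside out of the class
! that diverts traffic to the CSC SSM, while still scanning the protocols
! the CSC module handles (HTTP, FTP, SMTP, POP3).

! "deny" in a class-map match ACL means "do not match this class",
! so these flows are never sent to the CSC module.
access-list csc_match extended deny ip 192.168.12.0 255.255.255.0 140.152.25.0 255.255.255.0
access-list csc_match extended deny ip 140.152.25.0 255.255.255.0 192.168.12.0 255.255.255.0

! Only the protocols the CSC SSM can scan are diverted; everything else
! bypasses the module instead of matching a catch-all class.
access-list csc_match extended permit tcp any any eq www
access-list csc_match extended permit tcp any any eq ftp
access-list csc_match extended permit tcp any any eq smtp
access-list csc_match extended permit tcp any any eq pop3

class-map csc_class
 match access-list csc_match

policy-map global_policy
 class csc_class
  ! Assumption: fail-close chosen so matched traffic is blocked rather than
  ! passed unscanned if the module is down. Camera flows are excluded above
  ! and are unaffected either way.
  csc fail-close

service-policy global_policy global
```

After applying a change like this, `show service-policy` lists the packet counters for each class, so you can confirm the camera flows no longer hit the CSC class.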