topic Video feed through ASA in Network Security

Video feed through ASA

jef_rat72 — Mon, 11 Mar 2019 22:42:06 GMT

I have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the pcs that can run the client software to view the video feed, or it can pull from the server in the DMZ.

On the server in the DMZ, you can see the feed, along with any pc you connect to that network.

On any machine on the Inside, or through VPN, you cannot either with the client software or pulling from the surveillance server.

I am watching the connection through ASDM and don’t see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I’ve taken out inspections for http and rstp. I don’t really see anything else that would drop video. I've attached the error I keep seeing.

Anyone have experience with something similar?

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

Ethernet0/1 Inside 140.152.25.1 255.255.0.0 CONFIG

Ethernet0/3 DMZ 192.168.12.1 255.255.255.0 CONFIG

access-list inside_nat0_outbound extended permit ip 140.152.0.0 255.255.0.0 192.168.12.0 255.255.255.0

access-list ROKVPN_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0

access-list DMZ_access_in extended permit icmp any any echo

access-list DMZ_access_in extended permit icmp any any echo-reply

access-list DMZ_access_in extended permit icmp any any time-exceeded

access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 140.152.0.0 255.255.0.0

access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.220.0 255.255.255.240

access-group inside_access_out in interface Inside

access-group DMZ_access_in in interface DMZ

Video feed through ASA

Mark^ — Wed, 14 Mar 2012 20:00:34 GMT

I wonder if this is a NAT issue similar to what I am asking about here:

https://supportforums.cisco.com/message/3585157#3585157

Scenario seems similar in the sense that we both have services on different interfaces that we are trying to access.

Video feed through ASA

Mark^ — Wed, 14 Mar 2012 20:04:49 GMT

Actually, I take that back. I'm no expert, but in looking at your screenshot, I wonder if there is a policy in place that is blocking private addresses (192.168.x.x in this case) from traversing the outside interface.

An address like that will be dropped at my outside interface.

Video feed through ASA

Julio Carvajal — Thu, 15 Mar 2012 06:29:17 GMT

Have you tried with :

inspect h323 h225

inspect h323 ras

Video feed through ASA

sguirguis — Thu, 15 Mar 2012 12:46:43 GMT

Hello,

Can you post " sh service-policy inspect http " ?

Also is "inside_access_out" supposed to be in applied in the "in" direction of the inside interface ?

Video feed through ASA

jef_rat72 — Thu, 15 Mar 2012 14:50:50 GMT

sh service-policy inspect http

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http, packet 1510005, drop 0, reset-drop 0

I'm new to this ASA, I've questioned that access list myself, but am not positive why it has been set up the way it has. I've been on the phone with TAC, so far they have not been able to come up with an answer, but still working on it.

Video feed through ASA

jef_rat72 — Thu, 15 Mar 2012 14:51:41 GMT

jcarvaja,

yes I have. And I've removed all inspect commands, same issue.

Re: Video feed through ASA

jef_rat72 — Thu, 15 Mar 2012 17:14:32 GMT

Just an FYI the problem was that there is a CSC module on the ASA. In the config was the command "csc fail-open" under a global-glass. This was allowing the return traffic to come back un-inspected, which prompted the "TCP closed by inspection" error.

Once the "csc fail-open" command was removed, cameras worked. I just set up an access-list to block the security traffic from reaching the CSC module.