topic Re: Setting up device in DMZ (SlingBox) in Network Security

Setting up device in DMZ (SlingBox)

SPERTWCISCO — Mon, 11 Mar 2019 17:39:56 GMT

Hello,

For those who is not familiar with what is SlingBox is, it basically stream a analog or digital video source over TCP/IP. Is a pretty cool device and it will also stream the video over internet. http://ca.slingmedia.com/go/slingbox-prohd

The software client to view the SlingBox has a major issue. It require that the computer and slingbox device located within the same network. Basically, the software client will need to automatically detects the slingbox and there is no way to manually tell the software client where the slingbox is located (say if I place the slingbox in a different network).

Being side that, I try to put my slingbox in the DMZ of my ASA5505 base license. Setup static NAT as follows:

object network NAS1

host 10.2.1.10 <-----------slingbox

object network NAS1

nat (dmz,inside) static 192.168.1.15 <--------my computer

Note: I am using ASA 8.3.

My computer IP is 192.168.1.8 and when I launch the software client, it is unable to detect my slingbox in the DMZ.... Any clue how to get this going? Keep in mind I only have the base license for my ASA5505, so I can't initiate traffic from DMZ to inside and I am not sure if that is a requirement for the slingbox....

And I don't really want to put my slingbox to the inside zone, as slingbox require external internet connection initiated from the outside!

I try getting support from slingbox manufacturer, they have never seen anyone trying to do this, hence, useless...

please help!

here is my config:

: Saved

ASA Version 8.3(1)

hostname xxxxxxxx

enable password xxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxx encrypted

names

interface Vlan200

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan500

no forward interface Vlan800

nameif dmz

security-level 50

ip address 10.2.1.1 255.255.255.0

interface Vlan800

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 200

interface Ethernet0/1

switchport access vlan 500

switchport protected

interface Ethernet0/2

switchport access vlan 500

switchport protected

interface Ethernet0/3

switchport access vlan 800

interface Ethernet0/4

switchport access vlan 800

interface Ethernet0/5

switchport access vlan 800

switchport protected

interface Ethernet0/6

switchport access vlan 800

interface Ethernet0/7

switchport access vlan 500

switchport protected

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone xxxxx

object network NAS1

host 10.2.1.10

object network Internet_Access

subnet 0.0.0.0 0.0.0.0

object network Internet_Access2

subnet 0.0.0.0 0.0.0.0

object-group service SlingBox tcp

port-object eq 5001

access-list outside_access_in extended deny ip any any

access-list dmz_access_in extended deny ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu dmz 1500

mtu inside 1500

ipv6 access-list inside_access_ipv6_in deny ip any any

ipv6 access-list dmz_access_ipv6_in deny ip any any

ipv6 access-list outside_access_ipv6_in deny ip any any

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

object network NAS1

nat (dmz,inside) static 192.168.1.15

object network Internet_Access

nat (inside,outside) dynamic interface

object network Internet_Access2

nat (dmz,outside) dynamic interface

access-group outside_access_in in interface outside

access-group outside_access_ipv6_in in interface outside

access-group dmz_access_in in interface dmz

access-group dmz_access_ipv6_in in interface dmz

access-group inside_access_in in interface inside

access-group inside_access_ipv6_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd auto_config outside

dhcpd address 10.2.1.8-10.2.1.12 dmz

dhcpd dns {ISP DNS1} {ISP DNS2} interface dmz

dhcpd enable dmz

dhcpd address 192.168.1.8-192.168.1.15 inside

dhcpd dns {ISP DNS1} {ISP DNS2} interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username xxxxxx password xxxxxxxxxxxxx encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxx

: end

Re: Setting up device in DMZ (SlingBox)

Jennifer Halim — Mon, 03 May 2010 05:18:34 GMT

I assume you meant to say "sling box NATed ip address" instead of "my computer" on the following:

object network NAS1

host 10.2.1.10 <-----------slingbox

object network NAS1

nat (dmz,inside) static 192.168.1.15 <--------my computer

If the assumption is correct, here is what I believe you are trying to achieve:

Your PC where the slingbox client is on 192.168.1.8.

Slingbox is on DMZ with ip address of 10.2.1.10, and you would like to NAT it to 192.168.1.15 on the inside.

You would also need to configure the following:

object network yourPC

host 192.168.1.8

nat (inside,dmz) static 192.168.1.8

Lastly, if you have access-list on the inside interface, you would need to allow between your PC 192.168.1.8 and 192.168.1.15 (plus make sure that proxy arp on the inside interface is not disabled).

Hope that helps.

Re: Setting up device in DMZ (SlingBox)

SPERTWCISCO — Mon, 03 May 2010 05:30:16 GMT

^^Your assumption is correct.

I have ensure proxy arp is enable on all interface.

But still, the Slingbox client (192.168.1.8) can not detect the slingbox device (10.2.1.10) in the dmz....

Here is my current config:

: Saved

ASA Version 8.3(1)

hostname xxxx

enable password xxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

names

interface Vlan200

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan500

no forward interface Vlan800

nameif dmz

security-level 50

ip address 10.2.1.1 255.255.255.0

interface Vlan800

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 200

interface Ethernet0/1

switchport access vlan 500

interface Ethernet0/2

switchport access vlan 500

interface Ethernet0/3

switchport access vlan 800

interface Ethernet0/4

switchport access vlan 800

interface Ethernet0/5

switchport access vlan 800

interface Ethernet0/6

switchport access vlan 800

interface Ethernet0/7

switchport access vlan 500

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone CST -6

object network NAS1

host 10.2.1.10

object network Internet_Access

subnet 0.0.0.0 0.0.0.0

object network Internet_Access2

subnet 0.0.0.0 0.0.0.0

object network laptop

host 192.168.1.8

object-group service SlingBox tcp

port-object eq 5001

access-list outside_access_in extended deny ip any any

access-list dmz_access_in extended deny ip any any

access-list inside_access_in extended permit ip host 192.168.1.8 any

access-list inside_access_in extended permit tcp host 192.168.1.9 any object-group SlingBox

access-list inside_access_in extended permit ip host 192.168.1.8 host 192.168.1.15

access-list inside_access_in extended deny ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu dmz 1500

mtu inside 1500

ipv6 access-list inside_access_ipv6_in deny ip any any

ipv6 access-list dmz_access_ipv6_in deny ip any any

ipv6 access-list outside_access_ipv6_in deny ip any any

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

object network NAS1

nat (dmz,inside) static 192.168.1.15

object network Internet_Access

nat (inside,outside) dynamic interface

object network Internet_Access2

nat (dmz,outside) dynamic interface

object network laptop

nat (inside,dmz) static 192.168.1.8

access-group outside_access_in in interface outside

access-group outside_access_ipv6_in in interface outside

access-group dmz_access_in in interface dmz

access-group dmz_access_ipv6_in in interface dmz

access-group inside_access_in in interface inside

access-group inside_access_ipv6_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd auto_config outside

dhcpd address 10.2.1.8-10.2.1.12 dmz

dhcpd dns [ISP DNS1] [ISP DNS2] interface dmz

dhcpd enable dmz

dhcpd address 192.168.1.8-192.168.1.15 inside

dhcpd dns [ISP DNS1] [ISP DNS2] interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username xxxxx password xxxxxxxxxx encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:xxxxxxxxxxxxxxxxxxx

: end

Re: Setting up device in DMZ (SlingBox)

SPERTWCISCO — Tue, 04 May 2010 04:22:52 GMT

I have added:

access-list dmz_access_in extended permit ip host 10.2.1.10 host 192.168.1.8

but still doesn't work~

Please help!

Re: Setting up device in DMZ (SlingBox)

Jennifer Halim — Tue, 04 May 2010 11:47:08 GMT

Not too sure how slingbox works, but how does it automatically detect the server? What protocol and address does it use? Are you sure you can't configure the server ip address on the client?