03-14-2012 06:56 AM - edited 03-11-2019 03:42 PM
I have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, a switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the PCs that can run the client software to view the video feed, or it can pull from the server in the DMZ.
On the server in the DMZ, you can see the feed, along with any PC you connect to that network.
On any machine on the Inside, or through VPN, you cannot, either with the client software or by pulling from the surveillance server.
I am watching the connection through ASDM and don't see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I've taken out inspections for http and rtsp. I don't really see anything else that would drop video. I've attached the error I keep seeing.
Anyone have experience with something similar?
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
Ethernet0/1 Inside 140.152.25.1 255.255.0.0 CONFIG
Ethernet0/3 DMZ 192.168.12.1 255.255.255.0 CONFIG
access-list inside_nat0_outbound extended permit ip 140.152.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list ROKVPN_splitTunnelAcl standard permit 192.168.12.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any echo
access-list DMZ_access_in extended permit icmp any any echo-reply
access-list DMZ_access_in extended permit icmp any any time-exceeded
access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 140.152.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.220.0 255.255.255.240
access-group inside_access_out in interface Inside
access-group DMZ_access_in in interface DMZ
03-14-2012 01:00 PM
I wonder if this is a NAT issue similar to what I am asking about here:
https://supportforums.cisco.com/message/3585157#3585157
Scenario seems similar in the sense that we both have services on different interfaces that we are trying to access.
03-14-2012 01:04 PM
Actually, I take that back. I'm no expert, but in looking at your screenshot, I wonder if there is a policy in place that is blocking private addresses (192.168.x.x in this case) from traversing the outside interface.
An address like that will be dropped at my outside interface.
03-15-2012 07:51 AM
jcarvaja,
Yes, I have. And I've removed all inspect commands, same issue.
03-14-2012 11:29 PM
Have you tried with:
 inspect h323 h225
 inspect h323 ras
03-15-2012 05:46 AM
Hello,
Can you post "sh service-policy inspect http"?
Also, is "inside_access_out" supposed to be applied in the "in" direction of the inside interface?
03-15-2012 07:50 AM
sh service-policy inspect http
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http, packet 1510005, drop 0, reset-drop 0
I'm new to this ASA, I've questioned that access list myself, but am not positive why it has been set up the way it has. I've been on the phone with TAC, so far they have not been able to come up with an answer, but still working on it.
03-15-2012 10:14 AM
Just an FYI, the problem was that there is a CSC module on the ASA. In the config was the command "csc fail-open" under a global class. This was allowing the return traffic to come back uninspected, which prompted the "TCP closed by inspection" error.
Once the "csc fail-open" command was removed, the cameras worked. I just set up an access-list to block the security traffic from reaching the CSC module.
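As an added illustration (not posted by anyone in this thread) of the fix the last reply describes: the catch-all CSC class with fail-open, beside a replacement that keeps the DMZ camera subnet out of the CSC module and fails closed. The ACL and class names csc_acl/csc_class are assumed; the subnets are the ones from the original post.

```cisco
! Before (assumed to mirror the problem state): every flow in the default
! class is handed to the CSC module, and fail-open lets traffic pass
! unscanned whenever the module does not answer.
policy-map global_policy
 class inspection_default
  csc fail-open
!
! After: exempt the camera subnet in both directions, send only the
! protocols the CSC module scans, and fail closed so an unresponsive
! module drops the flow instead of bypassing inspection.
access-list csc_acl extended deny ip 140.152.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list csc_acl extended deny ip 192.168.12.0 255.255.255.0 140.152.0.0 255.255.0.0
access-list csc_acl extended permit tcp 140.152.0.0 255.255.0.0 any eq www
access-list csc_acl extended permit tcp 140.152.0.0 255.255.0.0 any eq ftp
access-list csc_acl extended permit tcp 140.152.0.0 255.255.0.0 any eq smtp
access-list csc_acl extended permit tcp 140.152.0.0 255.255.0.0 any eq pop3
class-map csc_class
 match access-list csc_acl
policy-map global_policy
 class inspection_default
  no csc fail-open
 class csc_class
  csc fail-close
!
! Verify which class now carries the CSC action and watch its counters
! while a camera stream is opened from the inside.
show service-policy csc
```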