Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 38      Configuring Inspection for Voice and Video Protocols
  RTSP Inspection
Note: For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554.
RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The 
adaptive security appliance only supports TCP, in conformity with RFC 2326. This TCP control channel 
is used to negotiate the data channels that are used to transmit audio/video traffic, depending on the 
transport mode that is configured on the client.
The supported RDT transports are: rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp.
The adaptive security appliance parses SETUP response messages with a status code of 200. If the 
response message is travelling inbound, the server is outside relative to the adaptive security appliance 
and dynamic channels need to be opened for connections coming inbound from the server. If the 
response message is outbound, then the adaptive security appliance does not need to open dynamic 
channels. 
Because RFC 2326 does not require the client and server ports to be in the SETUP response 
message, the adaptive security appliance keeps state and remembers the client ports in the SETUP 
message. QuickTime places the client ports in the SETUP message and then the server responds with 
only the server ports. 
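The state keeping described above can be modeled in a few lines. This is an added example, not Cisco code and not part of the original guide: the class name SetupTracker, the helper names, the sample RTSP messages and the use of CSeq to pair a response with its request are all assumptions made for illustration.

```python
import re

# Transports the page lists as supported; the sample messages are constructed.
SUPPORTED = {"rtp/avp", "rtp/avp/udp", "x-real-rdt", "x-real-rdt/udp", "x-pn-tng/udp"}
REQ = ("SETUP rtsp://media.example.test/clip/track1 RTSP/1.0\r\nCSeq: 3\r\n"
       "Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n")
RESP = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\n"
        "Transport: RTP/AVP;unicast;server_port=9000-9001\r\n\r\n")

def _parse(msg):
    """Split an RTSP message into (start line, dict of lowercased headers)."""
    lines = msg.strip().split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        hdrs[key.strip().lower()] = value.strip()
    return lines[0], hdrs

def _ports(transport, key):
    """Return (low, high) for client_port= or server_port=, or None if absent."""
    m = re.search(rf"(?:^|;)\s*{key}=(\d+)(?:-(\d+))?", transport)
    return (int(m.group(1)), int(m.group(2) or m.group(1))) if m else None

class SetupTracker:
    """Hypothetical model of the SETUP state keeping, not the appliance's code."""
    def __init__(self):
        self.pending = {}  # CSeq -> client ports remembered from the SETUP request

    def request(self, msg):
        start, h = _parse(msg)
        transport = h.get("transport", "")
        if start.startswith("SETUP ") and transport.split(";")[0].lower() in SUPPORTED:
            self.pending[h.get("cseq")] = _ports(transport, "client_port")

    def response(self, msg, inbound):
        """Return the data channel to allow, or None when nothing is opened."""
        start, h = _parse(msg)
        cseq = h.get("cseq")
        if start.split()[1:2] != ["200"] or cseq not in self.pending:
            return None
        remembered = self.pending.pop(cseq)
        if not inbound:  # outbound response: no dynamic channel is needed
            return None
        transport = h.get("transport", "")
        client = _ports(transport, "client_port") or remembered  # QuickTime case
        server = _ports(transport, "server_port")
        return {"server_ports": server, "client_ports": client} if client and server else None

def demo():
    tracker = SetupTracker()
    tracker.request(REQ)
    return tracker.response(RESP, inbound=True)
```

The sample response carries only server ports, as in the QuickTime case, so the client ports in the result come from the remembered SETUP request.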
RTSP inspection does not support PAT or dual-NAT. Also, the adaptive security appliance cannot 
recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages. 
Using RealPlayer
When using RealPlayer, it is important to properly configure transport mode. For the adaptive security 
appliance, add an access-list command from the server to the client or vice versa. For RealPlayer, change 
transport mode by clicking Options>Preferences>Transport>RTSP Settings.
If using TCP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use 
TCP for all content check boxes. On the adaptive security appliance, there is no need to configure the 
inspection engine. 
If using UDP mode on the RealPlayer, select the Use TCP to Connect to Server and Attempt to use 
UDP for static content check boxes, and for live content not available via Multicast. On the adaptive 
security appliance, add an inspect rtsp port command.
Restrictions and Limitations
The following restrictions apply to RTSP inspection.
• The adaptive security appliance does not support multicast RTSP or RTSP messages over UDP.
• The adaptive security appliance does not have the ability to recognize HTTP cloaking where RTSP 
messages are hidden in the HTTP messages. 
• The adaptive security appliance cannot perform NAT on RTSP messages because the embedded IP 
addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be 
fragmented and the adaptive security appliance cannot perform NAT on fragmented packets. 
• With Cisco IP/TV, the number of translations the adaptive security appliance performs on the SDP part 
of the message is proportional to the number of program listings in the Content Manager (each 
program listing can have at least six embedded IP addresses).