Cisco ASA and Windows Streaming Media

This document provides a short overview of the limitations of Windows Streaming Media Services when using a Cisco ASA Firewall.

Protocols Used by Windows Media Services 9
Microsoft Windows Media Services 9 uses two protocols to deliver streaming media to client computers: RTSP (Real Time Streaming Protocol) on TCP port 554, and MMS (Microsoft Media Server) on TCP port 1755. If these ports on a firewall cannot be opened, port 80 (HTTP) can be used to stream content via a Windows plug-in. However, if any other service, such as IIS, is using port 80 on the same IP address, you cannot enable the plug-in.

Protocol Rollover
Earlier versions of Windows Media Player do not support RTSP, so Windows Media Services 9 features automatic protocol rollover. If a client running an earlier version of Windows Media Player connects using an MMS URL (mms://server/video.file), the best protocol the client supports is negotiated automatically.

Limitations
Many protocols open secondary TCP or UDP ports. The initial session negotiates a connection on a well-known port number (0 – 1023) and dynamically assigns any additional port numbers. When application inspection is used on a firewall, the firewall monitors each session and the dynamic port assignments made within it. By default, the ASA configuration applies application inspection to matching traffic on all interfaces. However, RTSP inspection does not support NAT, so the rtsp inspect engine must be disabled on the firewall.

Solution
Since application inspection is enabled by default on Cisco ASA firewalls, the configuration must be changed. This is done by removing RTSP inspection from the global inspection policy (the class sits under the default global policy-map):

policy-map global_policy
 class inspection_default
  no inspect rtsp

This can also be done in ASDM, following these steps from the Cisco website:

Step 1 Click Configuration > Firewall > Service Policy Rules.
Step 2 Add or edit a service policy rule according to the “Adding a Service Policy Rule for Through Traffic” section on page 23-4. If you want to match non-standard ports, then create a new rule for the non-standard ports. See the “Default Inspection Policy” section for the standard ports for each inspection engine. You can combine multiple rules in the same service policy if desired, so you can create one rule to match certain traffic, and another to match different traffic. However, if traffic matches a rule that contains an inspection action, and then matches another rule that also has an inspection action, only the first matching rule is used.
Step 3 On the Edit Service Policy Rule > Rule Actions dialog box, click the Protocol Inspection tab.
For a new rule, the dialog box is called Add Service Policy Rule Wizard – Rule Actions.
Step 4 Check each inspection type that you want to apply.
Step 5 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. Click Configure for each inspection type to configure an inspect map.
You can either choose an existing map, or create a new one. You can predefine inspect maps from the Configuration > Firewall > Objects > Inspect Maps pane. See the “Inspect Map Field Descriptions” section for detailed information of each inspect map type.
Step 6 You can configure other features for this rule if desired using the other Rule Actions tabs.
Step 7 Click OK (or Finish from the wizard).
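To verify that the change above actually landed, and that the firewall still permits the two Windows Media Services ports to the media server, the following added example (not from the original post or from Cisco) parses a saved ASA running-config. The config text, the server address 192.0.2.10 and the access-list name outside_in are constructed for the example; it handles the common `permit tcp any host X eq PORT` access-list form only.

```python
import re

# Constructed sample of an ASA running-config: the default global policy
# still carries "inspect rtsp", and only tcp/554 and tcp/80 reach the server.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 192.0.2.10 eq rtsp
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rtsp
  inspect h323 h225
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
"""

PORT_NAMES = {"rtsp": 554, "www": 80, "http": 80}  # ASA port keywords

ACL_RE = re.compile(r"^access-list \S+ extended permit tcp \S+ host (\S+) eq (\S+)$")


def _block(lines, header):
    """Return the lines nested under the first line equal to `header`,
    dedented by one space so nested blocks can be parsed the same way."""
    out, inside = [], False
    for line in lines:
        if line == header:
            inside = True
        elif inside and line.startswith(" "):
            out.append(line[1:])
        elif inside:
            break
    return out


def rtsp_inspection_enabled(config):
    """True if inspect rtsp is active in class inspection_default of global_policy."""
    policy = _block(config.splitlines(), "policy-map global_policy")
    klass = _block(policy, "class inspection_default")
    return "inspect rtsp" in klass and "no inspect rtsp" not in klass


def permitted_tcp_ports(config, host):
    """Set of TCP ports the access-lists permit from any source to `host`."""
    ports = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == host:
            port = m.group(2)
            ports.add(int(port) if port.isdigit() else PORT_NAMES.get(port))
    return ports - {None}


def check_wms_readiness(config, server_ip):
    """Summarise whether the ASA will pass WMS 9 (RTSP 554, MMS 1755) through NAT."""
    open_ports = permitted_tcp_ports(config, server_ip)
    return {
        "rtsp_inspection_enabled": rtsp_inspection_enabled(config),
        "rtsp_554_permitted": 554 in open_ports,
        "mms_1755_permitted": 1755 in open_ports,
    }
```

Run it against `show running-config` output saved to a file; a result with `rtsp_inspection_enabled` still True means the `no inspect rtsp` change has not been applied.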
