RTSP Inspection
Because RFC 2326 does not require the client and server ports to be present in the SETUP response message, the FWSM keeps state and remembers the client ports from the SETUP message. QuickTime places the client ports in the SETUP message, and the server then responds with only the server ports.
RTSP inspection supports PAT. It does not support dual-NAT, however. Also, the FWSM cannot recognize HTTP cloaking, which hides RTSP messages inside HTTP messages.
Using RealPlayer
When using RealPlayer, it is important to properly configure transport mode. For the FWSM, add an
access-list command from the server to the client or vice versa. For RealPlayer, change transport mode
by choosing Options > Preferences > Transport > RTSP Settings.
If using TCP mode on the RealPlayer, check the Use TCP to Connect to Server and Attempt to use
TCP for all content check boxes. On the FWSM, there is no need to configure the inspection engine.
If using UDP mode on the RealPlayer, check the Use TCP to Connect to Server and Attempt to use
UDP for static content check boxes, and for live content not available via Multicast. On the FWSM,
add an inspect rtsp port command.
Restrictions and Limitations
The following restrictions apply to RTSP inspection:
• The FWSM does not support multicast RTSP or RTSP messages over UDP.
• The FWSM does not have the ability to recognize HTTP cloaking, which hides RTSP messages in the HTTP messages.
• The FWSM cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages. Packets could be fragmented, and the FWSM cannot perform NAT on fragmented packets.
• With Cisco IP/TV, the number of NATs the FWSM performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).
• You can configure NAT for Apple QuickTime 4 or RealPlayer. Cisco IP/TV only works with NAT if the Viewer and Content Manager are on the outside network and the server is on the inside network.
Enabling and Configuring RTSP Inspection
To enable or configure RTSP application inspection, perform the following steps:
Step 1 Determine the ports receiving RTSP SETUP messages behind the FWSM. The default ports are TCP ports 554 and 8554.
Step 2 Create an access list to identify the RTSP SETUP messages. Use the access-list extended command to do so, adding an ACE to match each port, as follows.
hostname(config)# access-list acl-name extended permit tcp any any eq port_number
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-74
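As an added example that is not configuration from the guide itself, the following FWSM configuration carries the procedure above through to applying inspection: the access list from Step 2 matches the default SETUP ports 554 and 8554, a class map selects that traffic, and a policy map applies inspect rtsp to it on one interface. The names RTSP_SETUP, RTSP_TRAFFIC and RTSP_POLICY and the interface name inside are assumptions, not values from the guide.

```text
! Step 1 and Step 2: identify RTSP SETUP traffic on the default ports (TCP 554 and 8554).
! The access-list, class-map and policy-map names below are assumed; substitute site names.
access-list RTSP_SETUP extended permit tcp any any eq 554
access-list RTSP_SETUP extended permit tcp any any eq 8554
!
! Select only the traffic identified by that access list.
class-map RTSP_TRAFFIC
 match access-list RTSP_SETUP
!
! Apply RTSP inspection to that class alone, so other TCP traffic is not parsed as RTSP.
policy-map RTSP_POLICY
 class RTSP_TRAFFIC
  inspect rtsp
!
! Activate the policy on the interface facing the RTSP clients (assumed here: inside).
service-policy RTSP_POLICY interface inside
!
! Confirm the inspection is attached and is counting RTSP connections.
show service-policy interface inside
```

Because the FWSM does not inspect RTSP over UDP or HTTP-cloaked RTSP, this policy only tracks sessions whose SETUP messages arrive over TCP on the listed ports, which matches the RealPlayer TCP transport settings described earlier.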
Chapter 22
Applying Application Layer Protocol Inspection
OL-20748-01