1 Reply Latest reply: May 5, 2010 7:04 PM by mmmsling

    Connecting to a Cisco Firewall???

    mmmsling
      Hello,
      I have recently purchased a Cisco ASA5505 firewall and I want to put my SlingBox HD Pro in a DMZ.
      Here is the current setup:
      1.  Inside zone - where my laptop with SlingMedia client is installed and will be viewing the video feed from SlingBox.  The inside zone will have access to DMZ and Outside zone (Internet) but each zone separated by the ASA5505 firewall.
      2.  DMZ Zone - This is where I plan to put my Slingbox! This zone will have Outside zone (Internet) access.  Only inside zone devices can communicate to Slingbox and not the other way around.
      3.  Outside Zone - This zone is connected to my ISP, hence, internet.  I will have to set up some kind of NAT and ACL to allow slingbox to communicate into the DMZ zone, as natively, Outside zone can't communicate to DMZ zone.
      I am having a great deal of problems getting this setup to work.  SlingMedia client seems to insist that the Slingbox be in the same network and find it automatically.  Is it possible to tell the SlingMedia Client where the SlingBox is located (IP)? Since I am putting the SlingBox in DMZ and laptop with SlingMedia Client in Inside zone, it will not find it automatically.
      HELP!!  I love my slingbox and in fact, I am using it right now to watch NHL Playoff in my local university campus! How cool is that!
        • Re: Connecting to a Cisco Firewall???
          mmmsling

          This article and some natting got it going for me!  I am very happy now!

          http://support.slingbox.com/get/KB-005052.html

          Hopefully this thread will be able to help others with a similar issue.

          Here is the config file:

          : Saved
          :
          ASA Version 8.3(1)
          !
          hostname xxxx
          enable password xxxxxxx encrypted
          passwd xxxxxxxxxxx encrypted
          names
          !
          interface Vlan200
          nameif outside
          security-level 0
          ip address dhcp setroute
          !
          interface Vlan500
          no forward interface Vlan800
          nameif dmz
          security-level 50
          ip address 10.2.1.1 255.255.255.0
          !
          interface Vlan800
          nameif inside
          security-level 100
          ip address 192.168.1.1 255.255.255.0
          !
          interface Ethernet0/0
          switchport access vlan 200
          !
          interface Ethernet0/1
          switchport access vlan 500
          switchport protected
          !
          interface Ethernet0/2
          switchport access vlan 500
          switchport protected
          !
          interface Ethernet0/3
          switchport access vlan 800
          !
          interface Ethernet0/4
          switchport access vlan 800
          !
          interface Ethernet0/5
          switchport access vlan 800
          !
          interface Ethernet0/6
          switchport access vlan 800
          !
          interface Ethernet0/7
          switchport access vlan 500
          switchport protected
          !
          boot system disk0:/asa831-k8.bin
          ftp mode passive
          clock timezone xxxx
          object network Internet_Access
          subnet 0.0.0.0 0.0.0.0
          object network Internet_Access2
          subnet 0.0.0.0 0.0.0.0
          object network laptop
          host 192.168.1.8
          object network SlingBoxHDPRO
          host 10.2.1.10
          object-group service SlingBox tcp
          port-object eq 5001
          access-list outside_access_in extended deny ip any any
          access-list inside_access_in extended permit ip host 192.168.1.8 any
          access-list inside_access_in extended deny ip any any
          access-list dmz_access_in extended deny ip 10.2.1.0 255.255.255.0 192.168.1.0 255.255.255.0
          access-list dmz_access_in extended permit ip host 10.2.1.10 any
          access-list dmz_access_in extended deny ip any any
          pager lines 24
          logging enable
          logging asdm informational
          mtu outside 1500
          mtu dmz 1500
          mtu inside 1500
          ipv6 access-list inside_access_ipv6_in deny ip any any
          ipv6 access-list dmz_access_ipv6_in deny ip any any
          ipv6 access-list outside_access_ipv6_in deny ip any any
          icmp unreachable rate-limit 1 burst-size 1
          asdm image disk0:/asdm-631.bin
          no asdm history enable
          arp timeout 14400
          !
          object network Internet_Access
          nat (inside,outside) dynamic interface
          object network Internet_Access2
          nat (dmz,outside) dynamic interface
          object network laptop
          nat (inside,dmz) static 192.168.1.8
          object network SlingBoxHDPRO
          nat (dmz,inside) static 192.168.1.14
          access-group outside_access_in in interface outside
          access-group outside_access_ipv6_in in interface outside
          access-group dmz_access_in in interface dmz
          access-group dmz_access_ipv6_in in interface dmz
          access-group inside_access_in in interface inside
          access-group inside_access_ipv6_in in interface inside
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
          timeout tcp-proxy-reassembly 0:01:00
          dynamic-access-policy-record DfltAccessPolicy
          aaa authentication ssh console LOCAL
          http server enable
          http 192.168.1.0 255.255.255.0 inside
          no snmp-server location
          no snmp-server contact
          snmp-server enable traps snmp authentication linkup linkdown coldstart
          crypto ipsec security-association lifetime seconds 28800
          crypto ipsec security-association lifetime kilobytes 4608000
          telnet timeout 5
          ssh 192.168.1.0 255.255.255.0 inside
          ssh timeout 30
          ssh version 2
          console timeout 0
          dhcpd auto_config outside
          !
          dhcpd address 10.2.1.8-10.2.1.12 dmz
          dhcpd dns [DNS1] [DNS2] interface dmz
          dhcpd enable dmz
          !
          dhcpd address 192.168.1.8-192.168.1.15 inside
          dhcpd dns [DNS1] [DNS2] interface inside
          dhcpd enable inside
          !
          threat-detection basic-threat
          threat-detection statistics host
          threat-detection statistics port
          threat-detection statistics protocol
          threat-detection statistics access-list
          no threat-detection statistics tcp-intercept
          webvpn
          username xxxx password xxxxxxxxxx encrypted
          !
          class-map inspection_default
          match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
          parameters
            message-length maximum client auto
            message-length maximum 512
          policy-map global_policy
          class inspection_default
            inspect dns preset_dns_map
            inspect ftp
            inspect h323 h225
            inspect h323 ras
            inspect ip-options
            inspect netbios
            inspect rsh
            inspect rtsp
            inspect skinny
            inspect esmtp
            inspect sqlnet
            inspect sunrpc
            inspect tftp
            inspect sip
            inspect xdmcp
          !
          service-policy global_policy global
          prompt hostname context
          call-home
          profile CiscoTAC-1
            no active
            destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
            destination address email callhome@cisco.com
            destination transport-method http
            subscribe-to-alert-group diagnostic
            subscribe-to-alert-group environment
            subscribe-to-alert-group inventory periodic monthly
            subscribe-to-alert-group configuration periodic monthly
            subscribe-to-alert-group telemetry periodic daily
          Cryptochecksum:xxxxxxx
          : end
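
An added example, not part of the original post and not Cisco or Sling Media code: a Python check that replays the IPv4 access-list lines from the configuration above with first-match semantics and reports how the four flows in the original zone plan are treated when a new connection is opened. It models the ACLs only (no NAT, no stateful return traffic), uses the real host addresses from the config, and 198.51.100.7 is a constructed stand-in for an Internet host.

```python
import ipaddress

ACL_TEXT = """\
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip host 192.168.1.8 any
access-list inside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip 10.2.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit ip host 10.2.1.10 any
access-list dmz_access_in extended deny ip any any
"""  # IPv4 ACL lines copied from the configuration posted above

def _addr(tok):
    """Consume one ASA address spec: 'any', 'host A' or 'NET MASK'."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(head + "/" + tok.pop(0))

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
            continue
        if tok[4] != "ip":
            raise ValueError("only 'ip' entries are handled: " + line)
        rest = tok[5:]
        src, dst = _addr(rest), _addr(rest)
        acls.setdefault(tok[1], []).append((tok[3], src, dst))
    return acls

def decide(acls, name, src, dst):
    """First matching entry wins; every ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(name, []):
        if s in src_net and d in dst_net:
            return action
    return "deny"

def audit(acls):
    """Verdicts for new connections; 198.51.100.7 is a constructed Internet host."""
    return {
        "slingbox -> inside": decide(acls, "dmz_access_in", "10.2.1.10", "192.168.1.8"),
        "slingbox -> internet": decide(acls, "dmz_access_in", "10.2.1.10", "198.51.100.7"),
        "laptop -> slingbox": decide(acls, "inside_access_in", "192.168.1.8", "10.2.1.10"),
        "internet -> slingbox": decide(acls, "outside_access_in", "198.51.100.7", "10.2.1.10"),
    }
```

Calling audit(parse_acls(ACL_TEXT)) shows that, with the ACLs as posted, connections started from the DMZ toward the inside network and connections started from the Internet toward the Slingbox are both denied, while the laptop can reach the Slingbox and the Slingbox can reach the Internet.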