1

I recently bought a Cisco ASA 5500 for my home office. I was planning on installing and configuring it this weekend, but it only just occurred to me that it probably doesn't support UPnP, and that I've grown quite fond of the UPnP stuff I have on my network (mostly using my PS3 to connect to my media server).

So, does anyone know if there is a way to do UPnP on an ASA (Google didn't seem to think so), or if it's possible to somehow enable UPnP on a network that uses an ASA? I'm unsure if the router is integral to UPnP or if I could, like, set up a service on a machine, similar to how most people use their router for DHCP but I could just as easily run a DHCP service on one of my servers on the network to accomplish the same thing.

Chris May
  • UPNP Firewall holes and UPNP Media servers are two totally different things. I figured the Cisco guys would know this. You have to configure the ASA to set a Rendezvous Point for PIM Multicast routing. As to the exact steps required for that ... that's why I came here. Keep looking and I'll update this if I get it working. – Evan Langlois Nov 21 '15 at 03:02

3 Answers

7

They can't, and probably never will, offer this function, sorry. This may seem rude, it's not meant to be, but ASAs are professional kit, UPNP is a home oriented protocol - you'll rarely find pro kit doing things that people want in their homes and vice versa.

Chopper3
  • Agreed...upnp was meant for home users that got confused at the idea of opening ports and configuring their systems to properly lock things down. – Bart Silverstrim Jul 08 '11 at 15:11
5

Yeah...ummmmm...that's not going to happen. I can't think of any respectable network engineer who would consider UPNP a feature and not a glaring security hole in their firewall. Remember that the ASA is not a home internet sharing gateway. It is a professional firewall designed to protect your network. Letting any unauthenticated client open up ports in the firewall would just be stupidity for Cisco to allow.

Jason Berg
1

If your PS3 and your media server are on the same subnet, your ASA will not need to be involved at all. UPnP discovery is multicast, which doesn't need the participation or cooperation of your firewall as long as it's on the same segment.

If it is on different segments (that is, different interfaces off the firewall), you can probably still make it happen by configuring PIM on the ASA.

Re: other answers; the port-forwarding feature is definitely a "no-way-in-hell", I agree, but the multicast device discovery for media streaming should be just fine.

Shane Madden
  • >UPnP discovery is multicast, which doesn't need the participation or cooperation of your firewall as long as it's on the same segment. Hmmm, I had thought in the past the PS3 (and iTunes on my laptops) wouldn't see the media server (all on the same segment and subnet) until I enabled UPnP on the router. I'll give it a try and see what I get when I set it up. >Re: other answers; the port-forwarding feature is definitely a "no-way-in-hell", I agree, but the multicast device discovery for media streaming should be just fine. This is what I was going for, not to allow ports to be opened. – Chris May Jul 08 '11 at 16:01
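
The split the thread keeps returning to, UPnP media discovery versus UPnP port mapping, shows up in the SSDP advertisements themselves (multicast to 239.255.255.250:1900). The following is an added example, not part of any post on this page: it classifies SSDP messages by the device or service type they advertise, so you can see which hosts on a segment offer port mapping and which only announce media services. The function names and all sample messages are constructed for illustration.

```python
# Added example; every sample message below is constructed, not captured.
PORT_MAPPING = {"InternetGatewayDevice", "WANIPConnection", "WANPPPConnection"}
MEDIA = {"MediaServer", "MediaRenderer", "ContentDirectory", "AVTransport"}

def parse_ssdp(raw: bytes) -> dict:
    """Split an SSDP NOTIFY or M-SEARCH response into start line and headers."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"start": lines[0].strip(), "headers": headers}

def classify(raw: bytes) -> str:
    """Return 'port-mapping', 'media', 'other' or 'not-ssdp'."""
    msg = parse_ssdp(raw)
    if not msg["start"].startswith(("NOTIFY * HTTP/1.1", "HTTP/1.1 200")):
        return "not-ssdp"
    # NOTIFY carries the type in NT, a search response carries it in ST.
    target = msg["headers"].get("NT") or msg["headers"].get("ST") or ""
    parts = target.split(":")
    # urn:schemas-upnp-org:device:MediaServer:1 -> parts[3] is the type name
    kind = parts[3] if len(parts) == 5 and parts[0] == "urn" else ""
    if kind in PORT_MAPPING:
        return "port-mapping"
    return "media" if kind in MEDIA else "other"

def port_mapping_hosts(packets) -> list:
    """packets: iterable of (source_ip, raw_bytes). Hosts advertising port mapping."""
    return sorted({ip for ip, raw in packets if classify(raw) == "port-mapping"})

MEDIA_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"NT: urn:schemas-upnp-org:device:MediaServer:1\r\n"
                b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:8200/desc.xml\r\n\r\n")
IGD_RESPONSE = (b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
                b"LOCATION: http://192.168.1.1:5000/root.xml\r\n\r\n")
ROOT_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n")
SAMPLES = [("192.168.1.20", MEDIA_NOTIFY), ("192.168.1.1", IGD_RESPONSE),
           ("192.168.1.20", ROOT_NOTIFY)]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, classify(raw))
    print("hosts offering port mapping:", port_mapping_hosts(SAMPLES))
```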