Google Chromecast has left a wake of positive and negative thoughts recently. This 35 dollar TV streaming device adds quite a bit of functionality to your TV. If you are like me and have a firewall at home, you will need to create some rules. Google requires the Chromecast to be able to reach its DNS and NTP servers. This post includes the ASA configuration, which was done on an ASA 5515-X. When I get around to booting up the SRX, I will post a configuration for it.
access-list ACL-INSIDE extended permit udp object-group OBJ-CHROMECAST any eq ntp
access-list ACL-INSIDE extended permit udp object-group OBJ-CHROMECAST object-group DNS-CHROMECAST eq domain
Simple enough access-lists. Now for the objects which they reference.
object-group network DNS-CHROMECAST
 network-object host 8.8.8.8
object-group network OBJ-CHROMECAST
 network-object host 192.168.1.200
There you have it. A nice, easy configuration for the Chromecast. It is a little bit of a shame that Australians need to use Google DNS servers. Australia is geographically located a little distance away from Google’s DNS servers. They are not necessarily the best option due to latency, and your own ISP may be much more responsive.
Enjoy your Chromecast behind your ASA Firewall – SRX people stay tuned!
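To see which flows the two entries above actually admit, here is a small first-match model of ACL-INSIDE. It is an added example, not part of the original post and not ASA code; it parses only the syntax subset used in the post, and the test addresses 8.8.4.4 (Google's secondary resolver), 203.0.113.10 and 192.168.1.50 are constructed.

```python
# Added illustration: a first-match model of the ACL in this post, not ASA code.
CONFIG = """\
object-group network DNS-CHROMECAST
 network-object host 8.8.8.8
object-group network OBJ-CHROMECAST
 network-object host 192.168.1.200
access-list ACL-INSIDE extended permit udp object-group OBJ-CHROMECAST any eq ntp
access-list ACL-INSIDE extended permit udp object-group OBJ-CHROMECAST object-group DNS-CHROMECAST eq domain
"""
PORTS = {"ntp": 123, "domain": 53}  # ASA port keywords used in the post

def take_addr(tok):
    """Consume 'any' or 'object-group NAME'; return (group or None, rest)."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "object-group":
        return tok[1], tok[2:]
    raise ValueError("unsupported address form: " + tok[0])

def parse(config):
    """Parse only the syntax subset the post uses: host objects and 'eq' ports."""
    groups, rules, current = {}, [], None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], set())
        elif tok[:2] == ["network-object", "host"] and current is not None:
            current.add(tok[2])
        elif tok[:1] == ["access-list"]:
            # access-list NAME extended ACTION PROTO <src> <dst> eq PORT
            src, rest = take_addr(tok[5:])
            dst, rest = take_addr(rest)
            rules.append((tok[3], tok[4], src, dst, PORTS[rest[1]]))
    return groups, rules

def evaluate(src_ip, dst_ip, proto, port, config=CONFIG):
    """Return the action of the first matching entry, else the implicit deny."""
    groups, rules = parse(config)
    for action, rproto, src, dst, rport in rules:
        if (rproto == proto and rport == port
                and (src is None or src_ip in groups[src])
                and (dst is None or dst_ip in groups[dst])):
            return action
    return "deny"  # every ASA ACL ends with an implicit deny

if __name__ == "__main__":
    # Constructed flows; only 192.168.1.200 and 8.8.8.8 come from the post.
    for dst, port in [("8.8.8.8", 53), ("8.8.4.4", 53), ("203.0.113.10", 123)]:
        print(dst, port, evaluate("192.168.1.200", dst, "udp", port))
```

The model makes the asymmetry between the two entries visible: NTP from the Chromecast is permitted to any destination, while DNS is permitted only to 8.8.8.8, so a lookup sent to any other resolver falls through to the implicit deny.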
I’m not so sure that Australia is that far from a Google DNS server. I’m only 35 ms from one, which would imply that they have anycasted it to a server in Sydney.
I have found it still to be rather slower (200-400ms) than other options. Enough to be frustrating at times!
I suppose it just depends 🙂
Perhaps you need a better ISP, something with a decent peering policy 😉
Yeah, anycasted for sure
I wonder if Google is using the DNS lookup for analytics. If the Chromecast was looking up a unique DNS name then that would be a way to count usage.
Yeah – I agree. You can look at the analytics Google pull from general website stats and think they aren’t using that as it is. Without a doubt they will be harvesting Chromecast data if they make it mandatory for use. Makes you wonder what information is passing through to the overlords as it is. 35 dollars is a cheap entry point for targeted marketing!
Hi Anthony,
Can you do this with a Cisco877?….