https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184686#M1066070 <P>Hi everyone!</P><P>&nbsp;</P><P>I have a problem with port frowarding to my IP camera from internet. My configuration looks good, but the port forwarding doesn't working from Internet. Config is below:</P><P>&nbsp;</P><P>Interface GigabitEthernet0/0.666<BR />vlan 666<BR />nameif IPCAM<BR />security-level 100<BR />ip address 10.10.7.129 255.255.255.252<BR /><BR />interface GigabitEthernet0/2<BR />nameif outside<BR />security-level 0<BR />ip address xxx.175.123.122 255.255.255.252</P><P><BR />object network IPCAM<BR />host 10.10.7.130</P><P>object network IPCAM<BR />nat (IPCAM,outside) static interface service tcp 8090 8090<BR /><BR />access-list gre_allow extended permit tcp any object IPCAM eq 8090</P><P>access-group gre_allow in interface outside</P><P>&nbsp;</P><P><BR />FW# packet-tracer input outside tcp 111.11.50.218 8090 xxx.175.123.122 8090</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in xxx.175.123.122 255.255.255.255 identity</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P><P>Version of ASA is 8.6</P><P>&nbsp;</P><P>&nbsp;</P><P>Can somebody tell me where is my&nbsp;mistake?&nbsp;</P> Fri, 21 Feb 2020 14:18:36 GMT Viktor S 2020-02-21T14:18:36Z https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184686#M1066070 <P>Hi everyone!</P><P>&nbsp;</P><P>I have a problem with port frowarding to my IP camera from internet. My configuration looks good, but the port forwarding doesn't working from Internet. Config is below:</P><P>&nbsp;</P><P>Interface GigabitEthernet0/0.666<BR />vlan 666<BR />nameif IPCAM<BR />security-level 100<BR />ip address 10.10.7.129 255.255.255.252<BR /><BR />interface GigabitEthernet0/2<BR />nameif outside<BR />security-level 0<BR />ip address xxx.175.123.122 255.255.255.252</P><P><BR />object network IPCAM<BR />host 10.10.7.130</P><P>object network IPCAM<BR />nat (IPCAM,outside) static interface service tcp 8090 8090<BR /><BR />access-list gre_allow extended permit tcp any object IPCAM eq 8090</P><P>access-group gre_allow in interface outside</P><P>&nbsp;</P><P><BR />FW# packet-tracer input outside tcp 111.11.50.218 8090 xxx.175.123.122 8090</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in xxx.175.123.122 255.255.255.255 identity</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P><P>Version of ASA is 8.6</P><P>&nbsp;</P><P>&nbsp;</P><P>Can somebody tell me where is my&nbsp;mistake?&nbsp;</P> Fri, 21 Feb 2020 14:18:36 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184686#M1066070 Viktor S 2020-02-21T14:18:36Z https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184701#M1066071 <P>Hi,</P><P>Try to run the packet tracer again but does not use the Firewall IP address.</P><P>Try to use Camera IP address.</P><P><SPAN>packet-tracer input outside tcp 111.11.50.218 8090 &nbsp;10.10.7.130 8090</SPAN></P> Fri, 15 Sep 2017 14:10:18 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184701#M1066071 Flavio Miranda 2017-09-15T14:10:18Z https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184703#M1066072 <P>Hi Flavio!</P><P>&nbsp;</P><P>Thanks, for you reply. When i try to use camera's IP address, i get DROP on NAT with&nbsp;rfp-check:</P><P>&nbsp;</P><P>FW1# packe input outside tcp 111.11.50.218 8090 10.10.7.130 8090</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 10.10.7.128 255.255.255.252 IPCAM</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group gre_allow in interface outside<BR />access-list gre_allow extended permit tcp any host 10.10.7.130 eq 8090<BR />Additional Information:</P><P>Phase: 3<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 4<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 5<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 6<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />object network IPCAM<BR />nat (IPCAM,outside) static interface service tcp 8090 8090<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: IPCAM<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P> Fri, 15 Sep 2017 14:15:15 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3184703#M1066072 Viktor S 2017-09-15T14:15:15Z https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3188810#M1066074 <P>Hi everyone!</P><P>&nbsp;</P><P>The root cause of the problem was in the nat rules. My manual nat blocked my auto nat, so solve the problem is after-auto in the manual nat command.&nbsp;</P> Mon, 25 Sep 2017 06:42:07 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa-8-6/m-p/3188810#M1066074 Viktor S 2017-09-25T06:42:07Z