topic Yup, what you added was only in Network Security

Trouble

Dana_Alexis — Tue, 12 Mar 2019 08:52:06 GMT

Okay, I'm starting to get desperate. Sorry if I posted this on the wrong forum.

Here's my situation: There are several Cisco ASA 5506 x's deployed at our client's stores. What I'm trying to do is to make it possible to access the camera from any device by typing in the static ip with whatever port the camera is set with, like 8080. The problem is I don't know how to set up a Cisco ASA. My only experience with cisco are routers and switches.

The ASA is setup like this:

outside====>ASA firewall<====inside

The camera is connected on the inside interface on a switch.

The command I've tried for port forwarding are these:

object network camera
host 192.168.103.***

object service tcp_camera
service tcp source eq 80

nat (inside,outside) source dynamic any interface
access-list CamToInside permit tcp any host 192.168.103.*** eq www
access-group CamToInside in interface outside

But it didn't work, so I removed that. I've been researching for a really long time, and I'm getting nowhere. Can someone help me? I'll put the config one of the firewalls I'm working with has. I'll remove some of the info, though. These were the things done by other people before I started working here.

You should follow the steps

Rahul Govindan — Thu, 02 Feb 2017 01:34:04 GMT

You should follow the steps to create port forwarding rules here:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc10

I tried that, but it didn't

Dana_Alexis — Thu, 02 Feb 2017 04:15:25 GMT

I tried that, but it didn't work, for some reason. I looked at the logs, and I was getting this when I tried accessing the camera through my phone's ip cam app:

I also tried using the computer at the office, but it's not working.

Here's how I set up the nat, in case it was a mis-configuration on my end.

Can you get the Cli of the

Rahul Govindan — Thu, 02 Feb 2017 10:19:25 GMT

Can you get the Cli of the nat you added? Also run a packet-tracer to simulate the asa processing. The command is below :

Packet-tracer input outside tcp 4.4.4.4 12345 <outside ip address > 8080 detailed

Sorry it took a while.

Dana_Alexis — Fri, 03 Feb 2017 04:40:55 GMT

Sorry it took a while. Timezone difference. Okay, it looks like the only thing added when I used ASDM to configure port forwarding were these:

object network camera_192.168.***.***
nat (inside,outside) static interface service tcp www 8080

I did not see a new access list at all. The packet tracer result is attached. It looks like it's getting dropped because of the implicit deny, if I'm reading it right.

Yup, what you added was only

Rahul Govindan — Fri, 03 Feb 2017 12:22:41 GMT

Yup, what you added was only the NAT. Your ACL's were correct when you added it the first time.

access-list CamToInside permit tcp any host 192.168.103.*** eq www
access-group CamToInside in interface outside

Okay, I'll try that Monday

Dana_Alexis — Sat, 04 Feb 2017 04:56:47 GMT

Okay, I'll try that Monday since I'm off today and tomorrow and get back to you.

Okay, I added the access-list

Dana_Alexis — Mon, 06 Feb 2017 07:20:13 GMT

Okay, I added the access-list, but for whatever reason, it's still being denied. I attached the packet tracer result. The commands that were added to the running config were these:

access-list Cam_Access extended permit tcp any host 192.168.***.*** eq www

access-group Cam_Access in interface outside

Actually, it's kinda weird it became an extended permit. I didn't type that at all.

What was the packet-tracer

Rahul Govindan — Mon, 06 Feb 2017 13:05:27 GMT

What was the packet-tracer command that you ran? Can you attach a santized config to this thread if possible to check?

Okay, I actually made an

Dana_Alexis — Tue, 07 Feb 2017 04:13:38 GMT

Okay, I actually made an error in the ip address for the object network, so I corrected it. But now, I'm getting a weird result. The packet tracer result shows that it should be working, but when I try to access the camera on my phone, it's not working. Could this be an issue not related to the asa config?

I attached the results I got when using packet-tracer input outside tcp 4.4.4.4 12345 (outside ip address) 8080 detailed command after fixing the ip address error.

If the packet-tracer shows

Rahul Govindan — Tue, 07 Feb 2017 05:02:59 GMT

If the packet-tracer shows the right output, try applying a packet capture on the outside and inside interface for traffic from your source public ip address while you do the actual test. This will show if there is something wrong with the actual traffic.

Okay, I actually tried

Dana_Alexis — Wed, 08 Feb 2017 03:50:05 GMT

Okay, I actually tried something that worked. I changed the port set on the camera. So all I really needed was the that thing you linked and the acl. Thanks!

Just one more question before I mark the correct stuff, so I can use it in the future. With the camera they have, I can set the port to anything other than 80. So, when setting up on the asdm, would the real port section be the one set on the camera itself?

If you change the camera port

Rahul Govindan — Wed, 08 Feb 2017 13:01:44 GMT

If you change the camera port, you would have to change the real port in the NAT statement and also in the ACL applied on the outside interface.

Okay. Thanks! Can you give me

Dana_Alexis — Thu, 09 Feb 2017 01:15:48 GMT

Okay. Thanks! Can you give me an example of the ACL? Like, let's say I have a camera at port 5010 at the address of 172.168.1.20. How would the ACL statement go? Would go something like:

access-list Outside_to_Cam extended permit tcp any host 172.168.1.20 eq 5010

then insert it to the outside interface?

Just want to know for future reference.

Yes. You would have the ACL

Rahul Govindan — Thu, 09 Feb 2017 01:36:49 GMT

Yes. You would have the ACL with source as 'any' and destination as the real ip address and real port of the camera.

Thank you!

Dana_Alexis — Thu, 09 Feb 2017 01:53:07 GMT

Thank you!