https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080915#M913768 <HTML><HEAD></HEAD><BODY><P>I'm not sure if you cn create a custom inspect or not (certainly would make sense that you can), but you could also use FTP inspection and change the inspection to port 5858. Here's a link on how to do that.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 29 Aug 2008 14:21:27 GMT Collin Clark 2008-08-29T14:21:27Z https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080914#M913767 <P>Hello,</P><P>I have a customer who purchased a GE IP Camera / DVR for one of their remote sites and we're having problems accessing it from behind our ASA 5520s 7.2(4).</P><P></P><P>What I've discovered is that when any user connects to the DVR's external IP, the webpage loads and then the DVR creates a seperate inbound connection on port 5858 (TCP or UDP are selectable)which carries the video stream.</P><P></P><P>Outbound users are PAT'd to a single external IP, so as you can see... we have an issue.</P><P>GE is saying that port 5858 needs to be forwarded, but I don't see the feasibility of this in an environment where there are multiple users that would need this port forwarded without assigning them a static external IP. </P><P></P><P>Is there an inspect statement I can enter to make this work? This scenario is very similar to how a PPTP VPN works... TCP connection on port 1723 and then the server initiates an inbound GRE tunnel, The "inspect PPTP" command allows this to work. </P><P></P><P>I've found the connection will work if I statically map a host to an external IP and then put an explicit ACL statement in allowing the DVR IP to the external IP on TCP port 5858.</P><P></P><P>What can I do at this point to make it work? Can I create a custom "Inspect"? The IP of the DVR is static if that makes any difference.</P><P>Thanks!</P> Mon, 11 Mar 2019 13:37:39 GMT https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080914#M913767 rtjensen4 2019-03-11T13:37:39Z https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080915#M913768 <HTML><HEAD></HEAD><BODY><P>I'm not sure if you cn create a custom inspect or not (certainly would make sense that you can), but you could also use FTP inspection and change the inspection to port 5858. Here's a link on how to do that.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 29 Aug 2008 14:21:27 GMT https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080915#M913768 Collin Clark 2008-08-29T14:21:27Z https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080916#M913770 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. We are already using the FTP inspection with it's default settings. Is it possible to create another "Instance" of it? Thanks.</P></BODY></HTML> Fri, 29 Aug 2008 14:27:12 GMT https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080916#M913770 rtjensen4 2008-08-29T14:27:12Z https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080917#M913772 <HTML><HEAD></HEAD><BODY><P>Yes you can. See the above link from collin_clark and scroll down.</P><P></P><P>Configure FTP protocol inspection on non standard TCP port </P><P>You can configure the FTP Protocol Inspection for non standard TCP ports with these configuration lines (replace XXXX with the new port number):</P><P></P><P>access-list ftp-list extended permit tcp any any eq XXXX</P><P>!</P><P>class-map ftp-class</P><P> match access-list ftp-list</P><P>!</P><P>policy-map global_policy</P><P> class ftp-class</P><P> inspect ftp</P><P></P></BODY></HTML> Wed, 03 Sep 2008 11:56:48 GMT https://community.cisco.com/t5/network-security/port-forwarding-issue/m-p/1080917#M913772 ofwegen 2008-09-03T11:56:48Z