06-30-2016 02:34 AM - edited 03-12-2019 12:58 AM
Hi
I tried to configure port forwarding from the public IP address to a local DVR, but it's not working.
Device Cisco ASA5516-XSFR (IOS 9.12)
Public IP address xxx.xxx.xxx.12x
Local IP address 10.10.8.25
Ports that need to be forwarded: 554, 8000, 81 (all TCP ports)
Please find the configuration below:
object network DVR1
host 192.168.8.11
object network DVR1
nat (any,outside) static interface service tcp 8000 8000
object network DVR1-554
nat (any,outside) static interface service tcp rtsp rtsp
object network DVR-80
nat (inside,outside) static interface service tcp 81 81
access-list inbound extended permit tcp any eq rtsp object DVR1-554 eq rtsp
access-list inbound extended permit tcp any eq 81 object DVR1 eq 81
access-list inbound extended permit tcp any eq 8000 object DVR1 eq 8000
access-group inbound in interface outside
I tried to change the configuration, but port forwarding is not happening. Please let me know where I am missing the configuration.
Thanks in advance
Javahar
06-30-2016 06:25 AM
Hi,
Presuming that all the "object" configurations have "host 192.168.8.11" under them, it seems to me that the only problem is in your "access-list" configurations.
Please remove the source ports that you have defined in your current "access-list".
This configuration (the problematic section, the source port "eq <port>" after "any", was marked in red):
access-list inbound extended permit tcp any eq rtsp object DVR1-554 eq rtsp
access-list inbound extended permit tcp any eq 81 object DVR1 eq 81
access-list inbound extended permit tcp any eq 8000 object DVR1 eq 8000
needs to be this:
access-list inbound extended permit tcp any object DVR1-554 eq rtsp
access-list inbound extended permit tcp any object DVR1 eq 81
access-list inbound extended permit tcp any object DVR1 eq 8000
With the current rule the traffic would only be allowed if the connection's source port was the same as the destination port, and that will not happen.
After you have changed the configurations (or even before that), you can use the "packet-tracer" command to test your configuration and find the problems.
Example of the format for testing connection attempts from behind the "outside" interface:
packet-tracer input outside tcp <source ip> 12345 <public nat IP> <destination port>
I used the source port 12345 randomly. It can really be anything you like. The source IP address can be anything as well, but naturally, according to the ASA's routing table, it has to be located behind the "outside" interface.
Hope this helps :)
- Jouni
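As an added example that is not part of the original thread, here is a small Python audit for the static-PAT pattern discussed above: it parses ASA "object network", "nat ... static interface service" and "access-list" lines and reports the three things Jouni's answer turns on: a source-port restriction in an ACE, an object used as an ACE destination without a "host" line, and an ACE destination port that no static NAT actually forwards. The sample configuration is constructed from the question (with the access-group typo corrected), and the regexes only cover the operand forms that appear on this page.

```python
import re
# Constructed sample mirroring the configuration posted above (access-group typo fixed).
SAMPLE_CONFIG = """
object network DVR1
 host 192.168.8.11
object network DVR1
 nat (any,outside) static interface service tcp 8000 8000
object network DVR1-554
 nat (any,outside) static interface service tcp rtsp rtsp
object network DVR-80
 nat (inside,outside) static interface service tcp 81 81
access-list inbound extended permit tcp any eq rtsp object DVR1-554 eq rtsp
access-list inbound extended permit tcp any eq 81 object DVR1 eq 81
access-list inbound extended permit tcp any eq 8000 object DVR1 eq 8000
"""
# permit tcp <src> [eq <sport>] <dst> [eq <dport>], limited to the operand forms used on this page
ACE_RE = re.compile(r"^access-list \S+ extended permit tcp (?P<src>any\d?|host \S+|object \S+)"
                    r"(?: eq (?P<sport>\S+))? (?P<dst>any\d?|host \S+|object \S+)(?: eq (?P<dport>\S+))?$")
NAT_RE = re.compile(r"^nat \(\S+\) static interface service tcp (\S+) (\S+)$")  # <real port> <mapped port>


def audit_port_forward(config):
    """Return findings for the ASA static-PAT (port-forward) pattern in config."""
    objects, current, findings = {}, None, []
    lines = [raw.strip() for raw in config.splitlines() if raw.strip()]
    for line in lines:  # pass 1: objects (re-entering 'object network' merges, as on the ASA)
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {"host": None, "nat": set()})
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current and (m := NAT_RE.match(line)):
            objects[current]["nat"].add(m.group(1))  # ACLs are written against the real (pre-NAT) port
    forwarded = {}  # real host -> real TCP ports that some static NAT forwards to it
    for obj in objects.values():
        if obj["host"]:
            forwarded.setdefault(obj["host"], set()).update(obj["nat"])
    for line in lines:  # pass 2: inbound ACEs
        if not (m := ACE_RE.match(line)):
            continue
        if m["sport"]:  # real clients use ephemeral source ports, so this ACE never matches
            findings.append(f"source port 'eq {m['sport']}' will never match: {line}")
        if m["dst"].startswith("object "):
            name = m["dst"].split()[1]
            host = objects.get(name, {}).get("host")
            if host is None:
                findings.append(f"object {name} is an ACE destination but has no host address")
            elif m["dport"] and m["dport"] not in forwarded.get(host, set()):
                findings.append(f"tcp/{m['dport']} to {host} is permitted but no static NAT forwards it")
    return findings
```

Running it on the sample reports all three ACEs for their source port, flags DVR1-554 for its missing host, and notes that tcp/81 is permitted to 192.168.8.11 although no object with that host has a NAT for it; with the three corrected ACEs and a host under every object it returns no findings.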