
Remote Access through Cisco ASA to Plex on Debian Linux

rllove01
Level 1

Server Version#: Version 1.18.0.1944
Player Version#: Version 4.10.1

 

I have PMS installed on Debian Linux. I’m able to reach it when using <local_IP>:32400/web. I’m also able to see the server when I log into plex.tv. However, I’m having issues getting remote access to work.

 

I’m using a Cisco ASA as the FW and my internet is Verizon FIOS. I’ve set up port-forwarding on the ASA to allow the traffic to be routed to the back-end plex server. However, it seems that no matter what port I try to forward, it doesn’t work. I try to use canyouseeme.org and that never seems to show my port as open. I honestly don’t know if that is a valid test or not at this point.

The hardest part about troubleshooting this is that I don’t see any traffic hitting my FW from the outside network destined to my PMS. I did a tcpdump on my PMS and the only traffic it sees going to it on port 32400 seems to be from my local desktop. The packets increase substantially when I hit retry on the remote access tab on plex.tv. However, as I stated, the only traffic my server seems to see in the tcpdump is from my local desktop. There seems to be a correlation but I don’t know why. I may not fully understand how the connections are initiated or flow completely for Plex but I would expect the remote access to be initiated from the outside network (Internet) in to my local LAN. I’m not seeing that.

 

I also checked and I don’t see firewalld or UFW running on the Debian box. I assume these are not enabled by default?

 

The one thing I do see on my FW logs is the log message below.
6 Oct 15 2019 06:49:09 110002 192.168.69.166 57002 Failed to locate egress interface for TCP from INSIDE:192.168.69.166/57002 to 108.44.XX.XX/22001

I’m not certain why this log is popping up, and a part of me does wonder if it is a huge reason, if not “the” reason, that this isn’t working.

 

 

TCPDUMP INFO
11:17:20.872299 IP 192.168.69.166.32400 > 192.168.69.20.58054: Flags [P.], seq 214032:215473, ack 123629, win 1452, length 1441
11:17:21.076387 IP 192.168.69.20.58054 > 192.168.69.166.32400: Flags [.], ack 215473, win 16064, length 0
11:17:25.394315 IP 192.168.69.166.32400 > 192.168.69.20.57725: Flags [P.], seq 3141:3173, ack 505, win 249, length 32
11:17:25.397770 IP 192.168.69.20.57725 > 192.168.69.166.32400: Flags [P.], seq 505:541, ack 3173, win 16401, length 36
11:17:25.397819 IP 192.168.69.166.32400 > 192.168.69.20.57725: Flags [.], ack 541, win 249, length 0
11:17:26.510765 IP 192.168.69.166.32400 > 192.168.69.20.57725: Flags [P.], seq 3173:3327, ack 541, win 249, length 154
11:17:26.520610 IP 192.168.69.20.58054 > 192.168.69.166.32400: Flags [P.], seq 123629:124463, ack 215473, win 16064, length 834
11:17:26.520654 IP 192.168.69.166.32400 > 192.168.69.20.58054: Flags [.], ack 124463, win 1452, length 0
11:17:26.522860 IP 192.168.69.166.32400 > 192.168.69.20.58054: Flags [P.], seq 215473:215776, ack 124463, win 1452, length 303
11:17:26.717046 IP 192.168.69.20.57725 > 192.168.69.166.32400: Flags [.], ack 3327, win 16362, length 0
11:17:26.726550 IP 192.168.69.20.58054 > 192.168.69.166.32400: Flags [.], ack 215776, win 16425, length 0
11:17:27.117215 IP 192.168.69.166.32400 > 192.168.69.20.57725: Flags [P.], seq 3327:3589, ack 541, win 249, length 262
11:17:27.317167 IP 192.168.69.20.57725 > 192.168.69.166.32400: Flags [.], ack 3589, win 16297, length 0

 

ASA INFO
object network Plex_Server
 host 192.168.69.169
object network Plex_Server
 nat (INSIDE,OUTSIDE) static interface net-to-net service tcp 32400 21298

object network Plex_Server2
 host 192.168.69.166
object network Plex_Server2
 nat (INSIDE,OUTSIDE) static interface net-to-net service tcp 32400 22001

access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit tcp any object Plex_Server2 eq 22001
access-list OUTSIDE_access_in extended permit tcp any object Plex_Server eq 21298

interface GigabitEthernet1/1
 nameif OUTSIDE
 ip address 108.44.X.X/24 (DHCP)

interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 192.168.69.1 255.255.255.0

1 Reply

Hi,
If 32400 is the real port of the server, you need to reference that port in the ACL rather than the natted port.

HTH
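
The reply's point as a configuration check, added here as an example (not code from the thread or from Cisco): on ASA 8.3 and later, which the object NAT syntax in the question implies, the interface ACL is matched against the real address and port, so an entry that permits only the mapped port never matches. The function names and the simplified regexes are assumptions; the sample lines are copied from the question.

```python
import re

# Lines copied from the configuration posted in the question (unindented, as posted).
POSTED = """\
object network Plex_Server
host 192.168.69.169
object network Plex_Server
nat (INSIDE,OUTSIDE) static interface net-to-net service tcp 32400 21298
object network Plex_Server2
host 192.168.69.166
object network Plex_Server2
nat (INSIDE,OUTSIDE) static interface net-to-net service tcp 32400 22001
access-list OUTSIDE_access_in extended permit tcp any object Plex_Server2 eq 22001
access-list OUTSIDE_access_in extended permit tcp any object Plex_Server eq 21298
"""

# Object NAT with a service clause: "... service <proto> <real_port> <mapped_port>"
NAT_RE = re.compile(r"nat \([^,)]+,[^,)]+\) static \S+.*\bservice (tcp|udp) (\S+) (\S+)\s*$")
# Permit entries whose destination is "object <name> eq <port>" (simplified matcher)
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) .+? object (\S+) eq (\S+)\s*$")

def parse_object_nat(config):
    """Return {object_name: (proto, real_port, mapped_port)} for static object NAT rules."""
    nats, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            current = s.split()[2]
        elif current and (m := NAT_RE.match(s)):
            nats[current] = m.groups()
    return nats

def check_acl_ports(config):
    """Return (acl, object, acl_port, real_port) for entries that permit the mapped port only."""
    nats = parse_object_nat(config)
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(3) not in nats:
            continue
        acl, proto, obj, port = m.groups()
        nat_proto, real, mapped = nats[obj]
        if proto == nat_proto and port == mapped and port != real:
            findings.append((acl, obj, port, real))
    return findings

if __name__ == "__main__":
    for acl, obj, port, real in check_acl_ports(POSTED):
        print(f"{acl}: object {obj} permits mapped port {port}; use real port {real}")
```
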