1634 Views · 5 Helpful · 15 Replies

ASA drops port forwarding

n.kiskeidze
Level 1

I'm trying to forward port 4520 on my local IP Camera.

I have only two interfaces, inside and outside, with security levels 100 and 0.

I have already done NAT overload.

In Access rules I have this situation:

and in NAT:

but when I try to connect from the source network or from packet tracer, it's dropped.


15 Replies

Pranay Prasoon
Level 3

Packet tracer shows that the static port-forward rule is not taking a hit.

You should have the static port-forward rule on top of the dynamic PAT rule. The dual NAT table goes from top to bottom.

I would also suggest putting the output of "show run nat" and "show run object" here.

nat (inside,outside) source static LOCALCAM interface service any CAMERA
nat (inside,outside) source dynamic Inside_Hosts interface

object network Inside_Hosts
subnet 172.16.0.0 255.255.0.0
description Inside_hosts

object service CAMERA
service tcp source eq 4545

object network LOCALCAM
host 172.16.20.13

I'm trying to connect to it via a web browser at WANIP:4545 (I changed the port), and the access-list hit count increases every time I try to access it.

Your NAT rule should be like this:

nat (inside,outside) source static LOCALCAM interface service CAMERA CAMERA

and the ACL should be:

access-list <outside In name> permit tcp any host 172.16.20.13 eq 4545

I did that:

show run nat:

nat (inside,outside) source static LOCALCAM interface service CAMERA CAMERA
nat (inside,outside) source dynamic Inside_Hosts interface

and show run obj:

object network Inside_Hosts
subnet 172.16.0.0 255.255.0.0
description Inside_hosts

object service CAMERA
service tcp source eq 4545

object network LOCALCAM
host 172.16.20.32

but it doesn't work. The camera should be viewable in the web interface of the remote PC. Maybe port 80 needs to be in the NAT?

Hi,

I am not sure how this application should work, but if the camera is viewed on a web interface, then there should be a port 80 rule too.

REMOTE PC ----> WANIP:4545 Port ---> LAN CAMERA IP:80 Port

So the camera from the LAN is viewed by LocalIP:80 and from the WAN must be viewed by WANIP:4545.

If that is the case, you can create one more object:

object service http
service tcp source eq 80

nat (inside,outside) source static LOCALCAM interface service http CAMERA

but your ACL would be:

access-list <outside In name> permit tcp any host 172.16.20.13 eq 80
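To make the difference between the two NAT attempts concrete, here is an added Python model of the two checks that packet-tracer reports as UN-NAT and ACCESS-LIST. It is an illustration written for this page, not Cisco code: the service and network objects carry the names and ports posted in the thread, WANIP is a constructed placeholder for the outside interface address, and the ASA's real behaviour is simplified to those two phases plus a check that something actually listens on the untranslated port.

```python
"""Model of the UN-NAT and ACCESS-LIST checks the ASA applies to an inbound
port-forward. Added illustration, not Cisco code. Hosts, ports and object
names are the ones posted in this thread; WANIP is a constructed placeholder
for the outside interface address.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WANIP = "203.0.113.10"  # constructed placeholder for the ASA outside interface


@dataclass(frozen=True)
class ServiceObject:
    """object service <name> / service tcp source eq <port>.
    In twice NAT the 'source' port is the port as seen on the real host."""
    name: str
    port: int


@dataclass(frozen=True)
class StaticNat:
    """nat (inside,outside) source static <real> interface service <real_svc> <mapped_svc>"""
    real_host: str
    mapped_ip: str
    real_svc: ServiceObject
    mapped_svc: ServiceObject


@dataclass(frozen=True)
class AclEntry:
    """access-list ... permit tcp any host <dst_host> eq <dst_port>.
    On ASA 8.3+ the ACL is matched against the REAL (untranslated) address/port."""
    dst_host: str
    dst_port: int


def untranslate(rule: StaticNat, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Phase UN-NAT: map WANIP:mapped_port back to real_host:real_port."""
    if dst_ip == rule.mapped_ip and dst_port == rule.mapped_svc.port:
        return rule.real_host, rule.real_svc.port
    return None


def acl_permits(acl: List[AclEntry], real_ip: str, real_port: int) -> bool:
    """Phase ACCESS-LIST, evaluated on the untranslated tuple."""
    return any(e.dst_host == real_ip and e.dst_port == real_port for e in acl)


def trace_inbound(rule: StaticNat, acl: List[AclEntry], dst_ip: str, dst_port: int,
                  camera_listen_port: int = 80) -> str:
    """Simplified packet-tracer verdict for an outside->inside TCP SYN."""
    real = untranslate(rule, dst_ip, dst_port)
    if real is None:
        return f"NO-UNNAT: {dst_ip}:{dst_port} is not forwarded"
    real_ip, real_port = real
    if not acl_permits(acl, real_ip, real_port):
        return f"DROP: ACL denies {real_ip}:{real_port}"
    if real_port != camera_listen_port:
        # The firewall allows it, but nothing listens there: the symptom in this thread.
        return f"ALLOW: forwarded to {real_ip}:{real_port} but camera listens on :{camera_listen_port}"
    return f"ALLOW: {dst_ip}:{dst_port} -> {real_ip}:{real_port}"


CAMERA = ServiceObject("CAMERA", 4545)   # object service CAMERA / source eq 4545
HTTP = ServiceObject("http", 80)         # object service http / source eq www
LOCALCAM = "172.16.20.11"                # object network LOCALCAM / host

# First attempt in the thread: real and mapped service are both CAMERA (4545).
BROKEN_NAT = StaticNat(LOCALCAM, WANIP, real_svc=CAMERA, mapped_svc=CAMERA)
BROKEN_ACL = [AclEntry(LOCALCAM, 4545)]

# Working config: real service http (80), mapped service CAMERA (4545), ACL on the real port.
FIXED_NAT = StaticNat(LOCALCAM, WANIP, real_svc=HTTP, mapped_svc=CAMERA)
FIXED_ACL = [AclEntry(LOCALCAM, 80)]

if __name__ == "__main__":
    for label, nat, acl in (("broken", BROKEN_NAT, BROKEN_ACL),
                            ("fixed", FIXED_NAT, FIXED_ACL),
                            ("fixed NAT, ACL on mapped port", FIXED_NAT, BROKEN_ACL)):
        print(f"{label:32s} {trace_inbound(nat, acl, WANIP, 4545)}")
```

The third case in the usage loop is the trap a post-8.3 ASA sets for anyone used to writing ACLs against the translated port: with the NAT fixed, an ACL entry for 4545 no longer matches anything, because the access list sees 172.16.20.11:80 after UN-NAT.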

I did that, but it doesn't work:

show run nat
nat (inside,outside) source static LOCALCAM interface service http CAMERA
nat (inside,outside) source dynamic Inside_Hosts interface

show run obj
object network Inside_Hosts
subnet 172.16.0.0 255.255.0.0
description Inside_hosts

object service CAMERA
service tcp source eq 4545
object network LOCALCAM
host 172.16.20.11
object service http
service tcp source eq www

show run access-list
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq 4545
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq www

but it can't connect.

Okay, provide a few outputs:

packet-tracer input outside tcp 4.4.4.4 12345 <public IP> 4545

then take captures:

cap capo interface outside match tcp any any eq 4545

cap capi interface inside match tcp any host 172.16.20.11 eq 80

Run the test and provide the output of:

show cap capo

show cap capi

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:
NAT divert to egress interface inside
Untranslate PUBLIC IP/4545 to 172.16.20.11/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:
Static translate 4.4.4.4/12345 to 4.4.4.4/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9425429, packet dispatched to next module

Result:
output-interface: inside
output-status: up
output-line-status: up
Action: allow

show cap capo

1 packet captured

1: 12:00:10.532580 4.4.4.4.12345 > WANIP.4545: S 102270077:102270077(0) win 8192
1 packet shown

show cap capi

0 packet captured

0 packet shown

After these commands it suddenly connected.

I didn't change anything since the last post; it's very strange.
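When reading packet-tracer output like the one above, the two things a practitioner looks for first are the UN-NAT line (which real host and port the mapped address resolved to) and the first phase whose Result is DROP, together with the Drop-reason in the trailing summary. Here is an added Python parser for that output format; it is an illustration written for this page, not a Cisco tool. The SAMPLE text is constructed in the shape of the thread's output, shortened to two phases and given an ACL drop so that the drop-finding path is exercised; the addresses in it are placeholders.

```python
"""Parse ASA packet-tracer output into phases plus the trailing summary.
Added illustration, not Cisco code. SAMPLE is constructed in the shape of the
output posted in this thread; 203.0.113.10 is a placeholder public address.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:
NAT divert to egress interface inside
Untranslate 203.0.113.10/4545 to 172.16.20.11/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq 4545
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> Tuple[List[dict], Dict[str, str]]:
    """Return (phases, summary). Each phase is a dict with the header fields
    (Phase, Type, Subtype, Result) plus 'Config' and 'Info' line lists."""
    phases: List[dict] = []
    summary: Dict[str, str] = {}
    current: Optional[dict] = None
    section: Optional[str] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"Phase": int(line.split(":", 1)[1]), "Config": [], "Info": []}
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":              # bare "Result:" starts the trailing summary
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "Config"
            continue
        if line == "Additional Information:":
            section = "Info"
            continue
        if section is None:                # header fields such as "Result: ALLOW"
            key, _, val = line.partition(":")
            current[key.strip()] = val.strip()
        else:
            current[section].append(line)
    return phases, summary


def first_drop(phases: List[dict]) -> Optional[dict]:
    """The first phase whose Result is DROP, or None if the packet was allowed."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)


def untranslation(phases: List[dict]) -> Optional[Tuple[str, str]]:
    """(mapped, real) from the UN-NAT phase's 'Untranslate X to Y' line."""
    for p in phases:
        if p.get("Type") == "UN-NAT":
            for line in p["Info"]:
                m = re.match(r"Untranslate (\S+) to (\S+)", line)
                if m:
                    return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE)
    print("untranslate:", untranslation(phases))
    drop = first_drop(phases)
    print("first drop phase:", drop and f"{drop['Phase']} {drop['Type']}", "|", summary.get("Drop-reason"))
```

In the sample the ACL was written against the mapped port 4545, so the UN-NAT phase succeeds but the ACCESS-LIST phase drops the flow; on the thread's real output every phase reports ALLOW, and `first_drop` returns None.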

Yes, the capture only showed the dummy packet-tracer traffic; I believe it worked with real traffic. If the issue has been resolved, mark this thread as solved.

Yes, but why does it need time to work?

The rules were correct. I guess it took some time for the test PC to generate traffic.
