01-09-2017 10:14 PM - edited 03-12-2019 01:45 AM
I'm trying to forward port 4520 on my local IP camera.
I have only two interfaces, inside and outside, with security levels 100 and 0.
I have already done NAT overload.
In Access Rules I have this situation:
and in NAT:
but when I'm trying to connect from the Source network or with packet tracer, it's dropping.
01-10-2017 12:06 AM
Packet tracer shows that the static port-forward rule is not taking a hit.
You should have the static port-forward rule on top of the dynamic PAT rule. The dual NAT table goes from top to bottom.
Also, I would suggest putting the output of "show run nat" and "show run object" here.
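The ordering point in the reply above can be checked mechanically. The following is an added Python example, not code from the thread or from Cisco: it parses a "show run nat" listing (a constructed sample, not real device output, in which the dynamic PAT line sits above the static port-forward), flags static rules that appear below a dynamic rule for the same interface pair, and prints the lines in the order the reply recommends. The regular expression only covers the "nat (real,mapped) source static|dynamic ..." manual-NAT form used in this thread.

```python
import re
from typing import Dict, List, Optional

# Constructed "show run nat" sample (hypothetical, not taken from a real device):
# the dynamic PAT line sits above the static port-forward, the order the reply
# above says is wrong.
SAMPLE_SHOW_RUN_NAT = """\
nat (inside,outside) source dynamic Inside_Hosts interface
nat (inside,outside) source static LOCALCAM interface service http CAMERA
"""

# Manual (twice) NAT line:
#   nat (real_if,mapped_if) source static|dynamic REAL MAPPED [service REAL_SVC MAPPED_SVC]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: service (?P<real_svc>\S+) (?P<mapped_svc>\S+))?$"
)


def parse_nat_rules(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse manual NAT lines in listing order; other lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NAT_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["line"] = lineno  # position in the listing, for reporting
            rules.append(rule)
    return rules


def shadowed_static_rules(rules: List[Dict]) -> List[Dict]:
    """Static rules listed below a dynamic rule for the same interface pair.
    Manual NAT is evaluated top to bottom with first match winning, which is the
    ordering problem the reply above points at."""
    seen_dynamic = set()
    flagged = []
    for r in rules:
        pair = (r["real_if"], r["mapped_if"])
        if r["kind"] == "dynamic":
            seen_dynamic.add(pair)
        elif pair in seen_dynamic:
            flagged.append(r)
    return flagged


def format_rule(r: Dict) -> str:
    """Render a parsed rule back into CLI form."""
    line = f"nat ({r['real_if']},{r['mapped_if']}) source {r['kind']} {r['real_src']} {r['mapped_src']}"
    if r["real_svc"]:
        line += f" service {r['real_svc']} {r['mapped_svc']}"
    return line


def reorder_static_first(rules: List[Dict]) -> List[str]:
    """CLI lines with static rules above dynamic ones, relative order kept."""
    statics = [r for r in rules if r["kind"] == "static"]
    dynamics = [r for r in rules if r["kind"] == "dynamic"]
    return [format_rule(r) for r in statics + dynamics]


if __name__ == "__main__":
    parsed = parse_nat_rules(SAMPLE_SHOW_RUN_NAT)
    for r in shadowed_static_rules(parsed):
        print(f"line {r['line']}: static rule below a dynamic rule: {format_rule(r)}")
    print("recommended order:")
    print("\n".join(reorder_static_first(parsed)))
```

Feed it the real "show run nat" output instead of the constructed sample to see which static rules sit below a dynamic one; the reorder function only prints the target order, it does not touch the device.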
01-10-2017 05:11 AM
nat (inside,outside) source static LOCALCAM interface service any CAMERA
nat (inside,outside) source dynamic Inside_Hosts interface
object network Inside_Hosts
subnet 172.16.0.0 255.255.0.0
description Inside_hosts
object service CAMERA
service tcp source eq 4545
object network LOCALCAM
host 172.16.20.13
I'm trying to connect to it via web browser at WANIP:4545 (I changed the port), and the access-list hit count also increases every time I try to access it.
01-10-2017 09:53 PM
Your NAT rule should be like this:
nat (inside,outside) source static LOCALCAM interface service CAMERA CAMERA
and the ACL should be:
access-list <outside In name> permit tcp any host 172.16.20.13 eq 4545
01-10-2017 10:50 PM
I made it:
show run nat:
nat (inside,outside) source static LOCALCAM interface service CAMERA CAMERA
nat (inside,outside) source dynamic Inside_Hosts interface
and show run obj:
object network Inside_Hosts
subnet 172.16.0.0 255.255.0.0
description Inside_hosts
object service CAMERA
service tcp source eq 4545
object network LOCALCAM
host 172.16.20.32
but it doesn't work. The camera should be viewable in the web interface of the remote PC. Maybe I need to put port 80 in the NAT?
01-10-2017 10:59 PM
Hi,
I am not sure how this application should work. But if the camera is viewed through a web interface, then there should be a port 80 rule too.
01-10-2017 11:04 PM
REMOTE PC ----> WANIP:4545 port ---> LAN CAMERA IP:80 port
So the camera from the LAN is viewed at LocalIP:80 and from the WAN it must be viewed at WANIP:4545.
01-10-2017 11:24 PM
If that is the case, you can create one more object:
object service http
service tcp source eq 80
nat (inside,outside) source static LOCALCAM interface service http CAMERA
but your ACL would be:
access-list <outside In name> permit tcp any host 172.16.20.13 eq 80
01-10-2017 11:44 PM
I made it like this but it doesn't work:
show run nat
nat (inside,outside) source static LOCALCAM interface service http CAMERA
nat (inside,outside) source dynamic Inside_Hosts interface
show run obj
object network Inside_Hosts
subnet 172.16.0.0 255.255.0.0
description Inside_hosts
object service CAMERA
service tcp source eq 4545
object network LOCALCAM
host 172.16.20.11
object service http
service tcp source eq www
show run access-list
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq 4545
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq www
but it can't connect.
01-10-2017 11:48 PM
Okay, provide a few outputs:
packet-tracer input outside tcp 4.4.4.4 12345 public IP 4545
then take captures:
cap capo interface outside match tcp any any eq 4545
cap capi interface inside match tcp any host 172.16.20.11 eq 80
run the test and provide the output of:
show cap capo
show cap capi
01-11-2017 12:02 AM
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:
NAT divert to egress interface inside
Untranslate PUBLIC IP/4545 to 172.16.20.11/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq www
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:
Static translate 4.4.4.4/12345 to 4.4.4.4/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9425429, packet dispatched to next module

Result:
output-interface: inside
output-status: up
output-line-status: up
Action: allow

show cap capo
1 packet captured
1: 12:00:10.532580 4.4.4.4.12345 > WANIP.4545: S 102270077:102270077(0) win 8192
1 packet shown
show cap capi
0 packet captured
0 packet shown
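The trace above is what a correct port-forward looks like: an UN-NAT phase that untranslates the mapped port to the camera's real port, an access-list phase that allows it, and a final action of allow. As an added example (not code from the thread or from Cisco), the Python below parses a packet-tracer trace into phases and checks those three points, reporting findings that explain a failed test. Both traces are constructed: the first is modelled on the one posted above with PUBLIC_IP standing in for the mapped address, and it keeps "Phase:" fused onto the previous line in two places, as in the post, to show the parser coping with that; the second is a hypothetical drop with no matching static rule.

```python
import re
from typing import Dict, List

# Constructed packet-tracer trace modelled on the one posted above (hypothetical
# values; PUBLIC_IP stands in for the mapped address). "Phase:" is fused onto the
# previous line in two places, as it appears in the post, so the parser must cope.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LOCALCAM interface service http CAMERA
Additional Information:
NAT divert to egress interface inside
Untranslate PUBLIC_IP/4545 to 172.16.20.11/80Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 172.16.20.11 eq www
Additional Information:

Result:
output-interface: inside
Action: allow
"""

# Constructed trace of the failure mode: no static rule matched and the ACL dropped it.
SAMPLE_TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_SPLIT = re.compile(r"(?=Phase: \d+)")  # zero-width split separates fused phases
SUMMARY_SPLIT = re.compile(r"^Result:[ \t]*$", re.M)  # the bare "Result:" summary header
UNTRANSLATE_RE = re.compile(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)")


def parse_phases(trace: str) -> List[Dict]:
    """Return the per-phase records of a packet-tracer trace, in order."""
    body = SUMMARY_SPLIT.split(trace, maxsplit=1)[0]
    phases = []
    for chunk in PHASE_SPLIT.split(body):
        chunk = chunk.strip()
        if not chunk.startswith("Phase:"):
            continue
        phase = {"number": 0, "type": "", "subtype": "", "result": "", "config": [], "info": []}
        section = None
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith("Phase:"):
                phase["number"] = int(line.split(":", 1)[1])
            elif line.startswith(("Type:", "Subtype:", "Result:")):
                key, value = line.split(":", 1)
                phase[key.lower()] = value.strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
                rest = line.split(":", 1)[1].strip()
                if rest:
                    phase["info"].append(rest)
            elif section and line:
                phase[section].append(line)
        phases.append(phase)
    return phases


def parse_summary(trace: str) -> Dict[str, str]:
    """Key/value pairs from the final 'Result:' block (Action, Drop-reason, ...)."""
    parts = SUMMARY_SPLIT.split(trace, maxsplit=1)
    summary = {}
    for line in (parts[1] if len(parts) > 1 else "").splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return summary


def check_port_forward(trace: str, mapped_port: int, real_ip: str, real_port: int) -> List[str]:
    """Findings explaining a failed port-forward test; an empty list means the trace looks right."""
    findings = []
    phases = parse_phases(trace)
    unnat = [p for p in phases if p["type"] == "UN-NAT"]
    if not unnat:
        findings.append("no UN-NAT phase: no static rule untranslated the mapped port")
    else:
        m = UNTRANSLATE_RE.search(" ".join(unnat[0]["info"]))
        if not m:
            findings.append("UN-NAT phase carries no Untranslate line")
        elif (m.group(2), m.group(3), m.group(4)) != (str(mapped_port), real_ip, str(real_port)):
            findings.append(f"unexpected translation: {m.group(0)}")
    findings += [f"phase {p['number']} {p['type']} result {p['result']}" for p in phases if p["result"] != "ALLOW"]
    action = parse_summary(trace).get("Action")
    if action != "allow":
        findings.append(f"final action {action}")
    return findings


if __name__ == "__main__":
    for name, trace in (("good", SAMPLE_TRACE), ("drop", SAMPLE_TRACE_DROP)):
        print(name, check_port_forward(trace, 4545, "172.16.20.11", 80) or "OK")
```

Paste the real trace in place of the constructed sample and pass the mapped port, real IP and real port you expect; the first finding usually names the layer (NAT rule or ACL) to look at.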
01-11-2017 12:04 AM
After these commands it suddenly connected.
I didn't change anything since the last post; it's very strange.
01-11-2017 12:07 AM
Yes, the capture only showed the dummy packet-tracer traffic; I believe it worked with real traffic. If the issue has been resolved, mark this thread as solved.
01-11-2017 12:09 AM
Yes, but why does it need time to work?
01-11-2017 12:13 AM
The rules were correct. I guess it took some time for the test PC to generate traffic.