Cannot Access NATed CCTV system on Guest from Outside on ASA 5505 Running 821-k8

Dean Romanelli
Level 4

Hi All,

I have an ASA 5505 with 3 zones: Inside (100), Guest (50) and Outside (0). A 3rd-party company is installing CCTV in the building. Our policy is not to have 3rd-party-managed CCTV systems on the inside network subnet. So, I've put the CCTV system on the Guest subnet/zone for security reasons, and I am static 1:1 NATing the guest host IP to a free outside host IP on the WAN subnet so that 10.255.99.88 maps to 107.xxx.xx.218 and can be accessed on ports 80, 8000 & 10554 from the outside (public internet).

name 10.255.99.88 CCTV
name 107.xxx.xx.218 CCTV-p

object-group service CCTV-Ports tcp
port-object eq 80
port-object eq 8000
port-object eq 10554

access-list outside_access_in extended permit tcp any host CCTV object-group CCTV-Ports

static (guest,outside) CCTV-p CCTV netmask 255.255.255.255

The end result is I can ping it remotely, but I cannot remote to the system over port 80 from the public internet, which is the primary management method to the CCTV system per the 3rd party company.  Am I doing something wrong? 

Full sanitized config is attached.

Accepted Solution

Your access list is incorrect for ASA version 8.2. You need to specify the public IP of the camera, not the private IP.

access-list outside_access_in extended permit tcp any host CCTV-p object-group CCTV-Ports

You can also run a packet-tracer to see if there are any rules that are dropping the packet:

packet-tracer input outside tcp 4.2.2.2 12345 107.xxx.xx.218 80 detail

--

Please remember to select a correct answer and rate helpful posts
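The accepted answer states the rule for pre-8.3 ASA code: an ACL applied inbound on the interface where a static's mapped (global) address lives is evaluated before the static is un-translated, so it must match the mapped address (here CCTV-p); from 8.3 onward the order is reversed and the ACL must match the real address (CCTV). The script below is an added example, not Cisco tooling and not the poster's attached config. It parses a small 8.2-syntax excerpt modelled on the question (203.0.113.218 stands in for the sanitised 107.xxx.xx.218), resolves `name` aliases, pairs each ACE with the statics on its interface, and reports the ACE together with the corrected line for the version given.

```python
"""Lint an ASA 8.2-style config for the ACL/NAT address mismatch.

Added example, not the poster's config or Cisco software. Before ASA 8.3
an ACL on the mapped-side interface must match the mapped address; from
8.3 on it must match the real address. 203.0.113.218 is a placeholder
for the sanitised public address in the thread.
"""
import re

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+$")
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+)(?: (.*))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed excerpt modelled on the question; not the attached config.
CONFIG_AS_POSTED = """\
name 10.255.99.88 CCTV
name 203.0.113.218 CCTV-p
object-group service CCTV-Ports tcp
 port-object eq 80
 port-object eq 8000
 port-object eq 10554
access-list outside_access_in extended permit tcp any host CCTV object-group CCTV-Ports
static (guest,outside) CCTV-p CCTV netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


def parse(config):
    """Collect name aliases, statics, host-destination ACEs and ACL bindings."""
    names, statics, aces, groups = {}, [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # alias -> IP
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": names.get(mapped, mapped),
                            "real": names.get(real, real)})
        elif m := ACE_RE.match(line):
            acl, _action, _proto, _src, dst, _rest = m.groups()
            aces.append({"acl": acl, "dst_token": dst,
                         "dst": names.get(dst, dst), "line": line})
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)         # acl -> interface
    return names, statics, aces, groups


def check_nat_acl(config, version=(8, 2)):
    """Return [(bad_ace, corrected_ace)] for ACEs on a static's mapped-side
    interface whose destination uses the wrong address for this version."""
    names, statics, aces, groups = parse(config)
    ip_to_name = {ip: alias for alias, ip in names.items()}
    # Mapped-side interface: pre-8.3 wants the mapped IP, 8.3+ the real IP.
    if version < (8, 3):
        wrong_to_right = {(s["mapped_if"], s["real"]): s["mapped"] for s in statics}
    else:
        wrong_to_right = {(s["mapped_if"], s["mapped"]): s["real"] for s in statics}
    findings = []
    for ace in aces:
        iface = groups.get(ace["acl"])
        right = wrong_to_right.get((iface, ace["dst"]))
        if right is None:
            continue
        fixed = ace["line"].replace(f"host {ace['dst_token']}",
                                    f"host {ip_to_name.get(right, right)}", 1)
        findings.append((ace["line"], fixed))
    return findings


if __name__ == "__main__":
    for bad, good in check_nat_acl(CONFIG_AS_POSTED):
        print("8.2 mismatch:", bad)
        print("use instead: ", good)
```

Run with `version=(8, 4)` and the same excerpt passes while the corrected line is the one flagged, which is the other half of the rule. Independently of the version question, a source of `any` on port 80 exposes the camera's web management to the whole internet; restricting the source to the integrator's addresses is the usual hardening step for a third-party-managed device.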

2 Replies

Thank you Marius.  That did the trick.
