07-11-2016 01:09 PM - edited 03-12-2019 01:00 AM
Hi All,
I have an ASA 5505 with 3 zones: Inside (100), Guest (50) and Outside (0). A 3rd party company is installing CCTV in the building. Our policy is not to have 3rd-party-managed CCTV systems on the inside network subnet. So, I've put the CCTV system on the Guest subnet/zone for security reasons, and I am static 1:1 NATing the guest host IP to a free outside host IP on the WAN subnet so that 10.255.99.88 maps to 107.xxx.xx.218 and can be accessed on ports 80, 8000 & 10554 from the outside (public internet).
name 10.255.99.88 CCTV
name 107.xxx.xx.218 CCTV-p
object-group service CCTV-Ports tcp
 port-object eq 80
 port-object eq 8000
 port-object eq 10554
access-list outside_access_in extended permit tcp any host CCTV object-group CCTV-Ports
static (guest,outside) CCTV-p CCTV netmask 255.255.255.255
The end result is I can ping it remotely, but I cannot remote to the system over port 80 from the public internet, which is the primary management method to the CCTV system per the 3rd party company. Am I doing something wrong?
Full sanitized config is attached.
07-11-2016 01:58 PM
Your access list is incorrect for the ASA 8.2 version. You need to specify the public IP of the camera, not the private IP.
access-list outside_access_in extended permit tcp any host CCTV-p object-group CCTV-Ports
You can also run a packet tracer to see if there are any rules that are dropping the packet:
packet-tracer input outside tcp 4.2.2.2 12345 107.xxx.xx.218 80 detail
--
Please remember to select a correct answer and rate helpful posts
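The check described in the answer above, as an added example that is not part of the original thread: a small Python audit that flags access-list entries pointing at the real (private) side of an 8.2-style static translation instead of the mapped (public) side. The function name check_acl_targets and the embedded sample are assumptions made for illustration; the parser only handles the "name", "static" and "permit ... any host" forms shown in the question and does not check which interface the ACL is bound to.

```python
import re

# Constructed sample: the config lines from the question (ASA 8.2 syntax).
SAMPLE = """\
name 10.255.99.88 CCTV
name 107.xxx.xx.218 CCTV-p
access-list outside_access_in extended permit tcp any host CCTV object-group CCTV-Ports
static (guest,outside) CCTV-p CCTV netmask 255.255.255.255
"""

# 8.2 static syntax: static (real_if,mapped_if) mapped_addr real_addr ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")


def check_acl_targets(config):
    """Return one finding per ACL entry whose destination is the real
    (pre-NAT) address of a static translation rather than the mapped one."""
    names, statics, acls = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]           # alias -> address
        elif m := STATIC_RE.match(line):
            statics.append((m.group(3), m.group(4)))  # (mapped, real)
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), m.group(2), line))

    def resolve(token):
        # Compare by address so an alias and a literal IP are treated alike.
        return names.get(token, token)

    findings = []
    for acl_name, dest, line in acls:
        for mapped, real in statics:
            if resolve(dest) == resolve(real) != resolve(mapped):
                findings.append({"acl": acl_name, "found": dest,
                                 "expected": mapped, "line": line})
    return findings


if __name__ == "__main__":
    for f in check_acl_targets(SAMPLE):
        print(f"{f['acl']}: destination {f['found']} is the real address; "
              f"on 8.2 use the mapped address {f['expected']}")
```

This applies to pre-8.3 configurations only; from ASA 8.3 onward, interface ACLs match the real address, so the same finding would be a false positive there.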
07-11-2016 06:39 PM
Thank you Marius. That did the trick.