12-11-2014 10:16 AM - edited 03-11-2019 10:13 PM
Hi,
I have a Cisco 5512 ASA running version 8.6(1)2, and one IP NVR for IP cameras.
Please help me: how do I configure port forwarding on the Cisco ASA in the CLI?
I have a static IP on the ASA, 94.56.178.222, and the NVR IP is 10.192.192.100.
Thank you so much.
12-13-2014 12:51 AM
anyone?
12-13-2014 03:16 AM
Hi Rizwan,
NVR camera (INSIDE) -------[ASA]-------- (OUTSIDE)
10.192.192.100 : port y              94.56.178.222 : port x
Scenario 1: If the IP 94.56.178.222 is present on the ASA outside interface:
Create an object for the NVR camera's real IP:
object network NVR-IP
host 10.192.192.100
nat (inside,outside) static interface service tcp/udp <real-port-y> <mapped-port-x>
Scenario 2: If the IP 94.56.178.222 is not present on the ASA outside interface, then:
Create objects for the public IP and the NVR IP, then configure NAT.
object network PUBLIC-IP
host 94.56.178.222
object network NVR-IP
host 10.192.192.100
nat (inside,outside) static PUBLIC-IP service tcp/udp <real-port-y> <mapped-port-x>
Change the config as per your requirement.
Thanks,
Rishabh
12-13-2014 03:21 AM
Hi, I have only a single public IP on the ASA outside.
The NVR is inside with a private IP.
Please advise.
12-13-2014 03:23 AM
Hi Rizwan,
If you have the camera on the inside, then scenario 1 in my last reply should suffice for your requirement.
12-13-2014 03:37 AM
Hi,
I have already done the same config as scenario 1, but it's working.
object network obj-10.192.192.100
nat (INSIDE,OUTSIDE) static interface service tcp www 8814
12-13-2014 03:43 AM
>>Make sure that you have access-list permitting traffic for NVR camera's private ip and tcp port 8814.
>>What is the packet tracer output for
packet-tracer input OUTSIDE tcp 2.2.2.2 12124 94.56.178.222 80 detailed
Can you paste the packet tracer output?
12-13-2014 03:59 AM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.122 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2968e00, priority=0, domain=permit, deny=true
hits=184453, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-13-2014 04:14 AM
Hi,
Just to inform, my NVR uses TCP port 5000 and HTTP port 8814.
I want to access the NVR at http://WAN-IP:8814/
12-13-2014 04:58 AM
object network obj-10.192.192.100
nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814
Also configure an access list to allow tcp 10.192.192.100 5000,
and run packet capture:
packet-tracer in OUTSIDE tcp 100.1.1.1 23542 94.56.178.222 8814 detailed
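A complete working version of what this answer describes, added here as an example rather than taken from Rishabh's or the original poster's config: the object NAT from the thread plus the inbound access-list the answer says to add, restricted to an admin network instead of "any". The interface names INSIDE/OUTSIDE, the ACL name OUTSIDE-IN, the object-group NVR-ADMINS and the 203.0.113.0/24 admin network are assumptions.

```cisco
! Added example for the thread scenario, not taken from the original posts.
! Assumptions: interface names INSIDE/OUTSIDE, ACL name OUTSIDE-IN,
! object-group NVR-ADMINS and the 203.0.113.0/24 admin network.
!
! 1. Object NAT: real port 5000 on the NVR is published as 8814 on the
!    outside interface IP. Syntax is "service tcp <real-port> <mapped-port>".
!    If the NVR web UI really listens on 8814, use "service tcp 8814 8814".
object network obj-10.192.192.100
 host 10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814
!
! 2. Limit who may reach the NVR. Publishing a camera recorder to the whole
!    internet is the usual mistake; list only the networks that need it.
object-group network NVR-ADMINS
 network-object 203.0.113.0 255.255.255.0
!
! 3. Inbound ACL on OUTSIDE. On ASA 8.3 and later the ACL is evaluated after
!    un-NAT, so it must match the REAL address and REAL port
!    (10.192.192.100/5000), not the WAN IP and 8814. The implicit deny at the
!    end of an empty/missing ACL is what produced the "acl-drop" above.
access-list OUTSIDE-IN extended permit tcp object-group NVR-ADMINS object obj-10.192.192.100 eq 5000
access-group OUTSIDE-IN in interface OUTSIDE
!
! 4. Verify. A working config shows an UN-NAT phase mapping
!    94.56.178.222/8814 -> 10.192.192.100/5000 and ACCESS-LIST Result: ALLOW.
packet-tracer input OUTSIDE tcp 203.0.113.10 23542 94.56.178.222 8814 detailed
show nat detail
show xlate
```

If an access-group is already applied inbound on OUTSIDE, add the permit line to that existing ACL instead of creating a second one, since only one ACL can be bound per interface and direction.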
12-13-2014 05:55 AM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.122 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=1148, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-13-2014 09:19 AM
The packet-tracer output is showing an ACL drop because you entered the wrong destination IP in the packet-tracer command. Use 94.56.178.222 as the destination IP.
If you try http://94.56.178.222:8814, the firewall will un-NAT this traffic to 10.192.192.100:5000.
Check if the NAT works.
object network obj-10.192.192.100
nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814
12-13-2014 11:33 PM
ASA#
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.222 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Please advise.
12-14-2014 01:27 AM
From the packet-tracer output it looks like un-NAT is not taking place.
Paste your NAT statement here.
12-14-2014 02:23 AM
!
object network obj-10.192.192.100
host 10.192.192.100
!
object network obj-10.192.192.100
nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814
!
What else should I do? I am totally confused.
Thank you for helping.