
Cisco ASA 5512, IP NVR port forwarding

haider.rizwan
Level 1

Hi,

 

I have a Cisco 5512 ASA with version 8.6(1)2. I have one IP NVR for IP cameras.

Please help me with how to configure port forwarding in the Cisco ASA CLI.

I have a static IP on the ASA, 94.56.178.222, and the NVR IP is 10.192.192.100.

Thank you so much.

23 Replies

haider.rizwan
Level 1

anyone?

Hi Rizwan,

 

NVR camera(INSIDE)-------[ASA]--------(OUTSIDE)

10.192.192.100 : PORT y                    94.56.178.222 : PORT x

 

Scenario 1: If the IP 94.56.178.222 is present on the ASA outside interface:

Create an object for the NVR camera's real IP:

object network NVR-IP
 host 10.192.192.100
 nat (inside,outside) static interface service tcp/udp <real-port-y> <mapped-port-x>

Scenario 2: If the IP 94.56.178.222 is not present on the ASA outside interface, then:

Create object for public IP and NVR-IP, then configure nat.

object network PUBLIC-IP
 host 94.56.178.222

 

object network NVR-IP
 host 10.192.192.100
 nat (inside,outside) static PUBLIC-IP service tcp/udp <real-port-y> <mapped-port-x>

Change the config as per your requirement.

 

Thanks,

Rishabh

 

 

Hi, I have only a single public IP on the ASA outside.

The NVR is inside with a private IP.

Please advise.

Hi Rizwan,

If you have the camera on the inside, then scenario 1 in my last reply should satisfy your requirement.

 

Hi, 

 

I have already done the same config as scenario 1, but it's working.

object network obj-10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp www 8814

>> Make sure that you have an access-list permitting traffic for the NVR camera's private IP and TCP port 8814.

 

>> What is the packet-tracer output for

packet-tracer input OUTSIDE tcp 2.2.2.2 12124 94.56.178.222 80 detailed

Can you paste the packet-tracer output?

 

 

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   94.56.178.122   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa2968e00, priority=0, domain=permit, deny=true
        hits=184453, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

 

Just to inform, my NVR's TCP port is 5000 and its HTTP port is 8814.

I want to access the NVR with http://WAN-IP:8814/

object network obj-10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814

Also configure an access list to allow TCP 10.192.192.100 5000.

And run a packet capture:

packet-tracer in OUTSIDE tcp 100.1.1.1 23542 94.56.178.222 8814 detailed

 

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   94.56.178.122   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
        hits=1148, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The packet-tracer output is showing an ACL drop because you have entered the wrong destination IP in the packet-tracer command. Use 94.56.178.222 as the destination IP.

If you try http://94.56.178.222:8814, then the firewall will un-NAT this traffic to 10.192.192.100:5000.

Check if the nat works.

object network obj-10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814

ASA#

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   94.56.178.222   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
        hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please advise.

 

From the packet-tracer output it looks like UN-NAT is not taking place.

Paste your NAT statement here.
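As an added example (not code from this thread or from Cisco), the script below reads packet-tracer output and applies the three checks that came up in the replies above: whether the trace was run against the mapped address rather than a mistyped one, whether an UN-NAT phase appears at all (meaning the static NAT matched), and whether the drop comes from the implicit deny because no access-list on the input interface permits the NVR's real IP and real port. The two sample traces are constructed for this example: the first is modelled on the output pasted in this thread, the second shows what a matching trace would look like; the access-list name OUTSIDE_IN, the access-group line and the wording of the UN-NAT phase are assumptions.

```python
import re

# Constructed sample, modelled on the acl-drop output pasted in this thread
# (note the traced destination 94.56.178.122, as in the original post).
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   94.56.178.122   255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample of a healthy trace: the static PAT matches (UN-NAT phase)
# and an access-list on OUTSIDE permits the real IP and port. The ACL name and
# the UN-NAT wording are assumptions, not copied from a device.
SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network obj-10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814
Additional Information:
Untranslate 94.56.178.222/8814 to 10.192.192.100/5000
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group OUTSIDE_IN in interface OUTSIDE
access-list OUTSIDE_IN extended permit tcp any host 10.192.192.100 eq 5000
Result:
Action: allow
"""


def parse_phases(text):
    """Split packet-tracer output into phases (type, result, Config/Info lines)."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"type": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif current is None:
            continue
        elif line == "Result:":          # trailing summary block: phases are over
            current = None
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line:
            current[section].append(line)
    return phases


def traced_destination(phases):
    """Destination IP the trace was run against, read from the ROUTE-LOOKUP phase."""
    for p in phases:
        if p["type"] == "ROUTE-LOOKUP":
            m = re.search(r"\bin\s+(\d+(?:\.\d+){3})", " ".join(p["info"]))
            return m.group(1) if m else None
    return None


def triage(text, expected_mapped_ip=None):
    """Summarise a packet-tracer run and apply the checks raised in this thread."""
    phases = parse_phases(text)

    def field(key):  # value of a 'Key: value' line in the trailing summary
        m = re.search(rf"^{key}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else None

    action, reason = field("Action"), field("Drop-reason")
    dropping = next((p for p in phases if p["result"] == "DROP"), None)
    unnat_seen = any(p["type"] == "UN-NAT" for p in phases)
    traced = traced_destination(phases)
    findings = []
    if expected_mapped_ip and traced and traced != expected_mapped_ip:
        findings.append(f"trace targets {traced}, not the mapped address {expected_mapped_ip}; re-run against the mapped IP")
    if action == "drop" and not unnat_seen:
        findings.append("no UN-NAT phase: the destination did not match the static NAT (check mapped IP/port and interface names)")
    if dropping and dropping["type"] == "ACCESS-LIST" and "Implicit Rule" in dropping["config"]:
        findings.append("implicit deny: no access-list on the input interface permits the real IP and real port")
    return {"action": action, "drop_reason": reason, "unnat_seen": unnat_seen,
            "dropping_phase": dropping["type"] if dropping else None,
            "traced_dst": traced, "findings": findings}
```

Usage: paste the device output into a string and call `triage(output, expected_mapped_ip="94.56.178.222")`; `findings` is empty for a clean trace, and each entry names one of the misconfigurations discussed above. The UN-NAT check is the key one for this thread: on ASA 8.3+ a matching static NAT shows up as a separate UN-NAT phase before ACCESS-LIST, and the access-list must then permit the real (post-un-NAT) address and port, 10.192.192.100 tcp/5000 here, not the mapped port.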

!
object network obj-10.192.192.100
 host 10.192.192.100
!
object network obj-10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 5000 8814
!

 

What else should I do? I am totally confused.

Thank you for helping.
