Cisco ASA 5512, IP NVR port forwarding

haider.rizwan
Level 1

Hi,

 

I have a Cisco 5512 ASA with version 8.6(1)2. I have one IP NVR for IP cameras.

Please help me with how to configure port forwarding on the Cisco ASA in the CLI.

I have a static IP on the ASA, 94.56.178.222, and the NVR IP is 10.192.192.100.

Thank you so much.

23 Replies

Hi Rizwan,

Just to confirm the requirement:

1. What is the IP on the outside interface?

2. What is the port and IP of the NVR cam?

3. What is the mapped IP and port?

4. What is the packet tracer command which you are entering to test the config?

 

Hi Rishabh,

Sorry, I was just hiding the real IP address due to client restriction. :-(

Here is the reply with the real IP; please help to resolve it.

Outside IP: 94.56.178.102

NVR IP: 10.171.192.10, HTTP port: 8814, TCP port: 5000, RTSP port: 554

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   94.56.178.102   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
        hits=17629, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

Thank you so much  
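A small check for reading a trace like the one posted above, added here as an example and not written by anyone in the thread: it reports whether an UN-NAT phase ran before the drop and whether the packet was handed to the ASA's own identity interface. The sample text is abridged from the posted trace, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the packet-tracer output posted in this thread.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in   94.56.178.102   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: OUTSIDE
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split ASA packet-tracer text into per-phase fields and the final summary."""
    parts = re.split(r"(?m)^Result:[ \t]*$", text, maxsplit=1)
    head, tail = parts[0], parts[1] if len(parts) > 1 else ""
    phases = []
    for block in re.split(r"(?m)^Phase:[ \t]*\d+[ \t]*$", head)[1:]:
        fields = dict(re.findall(r"(?m)^(Type|Result):[ \t]*(.*)$", block))
        fields["implicit"] = "Implicit Rule" in block
        phases.append(fields)
    summary = dict(re.findall(r"(?m)^([\w-]+):[ \t]*(.*)$", tail))
    return phases, summary

def diagnose(text):
    """Report the facts that matter when an inbound port forward is dropped."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    return {
        # No UN-NAT phase: no NAT rule untranslated the destination address.
        "untranslated": all(p.get("Type") != "UN-NAT" for p in phases),
        # Identity interface: the packet is treated as addressed to the ASA itself.
        "to_the_box": "Identity" in summary.get("output-interface", ""),
        "drop_type": drop["Type"] if drop else None,
        "implicit_deny": bool(drop and drop["implicit"]),
        "drop_reason": summary.get("Drop-reason"),
    }
```

Run against the posted trace, every flag is set: no NAT rule matched, so the packet was evaluated as traffic to the firewall itself and hit the implicit deny.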

 

Refer to this article:

https://rowell.dionicio.net/configuring-nat-for-a-public-server-using-same-outside-interface/

You can try this:

NVR IP: 10.171.192.10, HTTP port: 8814, TCP port: 5000, RTSP port: 554

 object network NVR_IP
 host 10.171.192.10

 object service NVR-8814
 service tcp destination eq 8814
 
 object service NVR-5000
 service tcp destination eq 5000

 object service NVR-554
 service tcp destination eq 554

 

nat (inside,outside) source static NVR_IP interface service NVR-8814 NVR-8814
nat (inside,outside) source static NVR_IP interface service NVR-5000 NVR-5000
nat (inside,outside) source static NVR_IP interface service NVR-554 NVR-554

Sir,

No luck. It's not working.

Now I changed the HTTP port to 54321 to test, but both HTTP ports (8814 & 54321) are not accessible. Locally (LAN) I access the NVR with http://10.171.192.10:54321 and it's fine in the LAN.

Any advice?

There can be a possibility that you have manual NAT before these object NAT statements.

Try to put those statements after object NAT and check.

To place the manual NAT after object NAT, use the "after-source" command in the manual NAT config.

nat (INSIDE,OUTSIDE) after-auto source static NVR_IP interface service NVR-5000 NVR-5000

nat (INSIDE,OUTSIDE) after-auto source static NVR_IP interface service NVR-554 NVR-554

nat (INSIDE,OUTSIDE) after-auto source static NVR_IP interface service NVR-54321 NVR-54321

clear xlate

I put in these commands but it didn't work. :-(

Put these on top and check:

nat (inside,outside) source static NVR_IP interface service NVR-8814 NVR-8814
nat (inside,outside) source static NVR_IP interface service NVR-5000 NVR-5000
nat (inside,outside) source static NVR_IP interface service NVR-554 NVR-554

Hi,

 

I put them on the top with sequence numbers and now these are on the top, but it is still not working. Please note I am using port 54321 instead of 8814.

 


nat (inside,outside) 1 source static NVR_IP interface service NVR-8814 NVR-54321
nat (inside,outside) 2 source static NVR_IP interface service NVR-5000 NVR-5000
nat (inside,outside) 3 source static NVR_IP interface service NVR-554 NVR-554
