DVR Access through ASA from Outside

srsiddiqui2007
Level 1

Hey,

I have my ASA configured with static PAT commands. Currently there are 6 DVR machines in my organization with different IP addresses, 192.168.8.1 - 192.168.8.6, and the port used by all the DVRs is 8000.

I have a requirement to make these DVRs reachable from the Internet for management purposes. Right now I am using the command below for the DVR static PAT:

static (inside,outside) tcp interface 8000 192.168.8.1 8000 netmask 255.255.255.255

Now my query is: how can I use port 8000 in all the static PATs for DVR access with different IP addresses?

Secondly, when I try to hit http://111.119.x.x:8000 from the Internet I get the error "The page cannot be displayed".

8 Replies

Jennifer Halim
Cisco Employee

First question: you can't. You can't configure static PAT with the same port going to different internal destination servers on the same public IP, because the ASA won't know which internal server to connect to since it's all the same port.

Can you change the management port on the DVRs so that each DVR has a different management port? If you can, then you can configure static PAT for the different servers as follows:

static (inside,outside) tcp interface 8002 192.168.8.2 8002 netmask 255.255.255.255

static (inside,outside) tcp interface 8003 192.168.8.3 8003 netmask 255.255.255.255

static (inside,outside) tcp interface 8004 192.168.8.4 8004 netmask 255.255.255.255

static (inside,outside) tcp interface 8005 192.168.8.5 8005 netmask 255.255.255.255

static (inside,outside) tcp interface 8006 192.168.8.6 8006 netmask 255.255.255.255

Second question: have you configured an access-list on the outside and applied it to allow the access?

It should be something like this:

access-list outside-acl permit tcp any interface outside eq 8000

access-group outside-acl in interface outside

Hope that helps.

It will not be possible for me to change the management ports of all the DVRs. For local DVR access we use port 8000 on all the DVRs.

Secondly, I have created these ACLs, which are currently working on my device:

access-list 201 extended permit ip any any

access-list 201 extended permit tcp any host 111.119.x.x eq https inactive

access-list inside1_access_in extended permit ip any any

access-group 201 in interface outside

access-group inside1_access_in in interface inside1

Hi,

Is it not possible to assign access to the DVRs like:

DVR1 -  http://111.119.x.x:8000 internally mapped to, let's say, 192.168.8.1 port 8000

DVR2 -  http://111.119.x.x:8001 internally mapped to, let's say, 192.168.8.2 port 8000

DVR3 -  http://111.119.x.x:8002 internally mapped to, let's say, 192.168.8.3 port 8000

DVR4 -  http://111.119.x.x:8003 internally mapped to, let's say, 192.168.8.4 port 8000

DVR5 -  http://111.119.x.x:8004 internally mapped to, let's say, 192.168.8.5 port 8000

DVR6 -  http://111.119.x.x:8005 internally mapped to, let's say, 192.168.8.6 port 8000

So you need to create the respective statics like:

static (inside,outside) tcp interface 8000 192.168.8.1 8000 netmask 255.255.255.255

static (inside,outside) tcp interface 8001 192.168.8.2 8000 netmask 255.255.255.255

and so on (the public port changes per DVR; the local port stays 8000).

So for each DVR, when you access it from outside, use the same public IP but a different port number.

1) What version of ASA do you use?

2) For the existing ACL/static, do you see any hit counts? (You can also check via ASDM.)

3) Are you able to manage the DVR internally from the LAN, e.g. http://192.168.8.1:8000?

4) Is there a proper route on the ASA to the 192.168.8.0/24 network?

Regards

PG

Locally I access my DVR from the browser at http://192.168.8.1; it then prompts me for the username and password, and the port is already filled in as 8000.

ASA version 8.0(4)

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 1; 1 elements
access-list inside_nat0_outbound; 3 elements
access-list 201; 2 elements
access-list 201 line 1 extended permit ip any any (hitcnt=181687) 0x4ba4f902
access-list 201 line 2 extended permit tcp any host 111.119.x.x eq https inactive (hitcnt=0) (inactive) 0x0a72fc63
access-list inside1_access_in; 1 elements
access-list inside1_access_in line 1 extended permit ip any any (hitcnt=4294) 0x12c05c66

No, I didn't define any networks with 192.168.8.0/24.

Hi,

Are you able to ping from ASA to the DVR?

Is the DVR configured with a default gateway?

Make sure that IP reachability from the ASA to the DVRs is OK, for which you need to have routes (route commands) on the ASA unless the ASA inside IP is in 192.168.8.0/24.

Do you happen to have a free public IP by any chance, just for test purposes, so that instead of "interface" we could possibly use that IP?

The access list is ip any any, so we cannot see hits for a specific IP. It would be better if you could log into ASDM and then ask someone to access the DVR via the public IP from outside and see what exactly happens in ASDM.

Regards

PG

Sonugnair wrote:

Hi,

Are you able to ping from the ASA to the DVR? YES

Is the DVR configured with a default gateway? YES

Make sure that IP reachability from the ASA to the DVRs is OK, for which you need to have routes (route commands) on the ASA unless the ASA inside IP is in 192.168.8.0/24. PING IS WORKING FROM ASA TO DVR

Do you happen to have a free public IP by any chance, just for test purposes, so that instead of "interface" we could possibly use that IP? NO I DON'T HAVE ONE

The access list is ip any any, so we cannot see hits for a specific IP. It would be better if you could log into ASDM and then ask someone to access the DVR via the public IP from outside and see what exactly happens in ASDM.... I AM ALSO USING A SYSLOG SERVER.. PLEASE FIND THE LOG BELOW

Regards

PG

09-04-2012 15:47:03 Local4.Info 192.168.3.50 %ASA-6-302013: Built inbound TCP connection 1523584 for outside:180.92.x.x/35012 (111.119.x.x/35012) to inside1:192.168.8.1/8000 (111.119.x.x/8000)

09-04-2012 15:47:03 Local4.Info 192.168.3.50 %ASA-6-302013: Built inbound TCP connection 1523583 for outside:180.92.x.x/35011 (111.119.x.x/35011) to inside1:192.168.8.1/8000 (111.119.x.x/8000)

Hi,

It seems the firewall is allowing it as per the ACL/static.

Are you sure that only port 8000 needs to be opened? What about any UDP ports?

Any other 'deny' logs in the syslog corresponding to this service?

If you have documentation from the DVR vendor, they might have a listing of the ports that are required to be opened on the firewall.

Regards.

PG
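The three things this thread turns on can be checked mechanically: the public-port collision Jennifer describes (two statics on the same public IP and port), the one-public-port-per-DVR scheme PG lays out, and whether the %ASA-6-302013 "Built inbound TCP connection" lines show the translation you intended. The script below is an added example, not code from the thread or from Cisco: the function names are mine, the sample config and syslog line are constructed from what was posted, and 111.119.x.x is kept exactly as redacted in the thread. It also flags the outside ACL `permit ip any any`, since with that ACE every static PAT on the interface is reachable from the whole Internet; `plan_acl` generates the narrow per-port ACEs instead. `plan_statics` takes the local port as a parameter, so the same scheme covers the later port-80 question.

```python
"""Check ASA 8.0-style static PAT port forwards and the outside ACL for a set of DVRs.

Added example, not code from the thread or from Cisco. Function names and the
sample config are constructed; 111.119.x.x is the redacted public IP from the thread.
"""
import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+tcp\s+"
    r"(?P<pub_ip>\S+)\s+(?P<pub_port>\d+)\s+(?P<loc_ip>\S+)\s+(?P<loc_port>\d+)\s+netmask\s+\S+",
    re.IGNORECASE,
)
ACE_ANY_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+any\s+any\b", re.IGNORECASE
)
ACG_RE = re.compile(r"^\s*access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)", re.IGNORECASE)
# 302013: Built inbound TCP connection N for OUT_IF:src/sport (mapped_src/mport) to IN_IF:real/rport (mapped/mport)
LOG_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection \d+ for \w+:(?P<src>[\d.x]+)/\d+ \([\d.x]+/\d+\) "
    r"to \w+:(?P<real_ip>[\d.x]+)/(?P<real_port>\d+) \((?P<mapped_ip>[\d.x]+)/(?P<mapped_port>\d+)\)"
)


def parse_statics(config_lines):
    """Map (public_ip, public_port) -> [(local_ip, local_port), ...] from static PAT lines."""
    table = defaultdict(list)
    for line in config_lines:
        m = STATIC_RE.match(line)
        if m:
            table[(m["pub_ip"].lower(), int(m["pub_port"]))].append((m["loc_ip"], int(m["loc_port"])))
    return dict(table)


def find_collisions(statics):
    """Public (ip, port) pairs claimed by more than one internal host: only one can ever win."""
    return sorted(k for k, targets in statics.items() if len(set(targets)) > 1)


def plan_statics(dvr_ips, first_public_port=8000, local_port=8000, real_if="inside", mapped_if="outside"):
    """One distinct public port per DVR, each translated to the DVR's unchanged local port."""
    return [
        f"static ({real_if},{mapped_if}) tcp interface {first_public_port + i} {ip} {local_port} "
        "netmask 255.255.255.255"
        for i, ip in enumerate(dvr_ips)
    ]


def plan_acl(statics_lines, acl_name="outside_access_in", mapped_if="outside"):
    """Narrow inbound ACEs for exactly the forwarded TCP ports, instead of permit ip any any."""
    aces = []
    for line in statics_lines:
        m = STATIC_RE.match(line)
        if m:
            aces.append(f"access-list {acl_name} extended permit tcp any interface {m['mapped_if']} eq {m['pub_port']}")
    aces.append(f"access-group {acl_name} in interface {mapped_if}")
    return aces


def outside_any_any(config_lines, outside_if="outside"):
    """Names of ACLs that permit ip any any and are applied inbound on the outside interface."""
    wide_open = {m["name"] for m in map(ACE_ANY_RE.match, config_lines) if m}
    bound = {m["name"]: m["iface"] for m in map(ACG_RE.match, config_lines) if m}
    return sorted(n for n, iface in bound.items() if n in wide_open and iface == outside_if)


def check_log(log_lines, statics, outside_ip):
    """For each 302013 line: (src, public key, real target, True if an intended static matches)."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        mapped_ip, port = m["mapped_ip"].lower(), int(m["mapped_port"])
        # Statics written with the "interface" keyword show the interface address in the log.
        key = ("interface", port) if mapped_ip == outside_ip.lower() else (mapped_ip, port)
        real = (m["real_ip"], int(m["real_port"]))
        results.append((m["src"], key, real, real in statics.get(key, [])))
    return results


# Constructed sample input, built from the lines posted in the thread.
THREAD_CONFIG = [
    "static (inside,outside) tcp interface 8000 192.168.8.1 8000 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 8000 192.168.8.2 8000 netmask 255.255.255.255",  # the collision
    "access-list 201 extended permit ip any any",
    "access-list inside1_access_in extended permit ip any any",
    "access-group 201 in interface outside",
    "access-group inside1_access_in in interface inside1",
]
DVRS = [f"192.168.8.{n}" for n in range(1, 7)]
OUTSIDE_IP = "111.119.x.x"  # redacted in the thread, kept as-is
SYSLOG = [
    "09-04-2012 15:47:03 Local4.Info 192.168.3.50 %ASA-6-302013: Built inbound TCP connection 1523584 "
    "for outside:180.92.x.x/35012 (111.119.x.x/35012) to inside1:192.168.8.1/8000 (111.119.x.x/8000)",
]

if __name__ == "__main__":
    print("collisions:", find_collisions(parse_statics(THREAD_CONFIG)))
    plan = plan_statics(DVRS)
    print("\n".join(plan + plan_acl(plan)))
    print("wide-open ACLs on outside:", outside_any_any(THREAD_CONFIG))
    for src, key, real, ok in check_log(SYSLOG, parse_statics(plan), OUTSIDE_IP):
        print(f"{src} -> {key[0]}:{key[1]} built to {real[0]}:{real[1]} ({'expected' if ok else 'UNEXPECTED'})")
```

Run against the thread's own lines, `find_collisions` reports `("interface", 8000)` for the two-statics-on-one-port attempt, the planned statics map 8000..8005 onto 192.168.8.1..6 with no collision, ACL 201 is flagged because it is `permit ip any any` bound inbound on outside, and the posted 302013 line is reported as an expected translation. The 302013 check only proves the ASA built the connection; if the DVR still does not answer, the next place to look is the DVR's own reply path and any UDP ports the vendor documentation lists, as PG says above.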

Sonugnair,

Can I access multiple LAN IPs through a single public IP and add static PATs for them in the ASA?

Public IP

http://111.119.x.x

Currently using this IP through static PAT:

192.168.2.32

Local IPs which I want to use. All will be using port 80:

192.168.8.x

192.168.2.34
