09-04-2012 01:51 AM - edited 03-11-2019 04:49 PM
Hey,
I have my ASA configured with static PAT commands. Currently there are 6 DVR machines in my organization with different IP addresses, 192.168.8.1 - 192.168.8.6, and the port used by all DVRs is 8000.
I have a requirement to make these DVRs reachable from the Internet for management purposes. Right now I am using the command below for DVR static PAT:
static (inside,outside) tcp interface 8000 192.168.8.1 8000 netmask 255.255.255.255
Now my query is: how can I use port 8000 with all the static PATs for DVR access, with different IP addresses?
Secondly, when I try to hit http://111.119.x.x:8000 from the Internet I get the error "The page cannot be displayed".
09-04-2012 02:20 AM
First question: you can't. You can't configure static PAT with the same port going to different internal destination servers on the same public IP, because the ASA won't know which internal server to connect to when it's all the same port.
Can you change the management port on the DVRs so that each DVR has a different management port? If you can, then you can configure static PAT for the different servers as follows:
static (inside,outside) tcp interface 8002 192.168.8.2 8002 netmask 255.255.255.255
static (inside,outside) tcp interface 8003 192.168.8.3 8003 netmask 255.255.255.255
static (inside,outside) tcp interface 8004 192.168.8.4 8004 netmask 255.255.255.255
static (inside,outside) tcp interface 8005 192.168.8.5 8005 netmask 255.255.255.255
static (inside,outside) tcp interface 8006 192.168.8.6 8006 netmask 255.255.255.255
Second question: have you configured an access-list on the outside interface and applied it to allow the access?
It should be something like this:
access-list outside-acl permit tcp any interface outside eq 8000
access-group outside-acl in interface outside
Hope that helps.
09-04-2012 03:31 AM
It will not be possible for me to change the management ports of all the DVRs. For local DVR access we use port 8000 for all the DVRs.
Secondly, I have created these ACLs, which are currently working on my device:
access-list 201 extended permit ip any any
access-list 201 extended permit tcp any host 111.119.x.x eq https inactive
access-list inside1_access_in extended permit ip any any
access-group 201 in interface outside
access-group inside1_access_in in interface inside1
09-04-2012 03:57 AM
Hi,
Is it not possible to assign access to the DVRs like:-
DVR1 - http://111.119.x.x:8000 internally mapped to lets say 192.168.8.1 port 8000
DVR2 - http://111.119.x.x:8001 internally mapped to lets say 192.168.8.2 port 8000
DVR3 - http://111.119.x.x:8002 internally mapped to lets say 192.168.8.3 port 8000
DVR4 - http://111.119.x.x:8003 internally mapped to lets say 192.168.8.4 port 8000
DVR5 - http://111.119.x.x:8004 internally mapped to lets say 192.168.8.5 port 8000
DVR6 - http://111.119.x.x:8005 internally mapped to lets say 192.168.8.6 port 8000
So you need to create the respective statics like:-
static (inside,outside) tcp interface 8000 192.168.8.1 8000 netmask 255.255.255.255
static (inside,outside) tcp interface 8001 192.168.8.2 8000 netmask 255.255.255.255
and so on.
So for each DVR, when you access from outside, use the same public IP but different port numbers.
1) What version of ASA do you use?
2) For the existing ACL/static, do you see any hit counts? (You can also check via ASDM.)
3) Are you able to manage the DVR internally from the LAN, like http://192.168.8.1:8000?
4) Is there a proper route on the ASA to the 192.168.8.0/24 network?
Regards
PG
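The port scheme PG lays out above (one outside port per DVR, every one of them mapped to inside port 8000) can be checked offline before it is typed into the ASA. The following is an added example for this thread, written in Python rather than ASA CLI; it is not code posted by anyone in the thread. It parses pre-8.3 `static (inside,outside) tcp ...` lines in the form used on the 8.0(4) box here, reports the collision that makes the original "port 8000 six times" idea impossible (the interface address has only one outside TCP port 8000 to hand out), and emits a collision-free set of statics plus the matching outside ACL entries. The ACL name `outside-acl`, the interface names and the outside port range 8000-8005 are assumptions for illustration.

```python
"""Plan distinct outside ports for several inside hosts behind one public IP.

Added example, not from the Cisco Community thread.  Assumes the pre-8.3
'static (real_if,mapped_if) tcp <mapped_ip> <mapped_port> <real_ip> <real_port>'
syntax that ASA 8.0(4) uses; interface and ACL names are placeholders.
"""
import re
from collections import Counter

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)"
    r"(?: netmask (?P<mask>\S+))?$",
    re.IGNORECASE,
)


def parse_static(line):
    """Break one static PAT line into its fields (ports as ints)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static PAT line: {line!r}")
    d = m.groupdict()
    d["proto"] = d["proto"].lower()
    d["mapped_port"] = int(d["mapped_port"])
    d["real_port"] = int(d["real_port"])
    return d


def find_collisions(lines):
    """Return (mapped_if, proto, mapped_ip, mapped_port) keys used more than once.

    Each key is one outside socket; the ASA cannot demultiplex it onto two
    inside hosts, so it rejects the second static that claims it.
    """
    keys = Counter(
        (s["mapped_if"], s["proto"], s["mapped_ip"].lower(), s["mapped_port"])
        for s in map(parse_static, lines)
    )
    return sorted(k for k, n in keys.items() if n > 1)


def plan_static_pat(real_ips, real_port=8000, first_mapped_port=8000,
                    real_if="inside", mapped_if="outside", mapped_ip="interface",
                    acl_name="outside-acl"):
    """One static per inside host: unique outside port, identical inside port.

    Returns (static_lines, acl_lines).  The ACL refers to the mapped address
    because pre-8.3 ACLs are evaluated on the translated (outside) address.
    """
    statics, acls = [], []
    acl_target = (f"interface {mapped_if}" if mapped_ip == "interface"
                  else f"host {mapped_ip}")
    for i, ip in enumerate(real_ips):
        mport = first_mapped_port + i
        statics.append(f"static ({real_if},{mapped_if}) tcp {mapped_ip} {mport} "
                       f"{ip} {real_port} netmask 255.255.255.255")
        acls.append(f"access-list {acl_name} extended permit tcp any "
                    f"{acl_target} eq {mport}")
    acls.append(f"access-group {acl_name} in interface {mapped_if}")
    return statics, acls


# The six DVRs from the thread, first as the original (impossible) config...
DVRS = [f"192.168.8.{i}" for i in range(1, 7)]
NAIVE = [f"static (inside,outside) tcp interface 8000 {ip} 8000 "
         f"netmask 255.255.255.255" for ip in DVRS]

if __name__ == "__main__":
    print("collisions in naive config:", find_collisions(NAIVE))
    statics, acls = plan_static_pat(DVRS)
    print("collisions in planned config:", find_collisions(statics))
    print(*statics, *acls, sep="\n")
```

The emitted lines are only valid on 8.2 and earlier; ASA 8.3 moved to object NAT and the `static` keyword no longer exists there, so on a newer box the same plan has to be expressed as one network object per DVR. The ACL entries deliberately permit only the six forwarded ports rather than `permit ip any any`, which is what the thread's `access-list 201` currently allows on the outside interface.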
09-04-2012 04:20 AM
Locally I access my DVR from the browser at http://192.168.8.1; it then prompts me for the username and password, and the port is already filled in as 8000.
ASA version 8.0(4)
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 1; 1 elements
access-list inside_nat0_outbound; 3 elements
access-list 201; 2 elements
access-list 201 line 1 extended permit ip any any (hitcnt=181687) 0x4ba4f902
access-list 201 line 2 extended permit tcp any host 111.119.x.x eq https inactive (hitcnt=0) (inactive) 0x0a72fc63
access-list inside1_access_in; 1 elements
access-list inside1_access_in line 1 extended permit ip any any (hitcnt=4294) 0x12c05c66
No, I didn't define any network for 192.168.8.0/24.
09-04-2012 04:39 AM
Hi,
Are you able to ping from the ASA to the DVR?
Is the DVR configured with a default gateway?
Make sure that IP reachability from the ASA to the DVRs is OK, for which you need routes (route commands) on the ASA unless the ASA inside IP is in 192.168.8.0/24.
Do you happen to have a free public IP by any chance, just for test purposes, so that instead of "interface" we could possibly use that IP?
The access list is "ip any any", so we cannot see hits for a specific IP. It would be better if you could log into ASDM, then ask someone to access the DVR via the public IP from outside and see what exactly happens in ASDM.
Regards
PG
09-04-2012 05:32 AM
Sonugnair wrote:
Hi,
Are you able to ping from the ASA to the DVR? YES
Is the DVR configured with a default gateway? YES
Make sure that IP reachability from the ASA to the DVRs is OK, for which you need routes (route commands) on the ASA unless the ASA inside IP is in 192.168.8.0/24. PING IS WORKING FROM ASA TO DVR
Do you happen to have a free public IP by any chance, just for test purposes, so that instead of "interface" we could possibly use that IP? NO I DONT HAVE ONE
The access list is "ip any any", so we cannot see hits for a specific IP. It would be better if you could log into ASDM, then ask someone to access the DVR via the public IP from outside and see what exactly happens in ASDM.... I AM ALSO USING A SYSLOG SERVER.. PLEASE FIND THE LOG BELOW
Regards
PG
09-04-2012 15:47:03 Local4.Info 192.168.3.50 %ASA-6-302013: Built inbound TCP connection 1523584 for outside:180.92.x.x/35012 (111.119.x.x/35012) to inside1:192.168.8.1/8000 (111.119.x.x/8000)
09-04-2012 15:47:03 Local4.Info 192.168.3.50 %ASA-6-302013: Built inbound TCP connection 1523583 for outside:180.92.x.x/35011 (111.119.x.x/35011) to inside1:192.168.8.1/8000 (111.119.x.x/8000)
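The two `%ASA-6-302013` lines above prove that the ASA accepted the SYN, applied the static (111.119.x.x/8000 -> 192.168.8.1/8000) and created a connection; they say nothing about whether the DVR ever answered. The matching `%ASA-6-302014` teardown record does: `bytes 0` with reason `SYN Timeout` means the handshake never completed behind the firewall. The following is an added example for this thread, not code posted by any participant: it pairs build and teardown syslogs by connection id and classifies each connection. The 302013 lines in the sample are the ones posted above (addresses left as `x.x`); the 302014 teardown lines are constructed for illustration and do not appear in the thread.

```python
"""Pair ASA connection build/teardown syslogs for a static-PAT service.

Added example for this thread, not something posted in it.  The 302013
lines in SAMPLE are copied from the post above; the 302014 lines are
CONSTRUCTED to show what a 'page cannot be displayed' failure looks like
when the firewall is permitting the connection but the inside host is not
replying.
"""
import re

BUILD_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"\((?P<msrc>[\w.]+)/(?P<msport>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"\((?P<mdst>[\w.]+)/(?P<mdport>\d+)\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)

HDR = "09-04-2012 15:47:03 Local4.Info 192.168.3.50 "
SAMPLE = [
    # posted in the thread (the syslog export carried each one twice)
    HDR + "%ASA-6-302013: Built inbound TCP connection 1523584 for outside:180.92.x.x/35012 (111.119.x.x/35012) to inside1:192.168.8.1/8000 (111.119.x.x/8000)",
    HDR + "%ASA-6-302013: Built inbound TCP connection 1523583 for outside:180.92.x.x/35011 (111.119.x.x/35011) to inside1:192.168.8.1/8000 (111.119.x.x/8000)",
    HDR + "%ASA-6-302013: Built inbound TCP connection 1523584 for outside:180.92.x.x/35012 (111.119.x.x/35012) to inside1:192.168.8.1/8000 (111.119.x.x/8000)",
    # CONSTRUCTED teardown lines, not from the thread
    "09-04-2012 15:47:33 Local4.Info 192.168.3.50 %ASA-6-302014: Teardown TCP connection 1523584 for outside:180.92.x.x/35012 to inside1:192.168.8.1/8000 duration 0:00:30 bytes 0 SYN Timeout",
    "09-04-2012 15:47:33 Local4.Info 192.168.3.50 %ASA-6-302014: Teardown TCP connection 1523583 for outside:180.92.x.x/35011 to inside1:192.168.8.1/8000 duration 0:00:30 bytes 0 SYN Timeout",
]


def pair_connections(lines):
    """Index build records by connection id and attach their teardown, if seen.

    Keying by id also collapses the duplicated build lines in the export.
    """
    conns = {}
    for line in lines:
        m = BUILD_RE.search(line)
        if m:
            conns[m["id"]] = {
                "direction": m["dir"],
                "src": m["src"], "sport": int(m["sport"]),
                "mapped_dst": m["mdst"], "mapped_dport": int(m["mdport"]),
                "real_dst": m["dst"], "real_dport": int(m["dport"]),
                "bytes": None, "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]]["bytes"] = int(m["bytes"])
            conns[m["id"]]["reason"] = (m["reason"] or "").strip()
    return conns


def forwarded_as_expected(conn, mapped_dport, real_dst, real_dport):
    """True if the ASA applied the intended static: outside port -> inside host:port."""
    return (conn["direction"] == "inbound"
            and conn["mapped_dport"] == mapped_dport
            and conn["real_dst"] == real_dst
            and conn["real_dport"] == real_dport)


def diagnose(conn):
    """Classify one connection from its teardown record."""
    if conn["bytes"] is None:
        return "no-teardown-seen"
    if conn["reason"].startswith("SYN Timeout"):
        # The ASA forwarded the SYN but no SYN/ACK came back within the
        # embryonic timeout: wrong listening port, missing default gateway
        # on the host, or a host firewall.  The ASA is not the problem.
        return "inside-host-no-reply"
    if "Reset-I" in conn["reason"]:
        return "inside-host-refused"      # RST originated on the inside
    if conn["bytes"] > 0:
        return "data-exchanged"
    return "closed-without-data"


if __name__ == "__main__":
    for cid, c in sorted(pair_connections(SAMPLE).items()):
        print(cid, c["src"], "->", f"{c['mapped_dst']}:{c['mapped_dport']}",
              "=>", f"{c['real_dst']}:{c['real_dport']}", diagnose(c))
```

Read the output together with PG's questions: a `SYN Timeout` on every connection while the static and ACL clearly match is the signature of an inside host that cannot route its reply back through the ASA (or is not listening on 8000), not of a NAT or ACL mistake.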
09-04-2012 07:17 AM
Hi,
It seems the firewall is allowing it as per the ACL/static.
Are you sure that only port 8000 needs to be opened? What about any UDP ports?
Are there any other 'deny' logs in the syslog corresponding to this service?
If you have documentation from the DVR vendor, it might have a listing of the ports that are required to be opened on the firewall.
Regards.
PG
09-07-2012 04:59 AM
Sonugnair,
Can I access multiple LAN IPs through a single public IP and add static PATs for them on the ASA?
Public IP: currently used for this IP through static PAT:
192.168.2.32
Local IPs which I want to use (all will be using port 80):
192.168.8.x
192.168.2.34