10-15-2016 06:55 PM - edited 03-12-2019 01:24 AM
Hello,
I have a Cisco ASA 5505 Firewall I need some help with. I have 2 cameras set up on my inside network that I need access to from my outside network. I set up the NAT rules from outside to inside along with the access list to allow traffic. Everything works fine as long as I'm not on my internal network. When I'm on my internal network it doesn't work. I need to set it up so I can use my external IP for both internal and external use. Doing some research, I think I need to use hairpinning? I have tried setting it up but am not having much luck. Can someone help me with the config needed for hairpinning? I can post my config if needed. Thank you for any help on this issue.
03-11-2017 09:03 AM
Yes, and since you need access on 2 destination ports, you can use 2 of these statements with 2 different port numbers - one real and the other mapped.
nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port
nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1
'any' will be your inside network 192.168.1.0/x
obj-real = 192.168.1.200
obj-map = x.x.x.x
MAPPED_port = first mapped port on which access is needed
MAPPED_port1 = second port on which access is needed
REAL_port1 = the actual port on which the server is listening
If you don't have a second destination port, you can just add one statement.
HTH
-
AJ
10-16-2016 12:48 AM
Hi,
Are you using same-security-traffic permit intra-interface command on the ASA ?
Also, please share the config snippet that you have used for the
Please share the packet tracer output for the inside traffic as well.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
10-18-2016 02:10 PM
10-18-2016 09:46 PM
Hi,
Please share the packet tracer output for the concerned traffic.
Regards,
Aditya
10-21-2016 07:36 PM
10-21-2016 10:13 PM
Hi,
It gives an ACL drop, but you have already enabled the same-security command.
So, could you check whether you have a NAT statement configured for the traffic?
Regards,
Aditya
10-22-2016 05:28 PM
10-25-2016 12:15 PM
Don't have any config to take a look at, but you could try editing your hairpin NAT rule:
nat (inside,inside) source static <inside_client_ip> <inside_client_ip> destination static <outside_camera_ip> <inside_camera_ip>
12-10-2016 07:46 AM
niko,
Can I use <any> for my client IP? I want any inside address to be able to access the cameras. I can attach my running config if that helps.
Thank you
12-10-2016 09:33 AM
So I got part of it figured out. I have one camera working, but the other still doesn't work. I think the reason is I have to use <any> for the service to get it to work. Since I have to use my outside interface for the destination on both, I'm thinking the service port will determine which NAT rule to use. With <any> as the service port, the first NAT rule accepts and it never makes it to the next rule; therefore the 2nd camera never gets permitted. I change the order of the NAT rules and the other camera starts working. If I change the service to the port I'm using instead of <any>, the camera quits working. Any idea what causes this?
12-12-2016 02:00 AM
Can you please share the 2 NAT statements that you add when using 'port' instead of 'any' in the (inside,inside) NAT statement? Also, please attach the syslogs you see when neither camera works.
We have to use a port-based NAT statement because if we use 'any', as you correctly figured out, only the first NAT will be honored and the second will never be matched.
Also, I would recommend PATing the inside user to the inside interface IP address so that the reply packet comes to the ASA interface and the traffic flow is symmetric.
Something like below:
nat (inside,inside) source static <inside_client_ip> <inside interface ip> ...
-
AJ
12-15-2016 10:08 AM
12-15-2016 10:12 AM
12-17-2016 10:10 PM
Hello,
The screenshot didn't help much. I am used to CLI anyway. Could you please have 2 NAT statements as below:
nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port REAL_port
nat (inside,inside) source dynamic any interface destination static obj-map obj-real service MAPPED_port1 REAL_port1
Add these for 2 different destination ports as required. You can follow the doc below, which has the same example:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html
Remember, the only way it can work is to make one of these things unique: source address, destination address, source port or destination port. Unfortunately, the only thing we can utilize is the destination port. Please try in a maintenance window and let us know if it works.
-
AJ
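A complete worked version of the two-statement hairpin that AJ describes in this reply and in the accepted solution above, added here as an example; it is not configuration posted by anyone in the thread. Only the first camera address 192.168.1.200 and the 192.168.1.0/24 inside network come from the thread. The public IP 203.0.113.10, the second camera 192.168.1.201, the real port 80, the mapped ports 8081/8082 and all object names are assumptions, and the syntax is the ASA 8.3+ NAT model that the linked document describes.

```cisco
! Added example, not from the thread. Addresses, ports and object names are
! assumptions chosen to match AJ's placeholders (obj-real, obj-map,
! MAPPED_port, REAL_port). ASA 8.3+ syntax.

! Hairpinning needs traffic to enter and leave the same interface.
same-security-traffic permit intra-interface

! Real (inside) cameras and the public IP they are published on.
! The outside-to-inside publishing (object NAT) lives on the same objects.
object network CAM1_REAL
 host 192.168.1.200
 nat (inside,outside) static interface service tcp 80 8081
object network CAM2_REAL
 host 192.168.1.201
 nat (inside,outside) static interface service tcp 80 8082
object network PUBLIC_IP
 host 203.0.113.10

! Twice NAT needs a mapped and a real destination port per camera.
! The mapped ports must differ: the destination port is the only field
! that distinguishes the two hairpin rules, which is why 'any' as the
! service made only the first rule ever match.
object service CAM1_MAPPED
 service tcp destination eq 8081
object service CAM2_MAPPED
 service tcp destination eq 8082
object service CAM_REAL
 service tcp destination eq 80

! Hairpin rules (NAT section 1, evaluated first-match, so order matters).
! Source: any inside host, PATed to the inside interface address so the
! camera replies to the ASA and the flow stays symmetric.
! Destination: PUBLIC_IP:8081 -> 192.168.1.200:80, PUBLIC_IP:8082 -> 192.168.1.201:80.
nat (inside,inside) source dynamic any interface destination static PUBLIC_IP CAM1_REAL service CAM1_MAPPED CAM_REAL
nat (inside,inside) source dynamic any interface destination static PUBLIC_IP CAM2_REAL service CAM2_MAPPED CAM_REAL

! Verification from exec mode (192.168.1.50 is an assumed inside client):
! packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 8081
! packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 8082
! show nat detail
! show xlate
```

In the packet-tracer output the NAT phase should show the matching hairpin rule and the final result should be ALLOW with the untranslated destination 192.168.1.200 or 192.168.1.201; the translate_hits counter in show nat detail confirms which rule each camera is using. Two caveats: any access-list applied inbound on the inside interface is evaluated against the real (post-NAT) addresses, so it must permit the clients to 192.168.1.200/201 port 80; and because the source is PATed to the inside interface, the cameras' own logs will record the ASA address rather than the client, so client attribution has to come from the ASA syslogs.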
03-04-2017 05:49 PM
AJ,
I don't quite understand twice NAT. Can you explain and post an example?
Thank you