01-15-2013 12:23 PM - edited 03-11-2019 05:47 PM
I recently installed an ASA 5505 at a small business, to separate their wired business network from their employee WIFI access. Soon after the firewall installation was complete the office manager had a security camera system installed. The security camera system has a web access feature and asked me setup access though the firewall, so he can view the security system from his smart phone.
The camera system is located on the Vlan1 (inside) and is assigned a static IP of 192.168.017.040 the web interface is accessed via tcp port 100. The ASA 5505 connects to the web using PPPoe to obtain a static IP, through an ISP provided DSL modem set to “Transparent Bridging”. After a few weeks of research and trying different configuration settings the connection still does not work. I have included the current configuration below. Any advice/instruction on what I’m doing wrong would be greatly appreciated.
Thank you,
Will
: Saved
:
ASA Version 8.2(5)
!
hostname **********ASA5505
enable password ****************** encrypted
passwd ************* encrypted
names
name 192.168.17.2 Cam-srv description **************
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.17.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group *************
ip address pppoe setroute
!
interface Vlan5
no forward interface Vlan1
nameif DMZwireless
security-level 50
ip address 192.168.50.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZwireless
dns server-group DefaultDNS
name-server 64.91.3.46
name-server 208.54.220.20
access-list DMZwireless_nat0_outbound extended permit ip any interface outside
access-list outside_access_in extended permit tcp any interface outside eq 100
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any host 192.168.17.40 eq 100
access-list inside_access_out extended permit tcp any host 192.168.17.40
access-list inside_access_out extended permit icmp any host 192.168.17.40
access-list inside_access_out extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZwireless 1500
ip local pool ************* 192.168.17.200-192.168.17.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZwireless) 0 access-list DMZwireless_nat0_outbound
nat (DMZwireless) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.17.40 192.168.17.40 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.17.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group centurylink.net request dialout pppoe
vpdn group ************ localname *******
vpdn group ************ ppp authentication pap
vpdn username *********** password *****
vpdn username *********** password *****
dhcpd auto_config outside
!
dhcpd address 192.168.17.110-192.168.17.141 inside
dhcpd dns 64.91.3.46 208.54.220.20 interface inside
dhcpd wins Cam-srv interface inside
dhcpd enable inside
!
dhcpd address 192.168.50.2-192.168.50.33 DMZwireless
dhcpd auto_config outside interface DMZwireless
dhcpd enable DMZwireless
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy ************** internal
group-policy ************** attributes
wins-server value 192.168.17.2
dns-server value 64.91.3.46 208.54.220.20
vpn-tunnel-protocol IPSec svc webvpn
default-domain none
username ********* password *********** encrypted privilege 0
username ************ attributes
vpn-group-policy ***********
tunnel-group ************ type remote-access
tunnel-group ************ general-attributes
address-pool ***********
default-group-policy ************
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a0d82f12d37070c836713ccfd930b7bb
: end
asdm location Cam-srv 255.255.255.255 inside
no asdm history enable
Solved! Go to Solution.
01-15-2013 12:58 PM
Hello Will,
Here is what you need to do:
no static (inside,outside) 192.168.17.40 192.168.17.40 netmask 255.255.255.255
static (inside,outside) tcp interface 100 192.168.17.40 100
Let me know how it goes
01-15-2013 12:58 PM
Hello Will,
Here is what you need to do:
no static (inside,outside) 192.168.17.40 192.168.17.40 netmask 255.255.255.255
static (inside,outside) tcp interface 100 192.168.17.40 100
Let me know how it goes
01-21-2013 09:41 AM
jcarvaja,
Your solution fixed my issue, thank you for the tip.
Will
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide