07-06-2017 03:25 PM - edited 03-12-2019 02:40 AM
Hi Guys,
Just wondering if I could get some help with setting up a port forward for a camera system using a Cisco ASA 5506.
Locally the server IP is 192.168.0.5.
The camera system uses port 22609 via local host.
I need to be able to access the camera externally via their camera app, which requires an address and port to be entered in the app.
I believe the way it should look on the app is http://public ip port:80
I have already entered some config but believe it is wrong.
object network CCTV
host 192.168.0.5
object network externalCCTV
host (Public ip)
access-list OUTSIDE_IN extended permit tcp any object CCTV eq 22609
access-list OUTSIDE_IN extended permit tcp any object externalCCTV eq 22609
nat (any,outside) static interface service tcp 22609 22609
Any assistance would be much appreciated.
07-06-2017 11:34 PM
object network CCTV
host 192.168.0.5
Object NAT would work, where w.x.y.z is the public IP you want to use. Or if you only have the outside interface IP available, then you will need to replace it with the word interface.
Object network CCTV
host 192.168.0.5
nat (inside,outside) static w.x.y.z service tcp 22609 22609
access-list OUTSIDE_IN extended permit tcp any object CCTV eq 22609
access-group OUTSIDE_IN in interface outside
07-09-2017 04:23 AM
Hi Grant,
I think I will remove all the commands I have in place already and start fresh. After speaking with the camera company further, they are saying I need to have the public IP on port 5550 and have it set to be NAT'd internally, for which the address is 192.168.0.5.
I also need to open the following port: 22609.
Could you possibly give me an example of a command set to enter to allow the above, keeping in mind this will be a clean slate with the previous commands in my first message removed?
Much appreciated.
07-09-2017 04:50 AM
Are they asking for port 5550 and 22609 to both be forwarded?
07-09-2017 06:07 AM
Thanks Grant, I don't believe so. He just said I need to be able to browse to the public IP on port 5500, for example http://x.w.y.z:5500
07-09-2017 05:09 AM
I think the following if I understand you correctly.
object network OBJ_CCTV
host 192.168.0.5
object network OBJ_CCTV_PUBLIC
host w.x.y.z
object service OBJ_TCP_22609
service tcp source eq 22609
object service OBJ_TCP_5550
service tcp source eq 5550
Note, the nat statements are NOT done under the object, just in config mode.
nat (inside,outside) source static OBJ_CCTV OBJ_CCTV_PUBLIC service OBJ_TCP_22609 OBJ_TCP_22609
nat (inside,outside) source static OBJ_CCTV OBJ_CCTV_PUBLIC service OBJ_TCP_5550 OBJ_TCP_5550
access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV eq 22609
access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV eq 5550
access-group OUTSIDE_IN in interface outside
You could also group the services for a neater ACL.
07-09-2017 04:39 PM
Hi Grant,
When entering the command: nat (inside,outside) source static OBJ_CCTV OBJ_CCTV_PUBLIC service OBJ_TCP_22609 OBJ_TCP_22609
I get the following error:
ERROR: Address (public ip) overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
07-09-2017 07:28 PM
OK, didn't realise you only have 1 public IP (outside).
Try the following using object NAT:
object network OBJ_CCTV_22609
host 192.168.0.5
object network OBJ_CCTV_5550
host 192.168.0.5
object service OBJ_TCP_22609
service tcp source eq 22609
object service OBJ_TCP_5550
service tcp source eq 5550
object network OBJ_CCTV_22609
nat (inside,outside) static Interface service OBJ_TCP_22609 OBJ_TCP_22609
object network OBJ_CCTV_5550
nat (inside,outside) static Interface service OBJ_TCP_5550 OBJ_TCP_5550
access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV_22609 eq 22609
access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV_22609 eq 5550
access-group OUTSIDE_IN in interface outside
07-09-2017 11:08 PM
Hi Grant,
When entering object network OBJ_CCTV_22609
nat (inside,outside) static Interface service OBJ_TCP_22609 OBJ_TCP_22609
I can only put the command in to the point of interface service but not the
OBJ_TCP_22609 OBJ_TCP_22609 part.
After that I have the options Sctp, TCP or udp.
I have attached two screenshots to show you what I mean. Thanks again.
07-10-2017 12:50 AM
In this case I think the following would work -
object network OBJ_CCTV_22609
host 192.168.0.5
nat (inside,outside) static interface service tcp 22609 22609
object network OBJ_CCTV_5550
host 192.168.0.5
nat (inside,outside) static interface service tcp 5550 5550
07-10-2017 04:06 AM
Hi Grant,
After adding the commands I still cannot seem to browse via public on the required port.
Not sure what else it could be. Do you happen to use Skype? It might be easier to communicate. If you have time to further assist, it would be much appreciated.
07-10-2017 04:33 AM
Can you post outputs of
show nat
Also the config as it stands?
(I assume that you have something listening on ports 5550 and 22609 on your internal server? Can you access them internally?
Is it definitely port forwarding you require?)
07-10-2017 08:08 PM
Hi Grant,
I have attached the config and NAT output, also the system information of the camera system, which shows it's using the local host and port 22609. I tried locally accessing the address with the public IP and ports and could not resolve either.
Thanks again.
07-11-2017 08:47 AM
I think you may need to add a manual NAT (section 1) and I would put the preference so it is first NAT hit.
From your config it looks to me like the camera address is being NAT'd higher up.
I am hoping one of the ASA experts can add their thoughts / guidance on here.
07-11-2017 01:18 AM
The address you have given for the camera was 192.168.0.5? Does this sit behind the Data network, from what I can see by your interfaces' IP addresses?
Your nat statement however is saying nat (dmz, outside).
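The mismatch raised in the last reply (the host sits behind one interface while its NAT rule names another as the real interface) can be checked offline against a saved config. This is an added example, not part of the thread: the sample config, its interface addresses and the function name are constructed for illustration, and only directly connected hosts are evaluated.

```python
import ipaddress
import re

# Constructed sample (not the poster's attached config): the camera host sits in
# the "data" subnet, but one of its NAT rules names "dmz" as the real interface.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet1/2
 nameif data
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet1/3
 nameif dmz
 ip address 172.16.0.1 255.255.255.0
object network OBJ_CCTV_22609
 host 192.168.0.5
 nat (dmz,outside) static interface service tcp 22609 22609
object network OBJ_CCTV_5550
 host 192.168.0.5
 nat (data,outside) static interface service tcp 5550 5550
"""

def find_nat_interface_mismatches(config):
    """Return (object, host, nat_real_if, owning_if) for every object NAT rule
    whose real interface is not the one whose subnet contains the host."""
    subnets, hosts, findings = {}, {}, []
    nameif = obj = None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # new interface block
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            subnets[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"object network (\S+)", line):
            obj = m.group(1)
        elif (m := re.match(r"host (\S+)", line)) and obj:
            hosts[obj] = ipaddress.ip_address(m.group(1))
        elif (m := re.match(r"nat \(([^,]+),[^)]+\) static", line)) and obj in hosts:
            owner = next((n for n, net in subnets.items() if hosts[obj] in net), None)
            # Only directly connected hosts are judged; "any" matches every interface.
            if owner and m.group(1) not in ("any", owner):
                findings.append((obj, str(hosts[obj]), m.group(1), owner))
    return findings

if __name__ == "__main__":
    for obj, host, real_if, owner in find_nat_interface_mismatches(SAMPLE_CONFIG):
        print(f"{obj}: {host} is behind '{owner}' but the NAT rule says '{real_if}'")
```

A rule flagged here never matches inbound traffic for the host, so the forwarded port stays closed even when the ACL permits it.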