port forward for camera system

travis.carter
Level 1

Hi Guys,

Just wondering if I could get some help with setting up a port forward for a camera system using a Cisco ASA 5506.

Locally the server IP is 192.168.0.5.

The camera system uses port 22609 via localhost.

I need to be able to access the camera externally via their camera app, which requires an address and port to be entered in the app.

I believe the way it should look on the app is http://public ip port:80

I have already entered some config but believe it is wrong.

object network CCTV
host 192.168.0.5

object network externalCCTV
host (Public ip)

access-list OUTSIDE_IN extended permit tcp any object CCTV eq 22609
access-list OUTSIDE_IN extended permit tcp any object externalCCTV eq 22609

nat (any,outside) static interface service tcp 22609 22609

Any assistance would be much appreciated.

14 Replies

GRANT3779
Spotlight

object network CCTV
host 192.168.0.5


Object NAT would work, where w.x.y.z is the public IP you want to use. Or if you only have the outside interface IP available, then you will need to replace it with the word interface.

Object network CCTV
host 192.168.0.5
nat (inside,outside) static w.x.y.z service tcp 22609 22609


access-list OUTSIDE_IN extended permit tcp any object CCTV eq 22609

access-group OUTSIDE_IN in interface outside

Hi Grant,

I think I will remove all the commands I have in place already and start fresh. After speaking with the camera company further, they are saying I need to have the public IP on port 5550 and have it set to be NAT'd internally, where the address is 192.168.0.5.

I also need to open the following port: 22609.

Could you possibly give me an example of a command set to enter to allow the above, keeping in mind this will be a clean slate with the previous commands in my first message removed?

Much appreciated.

Are they asking for port 5550 and 22609 to both be forwarded?

Thanks Grant, I don't believe so; he just said I need to be able to browse to the public IP on port 5500, for example http://x.w.y.z:5500

I think the following if I understand you correctly.

object network OBJ_CCTV
host 192.168.0.5

object network OBJ_CCTV_PUBLIC
host w.x.y.z

object service OBJ_TCP_22609
service tcp source eq 22609

object service OBJ_TCP_5550
service tcp source eq 5550


Note, the nat statements are NOT done under the object. Just in config mode


nat (inside,outside) source static OBJ_CCTV OBJ_CCTV_PUBLIC service OBJ_TCP_22609 OBJ_TCP_22609

nat (inside,outside) source static OBJ_CCTV OBJ_CCTV_PUBLIC service OBJ_TCP_5550 OBJ_TCP_5550

access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV eq 22609

access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV eq 5550

access-group OUTSIDE_IN in interface outside

You could also group the services for a neater ACL.

Hi Grant,

When entering the command: nat (inside,outside) source static OBJ_CCTV OBJ_CCTV_PUBLIC service OBJ_TCP_22609 OBJ_TCP_22609

I get the following error:

ERROR: Address (public ip) overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

OK, didn't realise you only have 1 public IP (outside).

Try the following using object NAT:


object network OBJ_CCTV_22609
host 192.168.0.5

object network OBJ_CCTV_5550
host 192.168.0.5

object service OBJ_TCP_22609
service tcp source eq 22609

object service OBJ_TCP_5550
service tcp source eq 5550


object network OBJ_CCTV_22609
nat (inside,outside) static Interface service OBJ_TCP_22609 OBJ_TCP_22609

object network OBJ_CCTV_5550
nat (inside,outside) static Interface service OBJ_TCP_5550 OBJ_TCP_5550

access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV_22609 eq 22609

access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV_22609 eq 5550

access-group OUTSIDE_IN in interface outside

Hi Grant,

When entering

object network OBJ_CCTV_22609
nat (inside,outside) static Interface service OBJ_TCP_22609 OBJ_TCP_22609

I can only enter the command up to the point of interface service, but not the OBJ_TCP_22609 OBJ_TCP_22609 part. After that I have the options sctp, tcp or udp.

I have attached two screenshots to show you what I mean. Thanks again.

In this case I think the following would work -

object network OBJ_CCTV_22609
host 192.168.0.5
nat (inside,outside) static interface service tcp 22609 22609

object network OBJ_CCTV_5550
host 192.168.0.5
nat (inside,outside) static interface service tcp 5550 5550

Hi Grant,

After adding the commands I still cannot seem to browse via the public IP on the required port.

Not sure what else it could be. Do you happen to use Skype? It might be easier to communicate. If you have time to further assist, it would be much appreciated.

Can you post the output of

show nat

Also the config as it stands?

(I assume that you have something listening on ports 5550 and 22609 on your internal server? Can you access them internally?

Is it definitely port forwarding you require?)

Hi Grant,

I have attached the config and NAT output, also the system information of the camera system, which shows it's using localhost and port 22609. I tried locally accessing the address with the public IP and ports and could not resolve either.

Thanks again. 

I think you may need to add a manual NAT (section 1), and I would set the preference so it is the first NAT hit.

From your config it looks to me like the camera address is being NAT'd higher up.

I am hoping one of the ASA experts can add their thoughts / guidance on here.

The address you have given for the camera was 192.168.0.5? Does this sit behind the Data network, from what I can see by your interfaces' IP addresses?

Your nat statement, however, is saying nat (dmz, outside).
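
Added example, not part of the thread and not Cisco tooling: a small Python check for the two problems raised in this discussion, an object NAT port forward whose real interface does not match the network the host sits on, and a forward with no ACL permit for the real (pre-NAT) address. The interface names `data` and `dmz`, the 10.10.10.0/24 subnet and the sample config are constructed for illustration; the function name is hypothetical.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attached config).
SAMPLE = """\
interface GigabitEthernet1/2
 nameif data
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet1/3
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
object network OBJ_CCTV_22609
 host 192.168.0.5
 nat (data,outside) static interface service tcp 22609 22609
object network OBJ_CCTV_5550
 host 192.168.0.5
 nat (dmz,outside) static interface service tcp 5550 5550
access-list OUTSIDE_IN extended permit tcp any object OBJ_CCTV_22609 eq 22609
"""

def check_port_forwards(config):
    """Return (object, finding) pairs for object-NAT TCP port forwards."""
    nets, hosts, nats, permits = {}, {}, [], set()
    nameif = obj = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif m := re.match(r"ip address (\d[\d.]+) (\d[\d.]+)", line):
            nets[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"object network (\S+)$", line):
            obj = m[1]
        elif m := re.match(r"host (\d[\d.]+)$", line):
            hosts[obj] = ipaddress.ip_address(m[1])
        elif (m := re.match(r"nat \((\w+),(\w+)\) static \S+ service tcp (\d+) (\d+)$",
                            line)) and obj in hosts:
            nats.append((obj, m[1], int(m[3])))  # object, real interface, real port
        elif m := re.match(r"access-list \S+ extended permit tcp any "
                           r"(?:object|host) (\S+) eq (\d+)$", line):
            permits.add((m[1], int(m[2])))
    findings = []
    for name, real_if, real_port in nats:
        addr = hosts[name]
        if addr not in nets.get(real_if, ()):
            actual = [n for n, net in nets.items() if addr in net]
            findings.append((name, f"host {addr} is behind "
                             f"{', '.join(actual) or 'no interface'}, not '{real_if}'"))
        # Since ASA 8.3 the outside ACL must permit the real (pre-NAT) address and port.
        allowed = {hosts.get(t, t) for t, p in permits if p == real_port}
        if addr not in allowed and str(addr) not in allowed:
            findings.append((name, f"no ACL permit for {addr} tcp/{real_port}"))
    return findings
```

On the ASA itself, `show nat` hit counters confirm whether a rule is actually being matched.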
