Port Forwarding ASA 8.6

Viktor S
Level 1

Hi everyone!

 

I have a problem with port forwarding to my IP camera from the Internet. My configuration looks good, but the port forwarding doesn't work from the Internet. Config is below:

 

Interface GigabitEthernet0/0.666
vlan 666
nameif IPCAM
security-level 100
ip address 10.10.7.129 255.255.255.252

interface GigabitEthernet0/2
nameif outside
security-level 0
ip address xxx.175.123.122 255.255.255.252


object network IPCAM
host 10.10.7.130

object network IPCAM
nat (IPCAM,outside) static interface service tcp 8090 8090

access-list gre_allow extended permit tcp any object IPCAM eq 8090

access-group gre_allow in interface outside

 


FW# packet-tracer input outside tcp 111.11.50.218 8090 xxx.175.123.122 8090

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in xxx.175.123.122 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Version of ASA is 8.6

 

 

Can somebody tell me where my mistake is?

1 Accepted Solution

Accepted Solutions

Hi everyone!

 

The root cause of the problem was in the NAT rules. My manual NAT blocked my auto NAT, so the solution is to use after-auto in the manual nat command.
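
The accepted solution relies on ASA NAT ordering: manual NAT without after-auto is section 1, object (auto) NAT is section 2, and manual NAT with after-auto is section 3, evaluated in that order. The following is an added example, not code from the thread: a Python check that flags section-1 manual rules evaluated before an object static NAT on the same interface pair. The manual NAT line in the sample and the function names are assumptions, since the poster's manual rule is not shown.

```python
import re

# Constructed sample. The object NAT is the one posted in the thread; the manual
# NAT line is hypothetical, because the poster's manual rule is not shown.
BROKEN = """\
nat (IPCAM,outside) source dynamic any interface
object network IPCAM
 nat (IPCAM,outside) static interface service tcp 8090 8090
"""
# Same manual rule moved to section 3 with after-auto, as in the accepted solution.
FIXED = BROKEN.replace("outside) source", "outside) after-auto source")

NAT_RE = re.compile(
    r"^\s*nat \(([^,\s]+),([^)\s]+)\)\s+(after-auto\s+)?(?:\d+\s+)?(source\s+)?(\S+)")

def parse_nat(config):
    """Classify each nat line into ASA NAT section 1, 2 or 3."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real, mapped, after_auto, source, kind = m.groups()
        if source is None:
            section = 2                       # object (auto) NAT
        else:
            section = 3 if after_auto else 1  # manual NAT
        rules.append({"section": section, "real": real, "mapped": mapped,
                      "kind": kind, "text": line.strip()})
    return rules

def same_pair(a, b):
    """Interface pairs overlap if each side is equal or one side is 'any'."""
    return all(x == y or "any" in (x, y)
               for x, y in ((a["real"], b["real"]), (a["mapped"], b["mapped"])))

def shadow_candidates(config):
    """Pair each object static NAT with section-1 manual rules evaluated before it."""
    rules = parse_nat(config)
    return [(auto["text"], man["text"])
            for auto in rules if auto["section"] == 2 and auto["kind"] == "static"
            for man in rules if man["section"] == 1 and same_pair(auto, man)]

if __name__ == "__main__":
    for auto, manual in shadow_candidates(BROKEN):
        print(f"review: '{manual}' is evaluated before '{auto}'")
```

A hit is only a candidate for review, because the check compares interface pairs and not the rule's source and destination objects.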


3 Replies

Hi,

Try to run the packet tracer again, but do not use the firewall IP address.

Try to use the camera IP address.

packet-tracer input outside tcp 111.11.50.218 8090  10.10.7.130 8090

Hi Flavio!

 

Thanks for your reply. When I try to use the camera's IP address, I get DROP on NAT with rpf-check:

 

FW1# packe input outside tcp 111.11.50.218 8090 10.10.7.130 8090

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.7.128 255.255.255.252 IPCAM

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group gre_allow in interface outside
access-list gre_allow extended permit tcp any host 10.10.7.130 eq 8090
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network IPCAM
nat (IPCAM,outside) static interface service tcp 8090 8090
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: IPCAM
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 
