09-15-2017 06:48 AM - edited 02-21-2020 06:18 AM
Hi everyone!
I have a problem with port forwarding to my IP camera from the Internet. My configuration looks good, but the port forwarding doesn't work from the Internet. Config is below:
interface GigabitEthernet0/0.666
 vlan 666
 nameif IPCAM
 security-level 100
 ip address 10.10.7.129 255.255.255.252
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address xxx.175.123.122 255.255.255.252
object network IPCAM
 host 10.10.7.130
object network IPCAM
 nat (IPCAM,outside) static interface service tcp 8090 8090
access-list gre_allow extended permit tcp any object IPCAM eq 8090
access-group gre_allow in interface outside
FW# packet-tracer input outside tcp 111.11.50.218 8090 xxx.175.123.122 8090
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in xxx.175.123.122 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Version of ASA is 8.6
Can somebody tell me where my mistake is?
09-15-2017 07:10 AM
Hi,
Try to run the packet tracer again, but do not use the firewall IP address.
Try to use the camera IP address.
packet-tracer input outside tcp 111.11.50.218 8090 10.10.7.130 8090
09-15-2017 07:15 AM
Hi Flavio!
Thanks for your reply. When I try to use the camera's IP address, I get DROP on NAT with rpf-check:
FW1# packe input outside tcp 111.11.50.218 8090 10.10.7.130 8090
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.7.128 255.255.255.252 IPCAM
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group gre_allow in interface outside
access-list gre_allow extended permit tcp any host 10.10.7.130 eq 8090
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network IPCAM
nat (IPCAM,outside) static interface service tcp 8090 8090
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: IPCAM
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
09-24-2017 11:42 PM
Hi everyone!
The root cause of the problem was in the NAT rules. My manual NAT blocked my auto NAT, so the solution is to use after-auto in the manual nat command.
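The fix above depends on ASA NAT rule ordering: manual NAT is evaluated first (section 1), then auto/object NAT (section 2), then manual NAT entered with after-auto (section 3). The following is an added example, not part of the thread and not Cisco code: a simplified Python model of that ordering and of the rpf-check comparison between forward and reverse flows. The manual PAT rule is an assumption, since the thread does not show the poster's manual NAT command.

```python
# Simplified model of ASA NAT rule ordering (added example, not ASA code).
# Section 1 = manual NAT, section 2 = auto (object) NAT,
# section 3 = manual NAT entered with "after-auto". First match wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int           # 1, 2 or 3
    real_net: str          # real (pre-NAT) addresses the rule covers
    static_port: int = 0   # mapped TCP port of a static forward, 0 if none

def ordered(rules):
    # sorted() is stable: entry order is kept inside each section.
    return sorted(rules, key=lambda r: r.section)

def untranslate(rules, dst_port):
    """Inbound packet to the outside address: static rule that un-NATs it."""
    return next((r for r in ordered(rules)
                 if r.static_port and r.static_port == dst_port), None)

def reverse_match(rules, real_src):
    """Reply flow from the real host: first rule covering its address."""
    src = ip_address(real_src)
    return next((r for r in ordered(rules)
                 if src in ip_network(r.real_net)), None)

def rpf_check(rules, dst_port, real_host):
    """ALLOW only when forward and reverse flows select the same rule."""
    fwd = untranslate(rules, dst_port)
    rev = reverse_match(rules, real_host)
    verdict = "ALLOW" if fwd is not None and fwd == rev else "DROP"
    return verdict, fwd.name if fwd else None, rev.name if rev else None

# From the thread: the camera's object NAT (section 2).
CAM = NatRule("object IPCAM static tcp 8090", 2, "10.10.7.130/32", 8090)
# Constructed: a catch-all manual dynamic PAT rule is assumed for illustration.
PAT_MANUAL = NatRule("manual dynamic PAT any", 1, "0.0.0.0/0")
PAT_AFTER_AUTO = NatRule("manual dynamic PAT any after-auto", 3, "0.0.0.0/0")

if __name__ == "__main__":
    print("before:", rpf_check([PAT_MANUAL, CAM], 8090, "10.10.7.130"))
    print("after: ", rpf_check([PAT_AFTER_AUTO, CAM], 8090, "10.10.7.130"))
```

On the firewall itself, show nat lists the rules grouped by section, which is the quickest way to see which manual rule sits ahead of the object NAT.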