Portforwarding in Pix 501

Tmhoang21
Level 1

Hello, I'm having a problem with port forwarding/redirection on the PIX 501.

I'm trying to open ports 49003 and 40085 in order to view our DVR remotely, and I'm not exactly sure how to do it.

Accepted Solution

Ah sorry my bad.

You are missing the parameter "host" from the ACLs

Insert these again

access-list OUTSIDE-IN permit tcp any host 76.205.229.61 eq 49003

access-list OUTSIDE-IN permit tcp any host 76.205.229.61 eq 40085

access-list OUTSIDE-IN permit udp any host 76.205.229.61 eq 49003

access-list OUTSIDE-IN permit udp any host 76.205.229.61 eq 40085

access-group OUTSIDE-IN in interface outside

Also the error messages with the NAT were shown since you inserted the already existing NAT configurations again.

- Jouni

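As an added example (not from the thread or from Cisco), a small Python checker that reads the kind of static, access-list and access-group lines discussed above and reports two things that went wrong here: an ACE written without "host" in front of a single IP (the PIX rejects it with "invalid IP address eq"), and a tcp/udp static forward that no ACL bound inbound on its mapped interface actually permits. The map from interface name to IP, used to resolve the "interface" keyword, is an assumption you would take from the running config; the sample config at the bottom is constructed.

```python
import re
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_address(tokens, i):
    """Parse one ACE address clause; return (address, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return tokens[i + 1], i + 2
    if IP_RE.match(tok) and i + 1 < len(tokens) and IP_RE.match(tokens[i + 1]):
        return f"{tok}/{tokens[i + 1]}", i + 2      # network/mask pair
    # Bare IP followed by "eq": "host" was forgotten ("ERROR: invalid IP address eq")
    raise ValueError(f"'{tok}' needs 'host' before it or a netmask after it")

def audit_forwards(config, iface_ips):
    """Findings for each tcp/udp static forward vs. the ACL bound inbound on its
    mapped interface; iface_ips resolves the 'interface' keyword (assumed known)."""
    forwards, aces, bound, findings = [], [], {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 6 and t[0] == "static" and t[2] in ("tcp", "udp"):
            ifc = t[1].strip("()").split(",")[1]
            pub = iface_ips.get(ifc, "?") if t[3] == "interface" else t[3]
            forwards.append((ifc, t[2], pub, t[4], t[5], t[6]))
        elif len(t) > 4 and t[0] == "access-list" and t[2] == "permit":
            try:
                _, i = parse_address(t, 4)          # source clause
                dst, i = parse_address(t, i)        # destination clause
                port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
                aces.append((t[1], t[3], dst, port))
            except (ValueError, IndexError) as e:
                findings.append(f"rejected ACE: {line.strip()} ({e})")
        elif len(t) > 4 and t[0] == "access-group" and t[2] == "in":
            bound[t[4]] = t[1]                      # interface -> ACL name
    for ifc, proto, pub, mport, rip, rport in forwards:
        acl = bound.get(ifc)
        if acl is None:   # nothing bound inbound: the PIX drops the flow by default
            findings.append(f"{proto}/{mport}: no ACL bound in on {ifc}")
        elif not any(n == acl and p in (proto, "ip") and d in ("any", pub)
                     and pt in (None, mport) for n, p, d, pt in aces):
            findings.append(f"{proto}/{mport} -> {rip}:{rport} not permitted by {acl}")
    return findings
# Constructed sample mirroring the thread; the udp ACE lacks "host".
SAMPLE = """\
static (inside,outside) tcp interface 49003 192.168.4.161 49003 netmask 255.255.255.255
static (inside,outside) udp interface 40085 192.168.4.161 40085 netmask 255.255.255.255
access-list OUTSIDE-IN permit tcp any host 76.205.229.61 eq 49003
access-list OUTSIDE-IN permit udp any 76.205.229.61 eq 40085
access-group OUTSIDE-IN in interface outside
"""
```

Running audit_forwards(SAMPLE, {"outside": "76.205.229.61"}) reports the rejected udp ACE and then that the udp/40085 forward is not permitted by OUTSIDE-IN; drop the access-group line and every forward is instead reported as having no ACL bound inbound.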

11 Replies

Jouni Forss
VIP Alumni

Hi,

The format should be something like this:

static (inside,outside) tcp interface 49003 49003 netmask 255.255.255.255

static (inside,outside) tcp interface 40085 40085 netmask 255.255.255.255

And allow them on the ACL:

access-list OUTSIDE-IN permit tcp any eq 49003

access-list OUTSIDE-IN permit tcp any eq 40085

ACL and interface names are just examples.

- Jouni

The local IP would be the DVR, right?

Yeah, it's the real IP address of the host.

The "interface" before it specifies that the IP address of the "outside" interface would be used as the public IP address towards Internet.

If you had a spare public IP address just for this device then you could simply configure

static (inside,outside) netmask 255.255.255.255

- Jouni

So the commands should look similar to this:

static (inside,outside) tcp interface 49003 192.168.5.100 49003 netmask 255.255.255.255

static (inside,outside) tcp interface 40085 192.168.5.100 40085 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any 76.205.230.51 eq 49003

access-list OUTSIDE-IN permit tcp any 76.205.230.51 eq 40085

Yes, if the services needed to be forwarded were TCP/49003 and TCP/40085.

Remember that if you already have an ACL attached to the "outside" interface then you can use that ACL in the configurations.

If you have NO ACL attached to the "outside" interface before this, then you will also need this command to attach the ACL:

access-group OUTSIDE-IN in interface outside

- Jouni

Hi,

To answer the message you sent.

For UDP the "static" commands follow the same logic.

You don't seem to have an ACL on the "outside" interface at the moment, so you should be able to add these with your IP address information inserted.

static (inside,outside) tcp interface 49003 49003 netmask 255.255.255.255

static (inside,outside) tcp interface 40085 40085 netmask 255.255.255.255

static (inside,outside) udp interface 49003 49003 netmask 255.255.255.255

static (inside,outside) udp interface 40085 40085 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any eq 49003

access-list OUTSIDE-IN permit tcp any eq 40085

access-list OUTSIDE-IN permit udp any eq 49003

access-list OUTSIDE-IN permit udp any eq 40085

access-group OUTSIDE-IN in interface outside

- Jouni

It gave me:

Result of firewall command: "static (inside,outside) tcp interface 49003 192.168.4.161 49003 netmask 255.255.255.255"

ERROR: duplicate of existing static

    tcp from inside:192.168.4.161/49003 to outside:76.205.229.61/49003 netmask 255.255.255.255

Usage:          [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

Command failed

Result of firewall command: ""

Result of firewall command: "static (inside,outside) tcp interface 40085 192.168.4.161 40085 netmask 255.255.255.255"

ERROR: duplicate of existing static

    tcp from inside:192.168.4.161/40085 to outside:76.205.229.61/40085 netmask 255.255.255.255


Command failed

Result of firewall command: ""

Result of firewall command: "static (inside,outside) udp interface 49003 192.168.4.161 49003 netmask 255.255.255.255"

Result of firewall command: ""

Result of firewall command: "static (inside,outside) udp interface 40085 192.168.4.161 40085 netmask 255.255.255.255"

Result of firewall command: ""

Result of firewall command: " "

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit tcp any 76.205.229.61 eq 49003"

ERROR: invalid IP address eq

Usage:          [no] access-list compiled

[no] access-list deny-flow-max

[no] access-list alert-interval

[no] access-list object-group-search

[no] access-list compiled

[no] access-list [line ] remark

[no] access-list [line ] deny|permit

|object-group

| interface | object-group

[ [] | object-group ]

| interface | object-group

[ [] | object-group ]

[log [disable|default] | [] [interval ]]

[no] access-list [line ] deny|permit icmp

| interface | object-group

| interface | object-group

[ | object-group ]

[log [disable|default] | [] [interval ]]

Restricted ACLs for route-map use:

[no] access-list deny|permit {any | | host

}

Command failed

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit tcp any 76.205.229.61 eq 40085"

ERROR: invalid IP address eq


Command failed

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit udp any 76.205.229.61 eq 49003"

ERROR: invalid IP address eq


Command failed

Result of firewall command: ""

Result of firewall command: "access-list OUTSIDE-IN permit udp any 76.205.229.61 eq 40085"

ERROR: invalid IP address eq


Command failed

Result of firewall command: ""

Result of firewall command: " "

Result of firewall command: ""

Result of firewall command: "access-group OUTSIDE-IN in interface outside"

ERROR: access-list does not exist

Usage:          [no] access-group in interface [per-user-override]

Command failed

I got it, thanks!!!!

Hi,

Can you please keep the questions here on the forums. I would prefer everyone see the whole discussion so they might get the help they need also when/if they happen to read the discussion. Naturally, if there is some information that is private you can always send that as a message, but please keep the questions here on the discussion.

You say that you tested the connections from canyouseeme.org and that you were given the reason that the connection was refused.

This tells us that some device is actively refusing the connection.

Since the firewall now has rules that do the port forward and allow the traffic through with the ACL it might mean that the actual device is refusing the connections. Is there possibly some settings on the actual device in the LAN network that need to be changed to allow connections from remote networks?

To my understanding, Cisco firewalls by default let blocked connections time out rather than refuse/reset them. This would furthermore lead me to believe that the above situation is true: that the actual device in the LAN (or some other device) is blocking the connection and sending a TCP Reset to whoever is trying to connect.

You also asked if this could be applied to other sites. I don't see why not. You will first have to define the configurations that are needed to make it work. After that I don't see a problem with using the same concept at every site.

Though in your configuration it seemed the other site gets its public IP address through DHCP. Therefore you naturally can't use a public IP address on the ACL as it might change, unless the ISP has statically mapped the public IP address to your PIX firewall "outside" interface MAC address.

- Jouni

Let us know if it worked out.

If it did, please mark the question as answered.

Or, if needed, ask more.

- Jouni

