cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7065
Views
14
Helpful
9
Replies

Setup ASA 5505 Access or NAT Rules to Inside Server/IP Cam

siriussystems
Level 1
Level 1

I'm having trouble setting up the correct rules on an ASA 5505 I'm using in my home office.  I have a couple of IP Cams I need to access remotely.

I've tried setting up simple NAT(PAT) and/or Access Rules, but it hasn't worked.  I have a single dynamic IP for the Outside interface.  Call it 77.76.88.10 and I am using PAT.  The CAM is setup to connect on port 80, but could be configured if necessary.  I've tried setting up NAT Rules using ASDM as follows:

Match Criteria: Original Packet

Source Intf = outside

Dest Intf = inside

Source = any

Destination = CAM (which was defined as 192.168.xx.xx)

Service = Cam Service Obj which was defined as a TCP service on Destination Port/Range = 80, Source Port/Range = 14140 (a unique port to use from Internet)

Action: Translated Packet

Source = Inside (P)

Destination = --Original--

Service = --Original--

What am I missing?  I'm afraid to use CLI only because I am not confident I'll know how to remove changes if I make a mistake.

9 Replies 9

Julio Carvajal
VIP Alumni
VIP Alumni

Hello.

Please share show run Nat?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is show run nat

SiriusASA(config)# show run nat

nat (outside,inside) source dynamic any interface destination static LVNGCAM LVNGCAM service 13130-80 13130-80

!

object network obj_any

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

Do I need to creat Access Rules as well?

Hello Armand,

Yes, and ACL is necessary

access-list outside_in permit tcp any host 192.168.x.x eq 80

access-group outside_in in interface outside

Let me know if this does it, if not then we will need to work on the nat rule

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, so I added the access-list

access-list outside_in extended permit tcp any host 192.168.13.13 eq www

access-list outside_in extended permit tcp any host 192.168.13.13 eq 13130

13130 is the port that I have also configured the cam to accept connections from.  http/80 is also working while I diagnose.

I can't access from internet, only LAN.  I'm testing outside connections from a 4G mobile to eliminate loopback issues.

Maybe my NAT Rules are bad.  I'm a bit uncertain if I've set up the Service correctly.  I have TCP and I'm using Source Port 13130 and Destination Port 80 in an attempt to do port translation.  I could do 13130 on both sides Source and Destination, but I may be doing it all wrong.  I'd like to make sense of the ASMN UI, eventhough we all probably agree CLI commands practically make more sense.

Hello Armand,

Yes, I do not like the nat you have in there,

Please use the following:

object network Inside_cam

host 192.168.xx.xx

object service http

service tcp source eq 80

object service cam_13130

service tcp source eq 13130

nat (inside,outside) 1 source static Inside_cam interface service cam_13130 cam_13130

nat (inside,outside) 2 source static Inside_cam interface service http http

Of course remove the one you had first,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for the guidance.  Unfortunately it still isn't working.  Packet Trace in ASDM shows that access from some known WAN IP address on port 13130 would fail as is also my experience.

It is working on port 80/http eventhough ASDM Packet trace also indicates it would fail. 

I'm confused as I thought we had NAT rules for both ports.  I really only want the obscure high port 13130 to work as I have other inside devices I will need to open similar "pinholes" for.  Do you see anything that is wrong in the below show run nat or show run access-list?

SiriusASA(config)# show run nat

nat (inside,outside) source static Inside_Lcam interface service Lcam_13130 Lcam_13130

nat (inside,outside) source static Inside_Lcam interface service http http

!

object network obj_any

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

SiriusASA(config)# show run access-list

access-list outside_in extended permit tcp any host 192.168.13.13 eq www

access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.13.13

SiriusASA(config)#

Hello Armand,

The configuration looks perfect,

On the packet tracer you need to use the interface Ip address so it should be

packet-tracer input outside tcp 4.2.2.2 1025 outside_interface_ip 13130

Are you doing it like that??

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm using ASDM's packet tracer, but I'm basically doing it like that, but i'm not using port 1025 if that's what your intending by that.

However, I have a bigger issue and our changes couldn't have caused it.

My ASA has been rebooting every 5-20 min today due to low memory.  I notice that all my NAT rules, etc. are gone since they weren't yet written to memory, but the reboots contine.  Having one now less than 5 min before the first.  I'm looking at the ASDM memory graphs i have 209MB used and 52MB free, but then in the console it shows the following during reboot:

CISCO SYSTEMS

Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB

High Memory: 251 MB

PCI Device Table.

Bus Dev Func VendID DevID Class              Irq

00  01  00   1022   2080  Host Bridge

00  01  02   1022   2082  Chipset En/Decrypt 11

00  0C  00   1148   4320  Ethernet           11

00  0D  00   177D   0003  Network En/Decrypt 10

00  0F  00   1022   2090  ISA Bridge

00  0F  02   1022   2092  IDE Controller

00  0F  03   1022   2093  Audio              10

00  0F  04   1022   2094  Serial Bus         9

00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...

Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 9 seconds.

CISCO SYSTEMS

Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB

High Memory: 251 MB

PCI Device Table.

Bus Dev Func VendID DevID Class              Irq

00  01  00   1022   2080  Host Bridge

00  01  02   1022   2082  Chipset En/Decrypt 11

00  0C  00   1148   4320  Ethernet           11

00  0D  00   177D   0003  Network En/Decrypt 10

00  0F  00   1022   2090  ISA Bridge

00  0F  02   1022   2092  IDE Controller

00  0F  03   1022   2093  Audio              10

00  0F  04   1022   2094  Serial Bus         9

00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...

Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Launching BootLoader...

Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa844-1-k8.bin... Booting...

Platform ASA5505

Loading...

IO memory blocks requested from bigphys 32bit: 9672

dosfsck 2.11, 12 Mar 2005, FAT32, LFN

Starting check/repair pass.

Starting verification pass.

/dev/hda1: 148 files, 21841/62142 clusters

dosfsck(/dev/hda1) returned 0

Processor memory 109051904, Reserved memory: 41943040

Total SSMs found: 0

Total NICs found: 10

88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002

88E6095 rev 2 Ethernet @ index 08 MAC: 0025.8451.627d

88E6095 rev 2 Ethernet @ index 07 MAC: 0025.8451.627c

88E6095 rev 2 Ethernet @ index 06 MAC: 0025.8451.627b

88E6095 rev 2 Ethernet @ index 05 MAC: 0025.8451.627a

88E6095 rev 2 Ethernet @ index 04 MAC: 0025.8451.6279

88E6095 rev 2 Ethernet @ index 03 MAC: 0025.8451.6278

88E6095 rev 2 Ethernet @ index 02 MAC: 0025.8451.6277

88E6095 rev 2 Ethernet @ index 01 MAC: 0025.8451.6276

y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0025.8451.627e

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06

Verify the activation-key, it might take a while...

Running Permanent Activation Key: 0x7e1eeb73 0xc43bab04 0xecb37134 0x83ccbcf0 0x                                             440e20bf

Licensed features for this platform:

Maximum Physical Interfaces       : 8              perpetual

VLANs                             : 3              DMZ Restricted

Dual ISPs                         : Disabled       perpetual

VLAN Trunk Ports                  : 0              perpetual

Inside Hosts                      : 50             perpetual

Failover                          : Disabled       perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Cisco Adaptive Security Appliance Software Version 8.4(4)1

  ****************************** Warning *******************************

  This product contains cryptographic features and is

  subject to United States and local country laws

  governing, import, export, transfer, and use.

  Delivery of Cisco cryptographic products does not

  imply third-party authority to import, export,

  distribute, or use encryption. Importers, exporters,

  distributors and users are responsible for compliance

  with U.S. and local country laws. By using this

  product you agree to comply with applicable laws and

  regulations. If you are unable to comply with U.S.

  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic

  products may be found at:

  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by

  sending email to export@cisco.com.

  ******************************* Warning ******************************

Copyright (c) 1996-2012 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.

                170 West Tasman Drive

                San Jose, California 95134-1706

Reading from flash...

!!...

Cryptochecksum (unchanged): b939fc3b d3fc75c0 c4da4385 5cde1ca9

Type help or '?' for a list of available commands.

SiriusASA> DHCP Client: can't enable DHCP Client when DHCP Server/Relay                                                      ng on the interface.

DHCP: Interface 'inside' is currently configured as SERVER and cannot be  

Hello Armand,

I would recommend you to open a TAC case so we can assist you on this memory leak issue.

This is difficult to troubleshoot over a forum as we will need a lot of different outputs ( some of them are huge)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: