Setup ASA 5505 Access or NAT Rules to Inside Server/IP Cam
10-26-2012 11:45 AM - edited 03-11-2019 05:14 PM
I'm having trouble setting up the correct rules on an ASA 5505 I'm using in my home office. I have a couple of IP cams I need to access remotely.
I've tried setting up simple NAT (PAT) and/or Access Rules, but it hasn't worked. I have a single dynamic IP for the Outside interface. Call it 77.76.88.10, and I am using PAT. The cam is set up to listen on port 80, but could be reconfigured if necessary. I've tried setting up NAT Rules using ASDM as follows:
Match Criteria: Original Packet
Source Intf = outside
Dest Intf = inside
Source = any
Destination = CAM (which was defined as 192.168.xx.xx)
Service = Cam Service Obj which was defined as a TCP service on Destination Port/Range = 80, Source Port/Range = 14140 (a unique port to use from Internet)
Action: Translated Packet
Source = Inside (P)
Destination = --Original--
Service = --Original--
What am I missing? I'm afraid to use CLI only because I am not confident I'll know how to remove changes if I make a mistake.
Labels: NGFW Firewalls
10-26-2012 12:38 PM
Hello.
Please share your show run nat?
Regards,
Julio
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
10-27-2012 05:39 PM
Here is show run nat:
SiriusASA(config)# show run nat
nat (outside,inside) source dynamic any interface destination static LVNGCAM LVNGCAM service 13130-80 13130-80
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
Do I need to create Access Rules as well?
10-27-2012 05:47 PM
Hello Armand,
Yes, an ACL is necessary:
access-list outside_in permit tcp any host 192.168.x.x eq 80
access-group outside_in in interface outside
Let me know if this does it; if not, then we will need to work on the NAT rule.
Regards,
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
10-27-2012 07:04 PM
OK, so I added the access-list:
access-list outside_in extended permit tcp any host 192.168.13.13 eq www
access-list outside_in extended permit tcp any host 192.168.13.13 eq 13130
13130 is the port that I have also configured the cam to accept connections on. http/80 is also working while I diagnose.
I can't access it from the Internet, only from the LAN. I'm testing outside connections from a 4G mobile to eliminate loopback issues.
Maybe my NAT rules are bad. I'm a bit uncertain if I've set up the Service correctly. I have TCP and I'm using Source Port 13130 and Destination Port 80 in an attempt to do port translation. I could do 13130 on both sides, Source and Destination, but I may be doing it all wrong. I'd like to make sense of the ASDM UI, even though we all probably agree CLI commands practically make more sense.
10-27-2012 11:27 PM
Hello Armand,
Yes, I do not like the NAT you have in there.
Please use the following:
object network Inside_cam
host 192.168.xx.xx
object service http
service tcp source eq 80
object service cam_13130
service tcp source eq 13130
nat (inside,outside) 1 source static Inside_cam interface service cam_13130 cam_13130
nat (inside,outside) 2 source static Inside_cam interface service http http
Of course, remove the one you had first.
Regards,
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
10-28-2012 04:23 PM
Thank you for the guidance. Unfortunately it still isn't working. Packet Trace in ASDM shows that access from some known WAN IP address on port 13130 would fail, which is also my experience.
It is working on port 80/http, even though ASDM Packet Trace also indicates it would fail.
I'm confused, as I thought we had NAT rules for both ports. I really only want the obscure high port 13130 to work, as I have other inside devices I will need to open similar "pinholes" for. Do you see anything that is wrong in the below show run nat or show run access-list?
SiriusASA(config)# show run nat
nat (inside,outside) source static Inside_Lcam interface service Lcam_13130 Lcam_13130
nat (inside,outside) source static Inside_Lcam interface service http http
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
SiriusASA(config)# show run access-list
access-list outside_in extended permit tcp any host 192.168.13.13 eq www
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.13.13
SiriusASA(config)#
10-28-2012 05:05 PM
Hello Armand,
The configuration looks perfect.
On the packet tracer you need to use the interface IP address, so it should be:
packet-tracer input outside tcp 4.2.2.2 1025 outside_interface_ip 13130
Are you doing it like that??
Regards,
Julio
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
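To pull the pieces of this thread together, here is an added example (my own, not Julio's or the original poster's config) of the full set of ASA 8.4 commands for one camera reachable on an obscure outside port, with the ACL written the way post-8.3 code expects and the packet-tracer check Julio describes. It does the port translation the original poster first asked for (outside 13130 to camera 80), which Julio's version does not. The object names, the camera address 192.168.13.13, port 13130, the outside address 77.76.88.10 and the trusted remote network 203.0.113.0/24 are placeholders taken from or invented for this example.

```cisco
! Added example, not from the thread. ASA 8.4 syntax.
! Placeholders: object names, 192.168.13.13, 13130, 77.76.88.10, 203.0.113.0/24.
object network Inside_Lcam
 host 192.168.13.13
!
! In an (inside,outside) static rule the service object's "source" port is the
! real host's port, because the inside host is the source in that direction.
! Mapping outside port 13130 to the camera's port 80 therefore needs two objects:
object service Lcam_real
 service tcp source eq 80
object service Lcam_mapped
 service tcp source eq 13130
!
! Real object and real service come first, mapped object and mapped service second:
! <outside interface IP>:13130  ->  192.168.13.13:80
nat (inside,outside) 1 source static Inside_Lcam interface service Lcam_real Lcam_mapped
!
! Since 8.3 the interface ACL matches the real (untranslated) destination and
! port, so the pinhole is written against the camera and port 80, not 13130.
! Restricting the source to a known network instead of "any" keeps the camera's
! web UI off the open Internet; widen it only if the remote address is unknown.
object network Trusted_Remote
 subnet 203.0.113.0 255.255.255.0
access-list outside_in extended permit tcp object Trusted_Remote object Inside_Lcam eq www
access-group outside_in in interface outside
!
! Verification: the destination is the outside interface's current public IP and
! the MAPPED port; the source is any outside host and an ephemeral port.
packet-tracer input outside tcp 203.0.113.5 40000 77.76.88.10 13130
!
! The thread's rules disappeared on reboot because they were never saved.
write memory
```

The packet-tracer output should show the UN-NAT phase rewriting the destination to 192.168.13.13/80 and the ACCESS-LIST phase matching outside_in; tracing against the camera's private address instead of the outside interface IP is the usual reason the simulated packet is dropped while real traffic works. If the ACL is allowed from `any`, the only thing between the Internet and the camera's web login is the obscurity of port 13130, which a port scan removes in seconds, so the source restriction above is worth keeping wherever the remote address is predictable.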
10-29-2012 12:12 PM
I'm using ASDM's packet tracer, and I'm basically doing it like that, but I'm not using port 1025, if that's what you're intending by that.
However, I have a bigger issue, and our changes couldn't have caused it.
My ASA has been rebooting every 5-20 min today due to low memory. I notice that all my NAT rules, etc. are gone since they weren't yet written to memory, but the reboots continue. Having one now, less than 5 min after the first. Looking at the ASDM memory graphs, I have 209MB used and 52MB free, but then in the console it shows the following during reboot:
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 9 seconds.
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 251 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading /asa844-1-k8.bin... Booting...
Platform ASA5505
Loading...
IO memory blocks requested from bigphys 32bit: 9672
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 148 files, 21841/62142 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 109051904, Reserved memory: 41943040
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0025.8451.627d
88E6095 rev 2 Ethernet @ index 07 MAC: 0025.8451.627c
88E6095 rev 2 Ethernet @ index 06 MAC: 0025.8451.627b
88E6095 rev 2 Ethernet @ index 05 MAC: 0025.8451.627a
88E6095 rev 2 Ethernet @ index 04 MAC: 0025.8451.6279
88E6095 rev 2 Ethernet @ index 03 MAC: 0025.8451.6278
88E6095 rev 2 Ethernet @ index 02 MAC: 0025.8451.6277
88E6095 rev 2 Ethernet @ index 01 MAC: 0025.8451.6276
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0025.8451.627e
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x7e1eeb73 0xc43bab04 0xecb37134 0x83ccbcf0 0x 440e20bf
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Cisco Adaptive Security Appliance Software Version 8.4(4)1
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning ******************************
Copyright (c) 1996-2012 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!...
Cryptochecksum (unchanged): b939fc3b d3fc75c0 c4da4385 5cde1ca9
Type help or '?' for a list of available commands.
SiriusASA> DHCP Client: can't enable DHCP Client when DHCP Server/Relay ng on the interface.
DHCP: Interface 'inside' is currently configured as SERVER and cannot be
10-29-2012 12:27 PM
Hello Armand,
I would recommend you open a TAC case so we can assist you with this memory leak issue.
This is difficult to troubleshoot over a forum, as we will need a lot of different outputs (some of them are huge).
Regards,
Julio
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
