surveillance camera and ASA 5505

Marco Grazioli
Level 1

Hi everybody,

I have an IP surveillance camera (192.168.1.125 on port 81) behind an ASA 5505 firewall.

The outside interface (192.168.0.1) is reachable via a public address; the inside interface has a private address, 192.168.1.254.

I made a Static Route to reach the camera:

static (inside,outside) tcp interface 81 192.168.1.125 81 netmask 255.255.255.255 0 0

I made an access list on outside interface to reach the camera:

access-list acl_outbound permit tcp any host 192.168.0.1 eq 81

From the public address I'm able to reach the camera, but I can't see the video stream.

Camera support told me to open port 8554, so I opened this port:

access-list acl_outbound permit tcp any host 192.168.0.1 eq 8554

access-list acl_outbound permit udp any host 192.168.0.1 eq 8554

But no video stream is available, so I also tried:

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq 8554

access-list acl_inbound permit udp 192.168.1.0 255.255.255.0 any eq 8554

The problem is: how do I see this video stream?

Thanks for your help.

Marco


Andrew Phirsov
Level 7

Is any dynamic NAT configured on that ASA? I mean that the video stream, when it leaves the camera, does not use port 81 as its source but some range of other ports. So, if you have no dynamic translations from inside to outside, the video-stream packets won't be translated to the public IP address and will be dropped.

Dear Andrew, this is the dynamic NAT configured:

nat (inside) 1 0.0.0.0 0.0.0.0

Tagir Temirgaliyev
Spotlight

What is the OS version? 8.2 or 8.4?

The OS version is 8.2.

jocamare
Level 4

What type of camera are we talking about?

What protocol does it use?

Are you supposed to get the video stream when connecting to the camera as if it were a server?

Do you see any logs on the ASA about traffic getting dropped by it?

This is the log on the ASA. x.x.x.x is my home IP, the camera is in my office, and 192.168.1.125 is the camera's private IP.

Severity|Date|Time|Syslog ID|Source IP|Source port|Dest. IP|Dest. Port|Description

6|Mar 09 2013|10:18:10|302014|x.x.x.x|49767|192.168.1.125|81|Teardown TCP connection 166780 for outside:x.x.x.x/49767 to inside:192.168.1.125/81 duration 0:00:00 bytes 830 TCP FINs

6|Mar 09 2013|10:18:09|302013|x.x.x.x|49767|192.168.1.125|81|Built inbound TCP connection 166780 for outside:x.x.x.x/49767 (x.x.x.x/49767) to inside:192.168.1.125/81 (192.168.0.1/81)

6|Mar 09 2013|10:17:59|302014|x.x.x.x|49764|192.168.1.125|81|Teardown TCP connection 166778 for outside:x.x.x.x/49764 to inside:192.168.1.125/81 duration 0:00:00 bytes 830 TCP FINs

6|Mar 09 2013|10:17:58|302013|x.x.x.x|49764|192.168.1.125|81|Built inbound TCP connection 166778 for outside:x.x.x.x/49764 (x.x.x.x/49764) to inside:192.168.1.125/81 (192.168.0.1/81)

6|Mar 09 2013|10:17:48|302014|x.x.x.x|49763|192.168.1.125|81|Teardown TCP connection 166777 for outside:x.x.x.x/49763 to inside:192.168.1.125/81 duration 0:00:00 bytes 948 TCP FINs

6|Mar 09 2013|10:17:47|302013|x.x.x.x|49763|192.168.1.125|81|Built inbound TCP connection 166777 for outside:x.x.x.x/49763 (x.x.x.x/49763) to inside:192.168.1.125/81 (192.168.0.1/81)

On Monday I will ask for the camera brand and the protocol used.

I hope this is useful for you to understand my big problem. Thanks for your help.
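The log excerpt above only ever shows connections to the mapped port 81, each torn down within a second after a few hundred bytes (a single HTTP request/response), and nothing at all on 8554 or 554. The following parser, an added example that is not part of the original thread, turns an ASDM-style pipe-separated export into a per-port summary so that question ("did any connection to the stream port ever get built?") can be answered from the log rather than by eye. The sample input is constructed: the first six lines are the posted entries with the redacted home address replaced by the documentation address 203.0.113.5; the seventh line is not from the post but a constructed ASA message ID 305006 ("translation creation failed"), added to show how a connection to a port that has an ACL permit but no matching static PAT would surface, and its interface labels are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the pipe-separated layout of the log excerpt above.
# Lines 1-6: the posted entries, x.x.x.x replaced by 203.0.113.5.
# Line 7: NOT from the post; a constructed ASA 305006 "translation creation
# failed" message for a port with no static PAT (interface labels assumed).
SAMPLE_LOG = """\
6|Mar 09 2013|10:18:10|302014|203.0.113.5|49767|192.168.1.125|81|Teardown TCP connection 166780 for outside:203.0.113.5/49767 to inside:192.168.1.125/81 duration 0:00:00 bytes 830 TCP FINs
6|Mar 09 2013|10:18:09|302013|203.0.113.5|49767|192.168.1.125|81|Built inbound TCP connection 166780 for outside:203.0.113.5/49767 (203.0.113.5/49767) to inside:192.168.1.125/81 (192.168.0.1/81)
6|Mar 09 2013|10:17:59|302014|203.0.113.5|49764|192.168.1.125|81|Teardown TCP connection 166778 for outside:203.0.113.5/49764 to inside:192.168.1.125/81 duration 0:00:00 bytes 830 TCP FINs
6|Mar 09 2013|10:17:58|302013|203.0.113.5|49764|192.168.1.125|81|Built inbound TCP connection 166778 for outside:203.0.113.5/49764 (203.0.113.5/49764) to inside:192.168.1.125/81 (192.168.0.1/81)
6|Mar 09 2013|10:17:48|302014|203.0.113.5|49763|192.168.1.125|81|Teardown TCP connection 166777 for outside:203.0.113.5/49763 to inside:192.168.1.125/81 duration 0:00:00 bytes 948 TCP FINs
6|Mar 09 2013|10:17:47|302013|203.0.113.5|49763|192.168.1.125|81|Built inbound TCP connection 166777 for outside:203.0.113.5/49763 (203.0.113.5/49763) to inside:192.168.1.125/81 (192.168.0.1/81)
3|Mar 09 2013|10:18:12|305006|203.0.113.5|49770|192.168.0.1|8554|regular translation creation failed for tcp src outside:203.0.113.5/49770 dst outside:192.168.0.1/8554
"""

# 302013: the trailing "(mapped_ip/mapped_port)" is the outside-facing port.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<cid>\d+) for "
    r"\w+:[\d.]+/\d+ \([\d.]+/\d+\) to \w+:[\d.]+/\d+ \((?P<mip>[\d.]+)/(?P<mport>\d+)\)"
)
# 302014: duration and byte count tell you whether anything actually flowed.
TEARDOWN_RE = re.compile(
    r"Teardown (?:TCP|UDP) connection (?P<cid>\d+) for \w+:[\d.]+/\d+ to "
    r"\w+:[\d.]+/\d+ duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+)"
)
# 305006: no translation existed for the destination port.
XLATE_FAIL_RE = re.compile(
    r"translation creation failed for (?P<proto>tcp|udp) src \w+:[\d.]+/\d+ "
    r"dst \w+:[\d.]+/(?P<dport>\d+)"
)


def parse_events(log_text):
    """Split each pipe-separated export line into (syslog id, description)."""
    events = []
    for raw in log_text.splitlines():
        fields = raw.split("|")
        if len(fields) < 9:
            continue
        events.append((fields[3], "|".join(fields[8:])))
    return events


def new_stats():
    return {"built": 0, "teardown": 0, "bytes": 0, "zero_duration": 0, "xlate_failed": 0}


def summarize(log_text):
    """Per mapped port ("proto/port" as seen from outside): connections built and
    torn down, bytes carried, sub-second connections, and translation failures."""
    events = parse_events(log_text)
    stats = defaultdict(new_stats)
    conn_key = {}
    # Pass 1: Built events carry the mapped port. Done first because the export
    # is newest-first, so a Teardown line precedes its own Built line.
    for msg_id, desc in events:
        if msg_id == "302013" and (m := BUILT_RE.search(desc)):
            key = f"{m['proto'].lower()}/{m['mport']}"
            conn_key[m["cid"]] = key
            stats[key]["built"] += 1
    # Pass 2: attribute teardowns through the connection id; count xlate failures.
    for msg_id, desc in events:
        if msg_id == "302014" and (m := TEARDOWN_RE.search(desc)):
            key = conn_key.get(m["cid"])
            if key is None:
                continue  # built before the capture started; nothing to attribute
            stats[key]["teardown"] += 1
            stats[key]["bytes"] += int(m["bytes"])
            if m["dur"] == "0:00:00":
                stats[key]["zero_duration"] += 1
        elif msg_id == "305006" and (m := XLATE_FAIL_RE.search(desc)):
            stats[f"{m['proto']}/{m['dport']}"]["xlate_failed"] += 1
    return dict(stats)


def ports_never_built(stats, expected):
    """Ports that were supposed to be opened but for which no Built event exists."""
    return sorted(p for p in expected if stats.get(p, {}).get("built", 0) == 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, v in sorted(s.items()):
        print(key, v)
    print("never built:", ports_never_built(s, {"tcp/81", "tcp/554", "tcp/8554", "udp/8554"}))
```

Run against the sample, `tcp/81` shows three built, three torn down and 2608 bytes in total, every connection lasting under a second, while the stream ports 554/8554 are listed as never built. On a live box the same check is `show logging` filtered on 302013/302014/305006 while a client tries to start the stream; if the stream port never produces a Built line, the ACL is not the layer that is failing.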

The Recording System is Honeywell Galileo.

I tried to inspect the RTSP protocol with this rule:

access-list rtsp-acl permit tcp any any eq 554

access-list rtsp-acl permit tcp any any eq 8554

class-map rtsp-traffic

match access-list rtsp-acl

exit

policy-map rtsp_policy

class rtsp-traffic

inspect rtsp

exit

service-policy rtsp_policy interface outside

No results...

Then I erased all the service policy rules:

No results...

What do I have to do?

This is the running configuration:

hostname xxxxxxxx

domain-name xxxxxxx                            

enable password xxxxxxx

passwd xxxxxxxxxx                         

names 

access-list acl_outbound permit tcp any host 192.168.0.1 eq 3389

access-list acl_outbound permit tcp any host 192.168.0.1 eq ftp-data

access-list acl_outbound permit tcp any host 192.168.0.1 eq ftp

access-list acl_outbound permit tcp any host 192.168.0.1 eq https

access-list acl_outbound permit tcp any host 192.168.0.1 eq pop3

access-list acl_outbound permit tcp any host 192.168.0.1 eq www

access-list acl_outbound permit tcp any host 192.168.0.1 eq 81

access-list acl_outbound permit tcp any host 192.168.0.1 eq 8554

access-list acl_outbound permit tcp any host 192.168.0.1 eq 6968

access-list acl_outbound permit udp any host 192.168.0.1 eq 8554

access-list acl_outbound permit tcp any host 192.168.0.1 eq rtsp

access-list rtsp-acl permit tcp any any eq 554

access-list rtsp-acl permit tcp any any eq 8554

class-map rtsp-traffic

match access-list rtsp-acl

exit

policy-map rtsp_policy

class rtsp-traffic

inspect rtsp

exit

service-policy rtsp_policy interface outside

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq www

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq smtp

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq 81

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq 8554

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq 6968

access-list acl_inbound permit udp 192.168.1.0 255.255.255.0 any eq 8554

access-list acl_inbound permit tcp 192.168.1.0 255.255.255.0 any eq rtsp

access-list SplitTunnelNets standard permit 192.168.1.0 255.255.255.0

access-list acl_inbound deny tcp any any eq www

access-list acl_inbound deny tcp any any eq ftp

access-list acl_inbound deny tcp any any eq ftp-data

access-list acl_inbound deny tcp any any eq smtp

access-list acl_inbound deny udp any eq tftp any

access-list acl_inbound deny tcp any eq 135 any

access-list acl_inbound deny udp any eq 135 any

access-list acl_inbound deny tcp any eq 137 any

access-list acl_inbound deny udp any eq netbios-ns any

access-list acl_inbound deny tcp any eq 138 any

access-list acl_inbound deny udp any eq netbios-dgm any

access-list acl_inbound deny tcp any eq netbios-ssn any

access-list acl_inbound deny udp any eq 139 any

access-list acl_inbound deny udp any eq 1080 any

access-list acl_inbound deny tcp any eq 445 any

access-list acl_inbound deny tcp any eq 593 any

access-list acl_inbound deny tcp any eq 3067 any

access-list acl_inbound deny tcp any eq 3127 any

access-list acl_inbound deny tcp any eq 4444 any

access-list acl_inbound deny tcp any eq 5554 any

access-list acl_inbound deny tcp any eq 9996 any

access-list acl_inbound deny tcp any eq 36794 any

access-list acl_inbound permit ip any any

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.230

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.231

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.232

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.233

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.234

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.235

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.236

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.237

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.238

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.239

access-list VPN permit ip 192.168.1.0 255.255.255.0 host 192.168.1.240

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

access-list inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.224

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool Ext-IP 192.168.1.230-192.168.1.240 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

no dhcpd enable inside

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group acl_outbound in interface outside

access-group acl_inbound in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.0.254 1

static (inside,outside) tcp interface 443 192.168.1.111 443 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 81 192.168.1.125 81 netmask 255.255.255.255 0 0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

group-policy xxxxxx internal

group-policy xxxxxx attributes

dns-server value 192.168.1.180 213.140.2.21

vpn-tunnel-protocol IPSec

default-domain value xxxxxx

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnelNets

username xxxxxx password xxxxxx privilege 0

username xxxxxx attributes

vpn-group-policy xxxxxxx

username yyyyyyy password xxxxxxx privilege 15

username yyyyyyy attributes

vpn-group-policy xxxxxxx

tunnel-group xxxxxxx type ipsec-ra

tunnel-group xxxxxxx general-attributes

address-pool Ext-IP

default-group-policy xxxxxxx

tunnel-group xxxxxxx ipsec-attributes

pre-shared-key xxxxxxxxxxxxxxxxxxx

prompt hostname context

Any suggestions?

Thanks for your help!

Marco
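On 8.2 code, a `permit ... host 192.168.0.1 eq <port>` entry in the ACL applied inbound on `outside` only lets a packet through the filter; the packet is still addressed to the firewall's own interface address, and unless a `static (inside,outside) <proto> interface <port> ...` entry exists for that protocol and port there is nothing to translate it to an inside host. In the configuration above only tcp/443 and tcp/81 have such a static; every other port permitted towards 192.168.0.1 (8554 tcp and udp, rtsp, 6968, and so on) has none. The script below, an added example and not part of the original thread, audits a pre-8.3 configuration for exactly that mismatch. The embedded configuration is a constructed excerpt of the running configuration posted above (VPN, timeout and user lines omitted, nothing added); `suggest_static` and its `real_host` parameter are illustrative helpers of this example, and the host the stream must reach is an assumption the operator has to supply.

```python
import re

# Constructed excerpt of the ASA 8.2 running configuration posted in the thread;
# every line below appears in the original post, unrelated stanzas are omitted.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.0
access-list acl_outbound permit tcp any host 192.168.0.1 eq 3389
access-list acl_outbound permit tcp any host 192.168.0.1 eq ftp-data
access-list acl_outbound permit tcp any host 192.168.0.1 eq ftp
access-list acl_outbound permit tcp any host 192.168.0.1 eq https
access-list acl_outbound permit tcp any host 192.168.0.1 eq pop3
access-list acl_outbound permit tcp any host 192.168.0.1 eq www
access-list acl_outbound permit tcp any host 192.168.0.1 eq 81
access-list acl_outbound permit tcp any host 192.168.0.1 eq 8554
access-list acl_outbound permit tcp any host 192.168.0.1 eq 6968
access-list acl_outbound permit udp any host 192.168.0.1 eq 8554
access-list acl_outbound permit tcp any host 192.168.0.1 eq rtsp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outbound in interface outside
access-group acl_inbound in interface inside
static (inside,outside) tcp interface 443 192.168.1.111 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 81 192.168.1.125 81 netmask 255.255.255.255 0 0
"""

# ASA service keywords that appear in the posted ACL, resolved to port numbers.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "http": 80,
                 "pop3": 110, "https": 443, "rtsp": 554}

# "permit <proto> any host <ip> eq <port>" entries aimed at a single address.
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\S+)$", re.M)
# Interface PAT: static (real_if,mapped_if) <proto> interface <mapped_port> <real_ip> <real_port> netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask", re.M)


def port_number(token):
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def interface_addresses(config):
    """Map nameif -> ip address by walking the interface stanzas."""
    addrs, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            addrs[name] = s.split()[2]
    return addrs


def inbound_acl_name(config, ifname):
    m = re.search(rf"^access-group (\S+) in interface {re.escape(ifname)}$", config, re.M)
    return m.group(1) if m else None


def permitted_interface_ports(config, acl, ifaddr):
    """(proto, port) pairs the inbound ACL permits towards the interface address."""
    return {(proto, port_number(port)) for name, proto, host, port in ACE_RE.findall(config)
            if name == acl and host == ifaddr}


def static_pat_ports(config, mapped_if):
    """(proto, mapped_port) -> (real_host, real_port) for interface PAT on mapped_if."""
    return {(proto, port_number(mport)): (real, port_number(rport))
            for _real_if, m_if, proto, mport, real, rport in STATIC_RE.findall(config)
            if m_if == mapped_if}


def unreachable_ports(config, outside="outside"):
    """ACL permits towards the outside interface address with no static PAT behind them."""
    ifaddr = interface_addresses(config)[outside]
    acl = inbound_acl_name(config, outside)
    permitted = permitted_interface_ports(config, acl, ifaddr)
    forwarded = static_pat_ports(config, outside)
    return sorted(p for p in permitted if p not in forwarded)


def suggest_static(proto, port, real_host):
    """8.2-syntax interface PAT for one missing port; real_host is the operator's choice."""
    return f"static (inside,outside) {proto} interface {port} {real_host} {port} netmask 255.255.255.255"


if __name__ == "__main__":
    for proto, port in unreachable_ports(SAMPLE_CONFIG):
        print(f"permitted but not translated: {proto}/{port}")
    # Example only: the camera host is an assumption, not something the config states.
    print(suggest_static("tcp", 8554, "192.168.1.125"))
```

Against the posted configuration the audit lists tcp/20, tcp/21, tcp/80, tcp/110, tcp/554, tcp/3389, tcp/6968, tcp/8554 and udp/8554 as permitted but untranslated, while tcp/81 and tcp/443 pass. Two caveats for the RTSP case specifically: the static must match the port the camera actually listens on (554 or 8554, whichever the vendor's client uses), and RTSP negotiates separate UDP ports for the RTP/RTCP media, so `inspect rtsp` on the outside policy, or a client that tunnels the media over the RTSP TCP control connection, is still needed once the control connection itself reaches the camera.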
