Trouble

Dana_Alexis
Level 1

Okay, I'm starting to get desperate. Sorry if I posted this on the wrong forum.

Here's my situation: There are several Cisco ASA 5506-X's deployed at our client's stores. What I'm trying to do is to make it possible to access the camera from any device by typing in the static IP with whatever port the camera is set with, like 8080. The problem is I don't know how to set up a Cisco ASA. My only experience with Cisco is routers and switches.

The ASA is setup like this:

outside====>ASA firewall<====inside

The camera is connected on the inside interface on a switch.

The commands I've tried for port forwarding are these:

object network camera
 host 192.168.103.***

object service tcp_camera
 service tcp source eq 80

nat (inside,outside) source dynamic any interface
access-list CamToInside permit tcp any host 192.168.103.*** eq www
access-group CamToInside in interface outside

But it didn't work, so I removed that. I've been researching for a really long time, and I'm getting nowhere. Can someone help me? I'll post the config of one of the firewalls I'm working with. I'll remove some of the info, though. These were the things done by other people before I started working here.


Rahul Govindan
VIP Alumni

You should follow the steps to create port forwarding rules here:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc10

I tried that, but it didn't work, for some reason. I looked at the logs, and I was getting this when I tried accessing the camera through my phone's IP cam app:

I also tried using the computer at the office, but it's not working.

Here's how I set up the NAT, in case it was a misconfiguration on my end.

Can you get the CLI of the NAT you added? Also run a packet-tracer to simulate the ASA processing. The command is below:

packet-tracer input outside tcp 4.4.4.4 12345 <outside ip address> 8080 detailed

Sorry it took a while. Timezone difference. Okay, it looks like the only thing added when I used ASDM to configure port forwarding were these:

object network camera_192.168.***.***
nat (inside,outside) static interface service tcp www 8080

I did not see a new access list at all. The packet tracer result is attached. It looks like it's getting dropped because of the implicit deny, if I'm reading it right.

Yup, what you added was only the NAT. Your ACLs were correct when you added them the first time.

access-list CamToInside permit tcp any host 192.168.103.*** eq www
access-group CamToInside in interface outside

Okay, I'll try that Monday since I'm off today and tomorrow and get back to you.

Okay, I added the access-list, but for whatever reason, it's still being denied. I attached the packet tracer result. The commands that were added to the running config were these:

access-list Cam_Access extended permit tcp any host 192.168.***.*** eq www

access-group Cam_Access in interface outside

Actually, it's kinda weird it became an extended permit. I didn't type that at all.

What was the packet-tracer command that you ran? Can you attach a sanitized config to this thread if possible to check?

Okay, I actually made an error in the IP address for the object network, so I corrected it. But now, I'm getting a weird result. The packet tracer result shows that it should be working, but when I try to access the camera on my phone, it's not working. Could this be an issue not related to the ASA config?

I attached the results I got when using the packet-tracer input outside tcp 4.4.4.4 12345 <outside ip address> 8080 detailed command after fixing the IP address error.

If the packet-tracer shows the right output, try applying a packet capture on the outside and inside interfaces for traffic from your source public IP address while you do the actual test. This will show if there is something wrong with the actual traffic.

Okay, I actually tried something that worked. I changed the port set on the camera. So all I really needed was that thing you linked and the ACL. Thanks!

Just one more question before I mark the correct stuff, so I can use it in the future. With the camera they have, I can set the port to anything other than 80. So, when setting up on the ASDM, would the real port section be the one set on the camera itself?

If you change the camera port, you would have to change the real port in the NAT statement and also in the ACL applied on the outside interface.

Okay. Thanks! Can you give me an example of the ACL? Like, let's say I have a camera at port 5010 at the address of 172.168.1.20. How would the ACL statement go? Would it go something like:

access-list Outside_to_Cam extended permit tcp any host 172.168.1.20 eq 5010

then insert it to the outside interface?

Just want to know for future reference.

Yes. You would have the ACL with source as 'any' and destination as the real ip address and real port of the camera.
