11-09-2007 02:24 PM - edited 03-09-2019 07:19 PM
Please understand that I am nowhere near being a network guru and I'm even farther away from being a PIX guru.
I have a 501 PIX between my home network and the outside internet. The PIX is connected to a cable modem and pretty much keeps the same DHCP IP address as assigned by the ISP. I have an AXIS 207 IP camera connected to my home network on IP 192.168.1.11. For the sake of illustration say the address assigned by my cable ISP is 123.123.123.1.
What I need to do is to access the camera from the internet. To do that I suppose I need to add some instructions to the PIX configuration but I don't know where to start...I have never even thought about communicating with devices on my home network through the internet. Can someone please provide some pointers or better yet the commands I need to add. The next question is how do I access the camera assuming the PIX is all set up. I don't think I use the camera's address and I don't know how the ISP address would get to a specific device such as the camera - maybe appending a port number or whatever to the IP address I type when trying to access the camera from the internet?
The way the camera works on the internal network is you type in its IP address in a browser window and the camera opens up a web page just like any URL and the video is streamed to a window in the web page.
I hope I've provided enough info to understand what I'm trying to do and I would be most appreciative for any help.
thanks
11-09-2007 05:13 PM
Hi
The PIX can be configured to translate ports destined to a single global IP address to your internal camera.
You can use port redirection (static PAT) to accomplish this.
Example
Address from ISP: 123.123.123.1
Camera IP Address: 192.168.1.11
PIX commands are shown below.
static (inside,outside) tcp 123.123.123.1 80 192.168.1.11 80 netmask 255.255.255.255
!--- Now that the port redirection is defined, you need
!--- to allow inbound access via an access list.
access-list inbound permit tcp any host 123.123.123.1 eq 80
access-group inbound in interface outside
!--- Finally, then you need to do PAT on the static address.
nat (inside) 1 0.0.0.0
global (outside) 1 123.123.123.1
Please rate if this helps. Also, I would make sure your camera has a user name + password on.
Regards MJ
11-10-2007 07:39 AM
Thanks for the answer...I will install the changes and report back with the results
11-10-2007 03:49 PM
I tried installing the commands as provided but am running into issues. Here are the error messages:
pixfirewall(config)# nat (inside) 1 0.0.0.0
ERROR: Duplicate NAT entry
ERROR: fail to insert nat entry
pixfirewall(config)# global (outside) 1 xxx.xxx.114.55
ERROR: xxx.xxx.114.55-xxx.xxx.114.55 overlaps with outside interface address
pixfirewall(config)#
And here is a copy of my current configuration (including the code prior to entering the changes and the successful changes). Any idea what needs to be done to fix things?
thanks
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list inbound permit tcp any host xxx.xxx.114.55 eq www
pager lines 24
logging timestamp
logging trap informational
logging host inside 192.168.1.3
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.3 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.114.55 www 192.168.1.11 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.10 inside
dhcpd dns 207.69.188.171 207.69.188.172
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username administrator password xxx privilege 15
terminal width 80
Cryptochecksum:xxx
: end
[OK]
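Added example, not part of the thread or of any poster's reply: both errors above come from commands the running configuration already covers, since `global (outside) 1 interface` and `nat (inside) 1 0.0.0.0 0.0.0.0 0 0` already provide outbound PAT, so the repeated nat is a duplicate and a global pool equal to the outside address overlaps the interface. The fragment below keys the port redirection to the outside interface instead of the leased address, so it keeps working when the DHCP lease changes. It assumes PIX 6.3 with `ip address outside dhcp setroute` as in the posted configuration; `<trusted-source-ip>` is a placeholder, not a value from the thread.

```cisco
! Added example (assumes PIX 6.3, DHCP-assigned outside address).
! Leave the existing outbound PAT lines untouched:
!   global (outside) 1 interface
!   nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Replace the static that hard-codes the leased address with one
! bound to whatever address the outside interface currently holds.
no static (inside,outside) tcp xxx.xxx.114.55 www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0

! Add the interface-based permit before removing the old entry so the
! access list bound to the outside interface is never left empty.
access-list inbound permit tcp any interface outside eq www
no access-list inbound permit tcp any host xxx.xxx.114.55 eq www

! To limit who can reach the camera, use a specific source instead of "any":
!   access-list inbound permit tcp host <trusted-source-ip> interface outside eq www

! "access-group inbound in interface outside" is already in the configuration.
! Flush existing translations so the new static takes effect.
clear xlate
```

With this in place the camera is reached from outside by browsing to the address currently assigned to the outside interface on port 80.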