Solved: Re: Am I doing static PAT correctly?

gmtimmons · ‎07-28-2010

I have a series of security cameras I have been asked to nat, but with limited public IP's I am going to have to use nat.

requirements are camera 1 using tcp inbound port 1024, camera 2 using port 1025, etc

Do I just need these static commands to make this work:

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1025 netmask 255.255.255.255

etc

there are about 10 cameras total

fyi, I have nat configured and working for other items such as webservers, etc.

thanks in advance

ropakalns · ‎07-28-2010

I have red that there is no diffrence between static (inside, outside) and static (outside, inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.

Anyway, looks fine for me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside

Roberts

View solution in original post

Jon Marshall · ‎07-28-2010

If you have an existing access-list on the outside interface then yes you will need to add entries to the existing acl for your cameras.

Jon

View solution in original post

Nagaraja Thanthry · ‎07-29-2010

Hello,

Most likely that could be the issue because your configurations look good.

Please check the default gateway and see if we can somehow point it to the

ASA or route the traffic to ASA.

Regards,

NT

View solution in original post

ropakalns · ‎07-28-2010

Hi!

Seems to me that you need

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1024 netmask 255.255.255.255

But be sure that inside traffic goes out through the same outside interface IP

Roberts

gmtimmons · ‎07-28-2010

sorry that was a typo, should have been

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1025 netmask 255.255.255.255

ropakalns · ‎07-28-2010

I have red that there is no diffrence between static (inside, outside) and static (outside, inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.

Anyway, looks fine for me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside

Roberts

Jon Marshall · ‎07-28-2010

ropakalns wrote:
I have red that there is no diffrence between static (inside, outside) and static (outside, inside), but
as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.
Anyway, looks fine for me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside 
Roberts

Roberts

There is a big difference between static (inside,outside) and static (outside,inside) eg.

static (inside,outside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means

1) traffic coming from the inside host with a source IP of 172.16.5.1 will be translated to a source IP of 192.168.5.1 as it leaves the outside

2) traffic coming from the outside with a destination IP of 192.168.5.1 will be translated to a desination IP of 172.16.5.1 as it leaves the inside

static(outside,inside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means

1) traffic from the inside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the outside

2) traffic coming from the outside with a src IP of 172.16.5.1 will be translated to a src IP of 192.168.5.1 as it leaves the inside

it's basically to do with whether you translate the source or destination IP and the direction.

Jon

gmtimmons · ‎07-28-2010

also, do I need to make an access list entry for each one as well and can I use the same access list as I use for my other nats

(acl for other nats ex) access-list outside_in extended permit tcp any host mailserver eq lotusnotes

access-list outside_in extended permit tcp any host outside_ip eq 1024

access-list outside_in extended permit tcp any host outside_ip eq 1025

Jon Marshall · ‎07-28-2010

If you have an existing access-list on the outside interface then yes you will need to add entries to the existing acl for your cameras.

Jon

gmtimmons · ‎07-28-2010

can do an access list for a range of ports such as

access-list outside_in extended permit tcp any host outside_ip eq 1024-1033

or do you have to do an access list for each port separately?

Jon Marshall · ‎07-28-2010

gmtimmons wrote:

can do an access list for a range of ports such as

access-list outside_in extended permit tcp any host outside_ip eq 1024-1033

or do you have to do an access list for each port separately?

I'm assuming the device you are using is an ASA/Pix and it is running less than 8.3 software -

object-group service cameraports tcp

port-object range 1024 1033

access-list outside_in permit tcp any host outside_ip object-group cameraports

Jon

gmtimmons · ‎07-28-2010

this is what I have (not working) suggestions?

static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
static (inside,outside) tcp outside_ip1029 10.2.19.6 1029 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 81 10.2.19.0 81 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 8007 10.2.19.0 8007 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 9898 10.2.19.0 9898 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 50000 10.2.19.0 50000 netmask 255.255.255.255

object-group service cameraports tcp
port-object range 1024 1033

access-list outside_in extended permit tcp any host 74.254.131.11 object-group camerapor
access-list outside_in extended permit tcp any host 74.254.131.11 eq 8007
access-list outside_in extended permit tcp any host 74.254.131.11 eq 9898
access-list outside_in extended permit tcp any host 74.254.131.11 eq 50000
access-list outside_in extended permit tcp any host 74.254.131.11 eq 81

access-group outside_in in interface outside

Jon Marshall · ‎07-28-2010

Are you seeing any hits on your access-list entries ie. what does sh access-list show ?

Nagaraja Thanthry · ‎07-28-2010

Hello,

I guess the ports open on the camera are different from what you are trying to configure. Are you trying to manage them via Web Console? If yes, could you please check to see what port they operate on? Once you find out that, you can do the following:

no static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip1029 10.2.19.6 1029 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255

static (inside,outside) tcp outside_ip 1024 10.2.19.1 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 netmask 255.255.255.255
static (inside,outside) tcp outside_ip1029 10.2.19.6 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 netmask 255.255.255.255

If they are accessible via web port (80), then,

static (inside,outside) tcp outside_ip 1024 10.2.19.1 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip1029 10.2.19.6 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 80 netmask 255.255.255.255

Hope this helps.

Regards,

NT

gmtimmons · ‎07-28-2010

yes, I am getting hits on my access list not sure on the port question. basically the mfg of camera system left me a sheet that says tcp inbound port to be used for each item.....those ports being the 1024-1033 and the 81,8007,9898,50000 I will see if I can get in touch wiht them and ask

gmtimmons · ‎07-29-2010

still no luck I have removed most of my new entries.....attaching relavent info of my config

any other suggestions?

gmtimmons · ‎07-29-2010

ok for the port question they arent using port 80, but the ports stated........internally I can access http://inside_ip:1024 ex but not http://outside_ip:1024