02-22-2021 01:12 PM
We're currently setting up, after all these rolling blackouts, to recover an ASA 5510 to an ASA 5515. We've lost the 5510 but thankfully have a backup for it. It's taking everything on the 5515 but the NAT routing, which is important for routing our camera server. I don't know how I can make it work; I just need to route it from the outside to the inside.
These are the commands it's having issues with:
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) OUTSIDEIP INSIDEIP netmask 255.255.255.255
access-group outside_access_in in interface Outside
I tried looking up the "Help Nat" command and it's such a mess for me to understand.
Thank You!
02-22-2021 03:19 PM - edited 02-22-2021 03:24 PM
If you are just looking to map the server to an available public IP address, you can use the following commands:
object network CAMERA-SERVER
 host 10.120.0.50
 nat (Inside,Outside) static 23.23.23.23
!
access-list outside_access_in extended permit ip any host 10.120.0.50
access-group outside_access_in in interface Outside
Keep in mind that this will map every port to the camera server so the camera server will be completely exposed. I usually recommend that people use a VPN to access the camera system instead of exposing it to the Internet like this but this is a risk/benefit analysis you must evaluate and determine if you're comfortable with it.
I would recommend only allowing the ports necessary to use the camera system by scoping the access list to only those ports. Additionally you could only allow access from certain IP addresses (might prove impractical if users are used to accessing the camera system from cell phones).
02-23-2021 06:06 AM
So if I only needed HTTPS and HTTP, I'd put it as, instead of any host, it'd be 80,443 host?
02-23-2021 06:58 AM
Correct. Just keep in mind that port 80 is unencrypted so I hope that the login for this camera system does allow you to log in using an unencrypted web page.
access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 443
access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 80
access-group outside_access_in in interface Outside
02-23-2021 07:21 AM
Ok and if I'm reading this right it should be:
object network CAMERA-SERVER
 host 10.120.0.50 <--- this is the INSIDE IP?
 nat (Inside,Outside) static 23.23.23.23 <------ OUTSIDE IP?
!
access-list outside_access_in extended permit ip any host 10.120.0.50 eq 443
access-group outside_access_in in interface Outside
02-23-2021 07:29 AM
That is correct
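An added example, not part of any post in this thread: a small Python check that applies the scoping advice above to `access-list ... extended permit` lines, run over the ACL lines quoted in the thread (embedded as constructed sample input). The finding names and the short cleartext-port list are assumptions of this example; it also flags a port operator on a non-TCP/UDP protocol, which ASA only accepts with tcp, udp or sctp.

```python
PORT_OPS = {"eq", "range", "lt", "gt", "neq"}
CLEARTEXT_PORTS = {"80", "www", "21", "ftp", "23", "telnet"}  # assumption: short list

# Constructed sample: the ACL lines that appear in this thread.
SAMPLE = """\
access-list outside_access_in extended permit ip any host 10.120.0.50
access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 443
access-list outside_access_in extended permit tcp any host 10.120.0.50 eq 80
access-list outside_access_in extended permit ip any host 10.120.0.50 eq 443
"""

def take_addr(tok):
    """Consume one address spec: any | host X | object[-group] NAME | NET MASK."""
    head = tok.pop(0)
    if head in ("any", "any4", "any6"):
        return "any"
    return f"{head} {tok.pop(0)}"

def take_port(tok):
    """Consume an optional port clause; return (operator, first port) or (None, None)."""
    if not tok or tok[0] not in PORT_OPS:
        return None, None
    op, port = tok.pop(0), tok.pop(0)
    if op == "range":
        tok.pop(0)  # drop the upper bound of the range
    return op, port

def audit_line(line):
    """Return the findings for one extended-ACL permit line ([] if none or not a permit)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        return []
    proto, rest = tok[4], tok[5:]
    try:
        src = take_addr(rest)
        take_port(rest)             # optional source-port clause, not audited here
        take_addr(rest)             # destination address
        op, port = take_port(rest)  # destination-port clause
    except IndexError:
        return ["unparsed"]
    findings = []
    if op and proto not in ("tcp", "udp", "sctp"):
        findings.append("port-operator-needs-tcp-or-udp")
    if src == "any":
        findings.append("any-source")  # reachable from the whole Internet
        if op is None:
            findings.append("all-ports-exposed")
        elif op == "eq" and port in CLEARTEXT_PORTS:
            findings.append("cleartext-port")
    return findings
```

Calling `audit_line` on each line of `SAMPLE` shows that only a rule with a specific source (for example `host` followed by an office address) and an explicit TCP port comes back with no findings.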