03-21-2013 12:19 PM - edited 03-07-2019 12:24 PM
I have an internal DVR system that I am trying to share to the outside world. We recently put in an ASA5505 and I am having trouble getting the settings correct.
I want to use an external IP to access the DVR system from anywhere and have my ASA5505 redirect the traffic to the internal IP address. I assume I need to use a NAT and a route policy, but I cannot figure out how it would be done.
Any help would be great -
thank you - Kelli
03-21-2013 12:23 PM
Unless you have a pool of IPs on the outside of the firewall to use for a 1-to-1 NAT, you will need to know the ports the DVR device is using so that you can forward those particular ports through the PAT.
03-21-2013 12:39 PM
The app uses port 80 and I own 5 static IPs, one of which I planned on using for this.
03-21-2013 12:47 PM
Well, that makes it fairly straightforward. Are you using the ASDM or the command line?
03-21-2013 12:57 PM
The ASDM.
03-22-2013 07:14 AM
A simple static PAT and an ACL on the outside interface will do.
1) Go to Configuration -> Firewall -> NAT Rules
2) Use the "Add" drop-down and select "Static NAT"
3) Use these settings:
Original:
Interface: Inside
Source: IP of DVR system
Translated:
Interface: Outside
Address: Use interface address
4) Check the box "Enable Port Address Translation", enter "80" as the original port and "10080" (or whatever your desired port is) as the translated port. Click Apply
5) Go to Configuration -> Firewall -> Access Lists.
6) Create an access-list on the outside interface allowing traffic from your designated range destined to the outside interface.
7) Connect via HTTPS from the outside like this: https://1.2.3.4:10080 (where "1.2.3.4" is the IP address of the ASA's outside interface).
If you're using 8.3 and above you'll need to use objects and use the real IP for your ACLs. See here:
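The same static PAT and outside ACL written out as ASA CLI, for both the pre-8.3 syntax (which matches the 8.2(5) image mentioned later in the thread) and the 8.3+ object syntax, as an added example that is not part of the original reply. The DVR address 192.168.1.50, the outside interface address 203.0.113.10, the permitted remote range 198.51.100.0/24 and the ACL name are assumptions chosen for illustration.

```cisco
! ---- ASA 8.2 and earlier ----
! Static PAT: outside-interface:10080 -> 192.168.1.50:80 (assumed DVR address)
static (inside,outside) tcp interface 10080 192.168.1.50 80 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the MAPPED address and port, i.e. the outside interface IP
! (assumed 203.0.113.10) and the translated port 10080. Restrict the source to the
! remote range that should reach the DVR (assumed 198.51.100.0/24) rather than "any".
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 10080
access-group outside_access_in in interface outside

! ---- ASA 8.3 and later ----
! The same DVR defined as a network object carrying its own NAT statement
object network DVR_HOST
 host 192.168.1.50
 nat (inside,outside) static interface service tcp 80 10080
!
! 8.3+ ACLs match the REAL address and REAL port, so the rule references the
! object and port 80, not the outside IP and 10080.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 object DVR_HOST eq 80
access-group outside_access_in in interface outside

! ---- Verify (either version) ----
! Simulate an inbound connection from the permitted range and confirm that both the
! NAT and ACCESS-LIST phases report ALLOW and the flow ends up at 192.168.1.50:80
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 10080
```

Keep the two ACL forms straight when moving between versions: a rule written against the mapped address on an 8.3+ box, or against the real address on 8.2, never matches, and packet-tracer will show the drop in the ACCESS-LIST phase. The interface ACL only governs traffic passing through the firewall; management sessions to the ASA itself are controlled by the http/ssh commands, not by this access-group.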
03-28-2013 08:34 AM
I'm working on the PAT first - and I believe I have it correct.
For the Access List, I have created it on the outside interface. Is the designated range supposed to be the inside network to the outside network? Or would the DVR be somewhere in there?
Thank you for all your help - it really is appreciated!
03-28-2013 08:53 AM
In my log viewer, I see
5 | Mar 28 2013 | 16:44:56 | 305013 | dvr-internal | 80 | Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.XX/7964 dst inside:dvr-internal/80 denied due to NAT reverse path failure |
03-29-2013 09:09 AM
What version software are you running on it ?
04-01-2013 12:24 PM
ASA : 8.2 (5)
ASDM : 6.4 (5)
04-01-2013 02:56 PM
Have you created the access list?
04-02-2013 08:36 AM
This is the access rule I created:
But I don't think it's correct, it gives me a warning
I access my firewall from a remote location and once I add this access rule, I can no longer see the firewall. So I end up accessing a local computer and restoring the latest config.