Route External IP to Internal IP

hsd_3068_cisco
Level 1

I have an internal DVR system that I am trying to share to the outside world. We recently put in an ASA5505 and I am having trouble getting the settings correct.

I want to use an external IP to access the DVR system from anywhere and have my ASA5505 redirect the traffic to the internal IP address. I assume I need to use a NAT and a route policy, however I cannot figure out how it would be.

Any help would be great -

thank you - Kelli


Gregory Snipes
Level 4

Unless you have a pool of IPs on the outside of the firewall to use for a 1 to 1 NAT, you will need to know the ports the DVR device is using so that you can forward those particular ports through the PAT.

The app uses port 80 and I own 5 static IPs, one of which I planned on using for this.

Well, that makes it fairly straightforward. Are you using the ASDM or command line?

The ASDM.

A simple static PAT and an ACL on the outside interface will do.

1) Go to Configuration -> Firewall -> NAT Rules

2) Use the "add" drop down and select "static nat"

3) Use these settings:

Original:

Interface: Inside

Source: IP of DVR system

Translated:

Interface: Outside

Address: Use interface address

4) Check the box "Enable Port Address Translation", enter "80" as the original port and "10080" (or whatever your desired port is) as the translated port. Click Apply.

5) Go to Configuration -> Firewall -> Access Lists.

6) Create an access-list on the outside interface allowing traffic from your designated range destined to the outside interface.

7) Connect via HTTPS from the outside like this: https://1.2.3.4:10080 (where "1.2.3.4" is the IP address of the ASA's outside interface).
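The same static PAT and outside ACL expressed as ASA CLI, in pre-8.3 syntax, added here as an example that is not part of the reply above. The DVR address 192.168.1.50, the allowed client range 203.0.113.0/24 and the ACL name outside_access_in are assumed values.

```cisco
! Added example, not from the thread. Pre-8.3 (e.g. 8.2) syntax.
! Assumed: DVR is 192.168.1.50; 203.0.113.0/24 is the "designated range"
! of remote clients that may reach it.
!
! Static PAT: outside interface address, TCP 10080 -> 192.168.1.50 TCP 80
static (inside,outside) tcp interface 10080 192.168.1.50 80 netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside interface match the translated (mapped)
! address and port, i.e. the outside interface and 10080, not the DVR's
! real address. Keep the source limited to the designated range rather
! than "any": the DVR's web interface is now exposed to whatever can
! match this line.
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq 10080
! Everything else arriving on the outside interface is dropped by the
! implicit deny at the end of the list.
access-group outside_access_in in interface outside
!
! Check the translation exists and which ACL entries are being hit
show xlate
show access-list outside_access_in
```

The log viewer messages later in this thread (syslog 305013) reference the NAT and ACL objects configured here, so the two show commands are the first thing to check when a connection is denied.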

If you're using 8.3 and above you'll need to use objects and use the real IP for your ACLs. See here:

http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat.html

I'm working on the PAT first - and I believe I have it correct. 

For the Access List, I have created it on the outside interface. Is the designated range supposed to be the inside-network to the outside-network? Or would it be the DVR somewhere in there?

Thank you for all your help - it really is appreciated!

In my log viewer, I see

Severity: 5 | Date: Mar 28 2013 | Time: 16:44:56 | Syslog ID: 305013 | Destination: dvr-internal | Destination Port: 80 | Description: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.XX/7964 dst inside:dvr-internal/80 denied due to NAT reverse path failure

What version of software are you running on it?

ASA: 8.2(5)

ASDM: 6.4(5)

Have you created the access list?

Jawad

This is the access rule I created:

But I don't think it's correct; it gives me a warning.

I access my firewall from a remote location and once I add this access rule, I can no longer see the firewall. So I end up accessing a local computer and restoring the latest config.
