  1. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #1

    Need assistance. IP Camera behind Cisco ASA.

    I have installed an IP Camera on the network, which has a Cisco ASA 5505 as the firewall.
    I want to enable it so I can login off net.

    I understand that I need to identify the port used for the GUI, which I believe is 80, but I can change that port. The manufacturer suggests it be changed to 8090, which is no problem.

    So, from my understanding, I need to enable NAT from the outside IP Port 8090, to the inside IP of the camera.
    Static route from the outside IP & Port to the inside IP.

    Is that it?
    Thanks.

  3. Senior Member dover
    Join Date
    Jul 2011
    Location
    dom0
    Posts
    182

    Certifications
    B.Sc. Information System Security, CISA, CISM, CISSP, CCNP:Security, GISP, GCIA, VCP v4, CCNA R/S, MCITP:EA, MCSE NT,2K,2k3
    #2

    Need assistance. IP Camera behind Cisco ASA.

    Hey kmcintosh78,

    I'm not sure what code version you're running, but all you really need to do is set up a translation. No need for any static routes or anything.

    This is a config from 8.4(2) I labbed up real quick:

    Code:
    object network IP_CAMERA
    host 10.0.0.20
    nat (inside,outside) static 55.55.55.55 service tcp www 8090

    access-list outside_in extended permit tcp any object IP_CAMERA eq www log

    access-group outside_in in interface outside

    May not be exactly what you're looking for though...

    The IP camera is 10.0.0.20 on the inside and is mapped to the public address 55.55.55.55 on the outside so you could use your interface IP or an available static in your range.

    Also, it’s doing a little PAT translation listening on port 8090 on the outside and mapping it to the inside port 80 - which you may not want.

    If you set the IP Camera GUI to use port 8090 and don't want the PAT, change the config to:

    Code:
    object network IP_CAMERA
    host 10.0.0.20
    nat (inside,outside) static 55.55.55.55 service tcp 8090 8090

    access-list outside_in extended permit tcp any object IP_CAMERA eq 8090 log

    access-group outside_in in interface outside

    Ehh..hope it helps. At least it gave me something to do besides VPN stuff for a while.

  4. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #3
    I am going to try that. Thanks.

  5. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #4
    Running 7.2(4). CLI a little different.

  6. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #5
    Yeah, can't exactly walk it through the ASDM.
    This is my first go around with port forwarding like this.

  7. Senior Member
    Join Date
    Jan 2013
    Posts
    169
    #6
    7.2

    access-list outside_access_in permit tcp any host 10.1.1.1 eq www

    static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255

  8. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #7
    Quote Originally Posted by TheNewITGuy:
    7.2

    access-list outside_access_in permit tcp any host 10.1.1.1 eq www

    static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255
    Giving me an invalid command for "host".

  9. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #8
    I think I may be able to steer you in the right direction, as I currently have a similar topology. There's an internal IP camera system that's behind an ASA; it's accessed off net on my employer's cell phone. I'm running 8.2, so the commands may differ.

    Make sure you know all the port numbers associated with the camera system; if not, it won't pass through.

    Define the port number

    object-group service CAMERA tcp
    port-object eq 8090

    Create access list

    access-list inside_access_in extended permit tcp host 10.0.0.20 any object-group CAMERA

    access-group inside_access_in in interface inside


    create static nat

    static (inside,outside) tcp interface 8090 10.0.0.20 8090 netmask 255.255.255.255

    If you still see it blocked, look at the real-time log while trying to access the camera from outside to see what port is being blocked.


    I'm running GUI 6.4, so it may be slightly different than yours. I'll try to explain it the best I can.

    Click on configuration in the top left corner ->click firewall-> click access rules

    On the right side there should be 3 tabs named Addresses, Services, and Time ranges if you don't see that click on view in the top left corner and click them. Once you see them

    Click Services-> Add ->Type name in Group Name "camera" if you like
    -> click the dial for create new member ->type the ports you want to create, 8090 ->click ok

    Click Nat rules on the left -> add static nat rule -> under original->interface inside ->source 10.0.0.20

    under translated ->interface outside ->click dial "use interface ip address"

    under port address translation (pat)->check off enable pat ->tcp -> original port 8090 translated port 8090 ->click ok

    click enable logging -> ok

    On the access rule list go under outside and create a new rule

    click outside->add access rule -> permit -> source any (or if you have a specific ip address) ->destination (your outside ip address) ->service (name of the new service you created) camera

    click inside->add access rule -> permit -> source 10.0.0.20; if the ip address hasn't been added yet, click source
    ->add-> 10.0.0.20 netmask 255.255.255.255->ok ->destination any->service (name of the new service you created) camera

    click apply

    Hope this works for you.

    Edit: Had to tweak the configs
    Last edited by dmarcisco; 02-05-2013 at 06:34 PM.
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  10. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #9
    What's the update? Are you running into any issues?

  11. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #10
    Quote Originally Posted by dmarcisco:
    What's the update? Are you running into any issues?
    Been busy with everything else. I am going to work this now and will report back shortly.

  12. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #11
    Quote Originally Posted by dmarcisco:
    I'm running GUI 6.4, so it may be slightly different than yours. I'll try to explain it the best I can.

    Click on configuration in the top left corner ->click firewall-> click access rules

    On the right side there should be 3 tabs named Addresses, Services, and Time ranges if you don't see that click on view in the top left corner and click them. Once you see them
    Left side is missing on mine. I am running ASDM 6.4.

    Quote Originally Posted by dmarcisco:
    Click Services-> Add ->Type name in Group Name "camera" if you like
    -> click the dial for create new member ->type the ports you want to create, 8090 ->click ok
    I was able to create a new network object, but there is no dial for it.


    Quote Originally Posted by dmarcisco:
    Click Nat rules on the left -> add static nat rule -> under original->interface inside ->source 10.0.0.20

    under translated ->interface outside ->click dial "use interface ip address"
    I got this error message
    "[WARNING] static (inside,outside) interface 10.1.13.24 netmask 255.255.255.255 tcp 0 0 udp 0
    static redirecting all traffics at outside interface;
    WARNING: all services terminating at outside interface are disabled."

    Quote Originally Posted by dmarcisco:
    under port address translation (pat)->check off enable pat ->tcp -> original port 8090 translated port 8090 ->click ok

    click enable logging -> ok

    On the access rule list go under outside and create a new rule

    click outside->add access rule -> permit -> source any (or if you have a specific ip address) ->destination (your outside ip address) ->service (name of the new service you created) camera

    click inside->add access rule -> permit -> source 10.0.0.20; if the ip address hasn't been added yet, click source
    ->add-> 10.0.0.20 netmask 255.255.255.255->ok ->destination any->service (name of the new service you created) camera

    click apply

    Hope this works for you.

    Edit: Had to tweak the configs
    I did not proceed past the NAT config, due to the warning message.

  13. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #12
    Not a network object, a service object. Can you create a service object? That's where you define the port.

    Firewall-->access rules--> service tab on the far right, or on the left go under the firewall directory-->expand the objects tab, click service groups and add your new port.

    How do you have your nat configured?

  14. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #13
    Quote Originally Posted by dmarcisco:
    Not a network object, a service object. Can you create a service object? That's where you define the port.

    Firewall-->access rules--> service tab on the far right, or on the left go under the firewall directory-->expand the objects tab, click service groups and add your new port.

    How do you have your nat configured?
    I was able to create a new service group.

    Do you mean NAT for the firewall as a whole?

  15. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #14
    The way I configured NAT works for me because all the port forwarding was configured exactly the same and no other NAT configurations were implemented. This is how I configured my NAT:

    object-group service CAMERA tcp
    port-object eq 9000
    port-object eq 9001
    port-object eq 18004


    access-list inside_access_in extended permit tcp host 1.1.2.5 any object-group CAMERA
    access-group inside_access_in in interface inside

    access-list 100 extended permit tcp any host (outside ip address) object-group CAMERA
    access-group 100 in interface outside

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0

    static (inside,outside) tcp interface smtp 1.1.2.250 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
    static (inside,outside) tcp interface 18004 1.1.2.5 18004 netmask 255.255.255.255
    static (inside,outside) tcp interface 9000 1.1.2.5 9000 netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 1.1.2.250 pop3 netmask 255.255.255.255


    I originally tried something similar to this:

    static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255

    but it didn't allow me to add more than one static NAT entry. TAC mentioned that for my topology it's only best to configure it this way if you have multiple routable IP addresses. In my case I only have one dedicated IP address.

    So that's why configuring it this way worked for me:

    static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
    Last edited by dmarcisco; 02-19-2013 at 08:57 PM. Reason: Eten point made me double check the config I realized I forgot to add an access list

  16. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #15
    Let me try that.

    Also, I don't see anything negative happening from the warning message I received as stated in my above post.

    Is there anything that I should be concerned with?

  17. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #16
    Well, depending on how everything else is configured, the worst that can happen is that whatever was previously NAT'ed will be removed or overwritten.

  18. Member
    Join Date
    Mar 2010
    Posts
    67
    #17
    access-list 100 extended permit tcp any host 1.1.2.5 object-group CAMERA
    Is this applied inbound on the "inside" or "outside"?

    If it's applied inbound on the outside, you will need to permit the global (public) IP, as ACLs are processed before NAT translation pre-8.3.

  19. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #18
    Edit: I made correction on my last config realized I copied the wrong config.
    Last edited by dmarcisco; 02-19-2013 at 08:54 PM.

  20. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #19
    OH YEAH!!!!! You are the Man!!!

    Thanks again.


    I love this site and all the people here.

  21. Senior Member
    Join Date
    Jan 2012
    Posts
    1,250

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #20
    Cool beans! Now everyone can have a reference, because when I was trying to do the exact same thing 2 months back I couldn't find any information on it. Glad it worked.

  22. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #21
    I think I will post the steps for the GUI in the manner that we walked through it.
    Should be in about an hour or so.

  23. Senior Member
    Join Date
    Mar 2011
    Posts
    195

    Certifications
    CCNA,CCNA Security, Nortel DMS,Nortel Norstar,Avaya IP, Telecom Engineer, ITIL v3 Foundation
    #22
    This is for implementing outside access to an IP camera on a small, flat network. The network has a single outside/public IP and 2 VLANs, one for data and one for VoIP, which is tunneled to a corporate site.

    IP Camera is set as 10.1.13.24 with the interface Port for Admin set to 8090.

    Create a Network Object of the Camera
    Config, Firewall, Objects, Network Objects/Groups, Add Network Object.
    Name: IP-Camera
    Address 10.1.13.24
    Subnet: 255.255.255.255

    Create a Service Object
    Config, Firewall, Objects, Service objects, Add TCP Service Group
    Group Name: IP-Camera
    Check "create New Member" enter "8090"
    Check "add"

    Create ACLs
    Config, Firewall, Access Control List, Add Access Rule
    Check Inside
    Permit
    Source "IP-Camera"
    Destination "any"

    Config, Firewall, Access Control List, Add Access Rule
    Check Outside
    Permit
    Source "any"
    Destination "**enter the IP of the outside interface**"

    Create NAT
    Config, Firewall, NAT Rules, ADD Static NAT Rules
    Original
    Interface "inside"
    Source "IP-Camera"
    Translated
    Interface "outside"
    Check "Use Interface IP Address"
    PAT
    Check enable PAT
    Original Port "8090"
    Translated Port "8090"

    Check your ability to access the IP camera.
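Two traps come up in this thread that are easy to catch before a config is pushed: the pre-8.3 rule from post #17 that an ACL applied inbound on the outside interface must match the mapped (public) address rather than the inside host, and the whole-interface static that produced the "static redirecting all traffics at outside interface" warning quoted in post #11. The linter below is an added example written for this page; it is not code from the thread or from Cisco. It parses only the pre-8.3 `static`, `access-list` and `access-group` lines (the 8.3+ object NAT in post #2 is not handled), and the two sample configs embedded in it are constructed from the snippets in posts #6, #11 and #14, with 203.0.113.5 standing in for the outside interface address.

```python
"""Lint a pre-8.3 ASA port-forwarding config for two pitfalls from this thread.
Added example, not from the thread or Cisco; only pre-8.3 'static', 'access-list'
and 'access-group' lines are parsed.  Check 1: an ACL inbound on outside must name
the mapped (public) address, since pre-8.3 evaluates ACLs before NAT (post #17).
Check 2: 'static (inside,outside) interface <real_ip> netmask ...' with no port
redirects every port of the outside IP and disables services on outside (post #11)."""
import re
from collections import namedtuple

# proto is None for a whole-address static; mapped_ip may be the keyword "interface"
StaticRule = namedtuple("StaticRule", "real_ifc mapped_ifc proto mapped_ip mapped_port real_ip real_port")
Ace = namedtuple("Ace", "name action proto src dst")

def _take_addr(t, i):  # one ACL address spec: any / host X / object X / ip mask
    if t[i] == "any":
        return "any", i + 1
    if t[i] in ("host", "object", "object-group"):
        return t[i + 1], i + 2
    return t[i], i + 2

def parse_static(line):
    """static (real,mapped) [tcp|udp] mapped_ip [mport] real_ip [rport] netmask MASK"""
    t = line.split()
    m = re.fullmatch(r"\((\w+),(\w+)\)", t[1]) if len(t) > 5 and t[0] == "static" else None
    if not m:
        return None
    try:
        i, proto = 2, None
        if t[i] in ("tcp", "udp"):
            proto = t[i]
            mapped_ip, mapped_port, real_ip, real_port = t[i + 1:i + 5]
            i += 5
        else:
            mapped_ip, real_ip = t[i:i + 2]
            mapped_port = real_port = None
            i += 2
        if t[i] != "netmask":
            return None
    except (IndexError, ValueError):
        return None
    return StaticRule(*m.groups(), proto, mapped_ip, mapped_port, real_ip, real_port)

def parse_ace(line):  # access-list NAME [extended] permit|deny PROTO SRC DST ...; source ports not handled
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    i = 3 if t[2] == "extended" else 2
    try:
        action, proto = t[i], t[i + 1]
        src, i = _take_addr(t, i + 2)
        dst, _ = _take_addr(t, i)
    except IndexError:
        return None
    return Ace(t[1], action, proto, src, dst) if action in ("permit", "deny") else None

def parse_config(text):
    statics, aces, bindings = [], [], {}  # bindings: ACL name -> interface it is applied to
    for line in map(str.strip, text.splitlines()):
        if (s := parse_static(line)) is not None:
            statics.append(s)
        elif (a := parse_ace(line)) is not None:
            aces.append(a)
        elif line.startswith("access-group "):
            t = line.split()  # access-group NAME in interface IFC
            if len(t) == 5 and t[2:4] == ["in", "interface"]:
                bindings[t[1]] = t[4]
    return statics, aces, bindings

def lint(text):
    statics, aces, bindings = parse_config(text)
    findings = []
    for s in statics:  # check 2: whole-address static on the interface IP
        if s.proto is None and s.mapped_ip == "interface":
            findings.append(f"whole-address static sends every port of the {s.mapped_ifc} IP to {s.real_ip} "
                            f"and disables services terminating on {s.mapped_ifc}; use 'static "
                            f"({s.real_ifc},{s.mapped_ifc}) tcp interface <port> {s.real_ip} <port> ...'")
    real_to_mapped = {s.real_ip: s.mapped_ip for s in statics}
    mapped_ifcs = {s.mapped_ifc for s in statics}
    for a in aces:  # check 1: ACL on the mapped side naming the real (inside) host
        ifc = bindings.get(a.name)
        if ifc in mapped_ifcs and a.dst in real_to_mapped:
            mapped = real_to_mapped[a.dst]
            findings.append(f"ACL {a.name} inbound on {ifc} matches real address {a.dst}; pre-8.3 checks "
                            f"the ACL before NAT, so match the mapped address "
                            f"({'interface IP' if mapped == 'interface' else mapped}) instead")
    return findings

# Constructed sample in the style of posts #6 and #11 (not a real config)
BAD_CONFIG = """
access-list outside_access_in permit tcp any host 10.1.1.1 eq www
access-group outside_access_in in interface outside
static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255
static (inside,outside) interface 10.1.13.24 netmask 255.255.255.255
"""
# Constructed sample in the style of post #14; 203.0.113.5 stands in for the outside IP
GOOD_CONFIG = """
access-list inside_access_in extended permit tcp host 10.0.0.20 any eq 8090
access-group inside_access_in in interface inside
access-list 100 extended permit tcp any host 203.0.113.5 eq 8090
access-group 100 in interface outside
static (inside,outside) tcp interface 8090 10.0.0.20 8090 netmask 255.255.255.255
"""
```

Calling `lint(BAD_CONFIG)` returns two findings, one for the whole-address static and one for the ACL that names 10.1.1.1 instead of 84.44.22.33, while `lint(GOOD_CONFIG)` returns an empty list: the outside ACL names the public address and the static carries a protocol and port, which is the shape the final ASDM walkthrough above produces. Running the same check against the real running config (with `show running-config` pasted into a file) is a reasonable pre-change review step for any pre-8.3 box.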
