Need assistance. IP Camera behind Cisco ASA.
kmcintosh78
Member Posts: 195
I have installed an IP Camera on the network, which has a Cisco ASA 5505 as the firewall.
I want to enable it so I can login off net.
I understand that I need to identify the port used for the GUI, which I believe is 80, but I can change that port. The manufacturer suggests it be changed to 8090, which is no problem.
So, from my understanding, I need to enable NAT from the outside IP Port 8090, to the inside IP of the camera.
Static route from the outside IP & Port to the inside IP.
IS that it?
Thanks.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)
Comments
-
dover Member Posts: 184
Hey kmcintosh78,
I'm not sure what code version you're running but all you really need to do is setup a translation. No need for any static routes or anything.
This is a config from 8.4(2) I labbed up real quick:

object network IP_CAMERA
 host 10.0.0.20
 nat (inside,outside) static 55.55.55.55 service tcp www 8090
access-list outside_in extended permit tcp any object IP_CAMERA eq www log
access-group outside_in in interface outside
May not be exactly what you're looking for though...
The IP camera is 10.0.0.20 on the inside and is mapped to the public address 55.55.55.55 on the outside so you could use your interface IP or an available static in your range.
Also, it’s doing a little PAT translation listening on port 8090 on the outside and mapping it to the inside port 80 - which you may not want.
If you set the IP Camera GUI to use port 8090 and don't want the PAT, change the config to:

object network IP_CAMERA
 host 10.0.0.20
 nat (inside,outside) static 55.55.55.55 service tcp 8090 8090
access-list outside_in extended permit tcp any object IP_CAMERA eq 8090 log
access-group outside_in in interface outside
Ehh..hope it helps. At least it gave me something to do besides VPN stuff for a while. -
kmcintosh78 Member Posts: 195
I am going to try that. Thanks.
-
kmcintosh78 Member Posts: 195
Running 7.2(4). CLI a little different.
-
kmcintosh78 Member Posts: 195
Yeah, can't exactly walk it through the ASDM.
This is my first go around with port forwarding like this.
-
TheNewITGuy Member Posts: 169
7.2
access-list outside_access_in permit tcp any host 10.1.1.1 eq www
static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255 -
kmcintosh78 Member Posts: 195
TheNewITGuy wrote: »
7.2
access-list outside_access_in permit tcp any host 10.1.1.1 eq www
static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255
-
Legacy User Unregistered / Not Logged In Posts: 0
I think I may be able to steer you in the right direction as I currently have a similar topology. There's an IP camera system internally that's behind an ASA; it's accessed on my employer's cell phone off net. I'm running 8.2 so the commands may differ.
Make sure you know all the port numbers associated with the camera system; if not, it won't pass through.
Define the port number:
object-group service CAMERA tcp
 port-object eq 8090
Create access list:
access-list inside_access_in extended permit tcp host 10.0.0.20 any object-group CAMERA
access-group inside_access_in in interface inside
Create static NAT:
static (inside,outside) tcp interface 8090 10.0.0.20 8090 netmask 255.255.255.255
If you still see it blocked, look at the real-time log while trying to access the camera from outside to see what port is being blocked.
I'm running GUI 6.4 so it may be slightly different than yours. I'll try to explain it the best I can.
Click on Configuration in the top left corner -> click Firewall -> click Access Rules
On the right side there should be 3 tabs named Addresses, Services, and Time Ranges; if you don't see them, click on View in the top left corner and click them. Once you see them:
Click Services -> Add -> type a name in Group Name, "camera" if you like
-> click the dial for Create New Member -> type the port you want to create, 8090 -> click OK
Click NAT Rules on the left -> Add Static NAT Rule -> under Original -> Interface inside -> Source 10.0.0.20
under Translated -> Interface outside -> click the dial "Use Interface IP Address"
under Port Address Translation (PAT) -> check off Enable PAT -> TCP -> Original Port 8090, Translated Port 8090 -> click OK
click Enable Logging -> OK
On the access rule list go under Outside and create a new rule:
click Outside -> Add Access Rule -> Permit -> Source any (or a specific IP address if you have one) -> Destination (your outside IP address) -> Service (the name of the new service you created), camera
click Inside -> Add Access Rule -> Permit -> Source 10.0.0.20; if the IP address hasn't been added yet, click Source
-> Add -> 10.0.0.20 netmask 255.255.255.255 -> OK -> Destination any -> Service (the name of the new service you created), camera
click Apply
Hope this works for you.
Edit: Had to tweak the configs
-
Legacy User Unregistered / Not Logged In Posts: 0
What's the update? Are you running into any issues?
-
kmcintosh78 Member Posts: 195
Legacy User wrote: »
What's the update? Are you running into any issues?

Been busy with everything else. I am going to work this now and will report back shortly.
-
kmcintosh78 Member Posts: 195
Legacy User wrote: »
I'm running GUI 6.4 so it may be slightly different than yours. I'll try to explain it the best I can.
Click on Configuration in the top left corner -> click Firewall -> click Access Rules
On the right side there should be 3 tabs named Addresses, Services, and Time Ranges; if you don't see them, click on View in the top left corner and click them. Once you see them:
Click Services -> Add -> type a name in Group Name, "camera" if you like
-> click the dial for Create New Member -> type the port you want to create, 8090 -> click OK
Click NAT Rules on the left -> Add Static NAT Rule -> under Original -> Interface inside -> Source 10.0.0.20
under Translated -> Interface outside -> click the dial "Use Interface IP Address"

"[WARNING] static (inside,outside) interface 10.1.13.24 netmask 255.255.255.255 tcp 0 0 udp 0
static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled."

under Port Address Translation (PAT) -> check off Enable PAT -> TCP -> Original Port 8090, Translated Port 8090 -> click OK
click Enable Logging -> OK
On the access rule list go under Outside and create a new rule:
click Outside -> Add Access Rule -> Permit -> Source any (or a specific IP address if you have one) -> Destination (your outside IP address) -> Service (the name of the new service you created), camera
click Inside -> Add Access Rule -> Permit -> Source 10.0.0.20; if the IP address hasn't been added yet, click Source
-> Add -> 10.0.0.20 netmask 255.255.255.255 -> OK -> Destination any -> Service (the name of the new service you created), camera
click Apply
Hope this works for you.
Edit: Had to tweak the configs
-
Legacy User Unregistered / Not Logged In Posts: 0
Not a network object, a service object. Can you create a service object? That's where you define the port.
Firewall --> Access Rules --> Service tab on far right, or on the left go under the Firewall directory --> expand Objects tab, click Service Groups and add your new port.
How do you have your NAT configured?
-
kmcintosh78 Member Posts: 195
Legacy User wrote: »
Not a network object, a service object. Can you create a service object? That's where you define the port.
Firewall --> Access Rules --> Service tab on far right, or on the left go under the Firewall directory --> expand Objects tab, click Service Groups and add your new port.
How do you have your NAT configured?

Do you mean NAT for the firewall as a whole?
-
Legacy User Unregistered / Not Logged In Posts: 0
The way I configured NAT works for me because all the port forwarding was configured exactly the same and no other NAT configurations were implemented. This is how I configured my NAT:
object-group service CAMERA tcp
 port-object eq 9000
 port-object eq 9001
 port-object eq 18004
access-list inside_access_in extended permit tcp host 1.1.2.5 any object-group CAMERA
access-group inside_access_in in interface inside
access-list 100 extended permit tcp any host (outside ip address) object-group CAMERA
access-group 100 in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 1.1.2.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
static (inside,outside) tcp interface 18004 1.1.2.5 18004 netmask 255.255.255.255
static (inside,outside) tcp interface 9000 1.1.2.5 9000 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 1.1.2.250 pop3 netmask 255.255.255.255
I originally tried something similar to this:
static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255
but it didn't allow me to add more than one static NAT entry. TAC mentioned that for my topology it's only best to configure it this way if you have multiple routable IP addresses. In my case I only have one dedicated IP address.
So that's why configuring this way worked for me:
static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
-
kmcintosh78 Member Posts: 195
Let me try that.
Also, I don't see anything negative happening from the warning message I received as stated in my above post.
Is there anything that I should be concerned with?
-
Legacy User Unregistered / Not Logged In Posts: 0
Well, depending on how everything else is configured, the worst that can happen is that whatever was previously NAT'ed will be removed or overwritten.
-
eten Member Posts: 67
access-list 100 extended permit tcp any host 1.1.2.5 object-group CAMERA
Is this applied inbound on the "inside" or "outside"?
If it's applied inbound on the outside, you will need to permit the global IP (public), as ACLs are processed before NAT translation for pre-8.3.
-
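As an added example (not code from any post in this thread), the following Python script parses the pre-8.3 static and access-list lines used above and flags the two problems the thread ran into: the port-less static on the interface address that produced the "all services terminating at outside interface are disabled" warning, and an outside ACL written against the real inside address, which on pre-8.3 never matches because the ACL is checked against the mapped address. It also reports forwarded ports that are open to any source. The outside interface address 203.0.113.5, the sample config (built from Legacy User's config with the two faulty lines added) and the finding names are constructed for the example; the parser handles only the static/access-list/access-group/object-group service forms seen in this thread.

```python
"""Audit a pre-8.3 Cisco ASA port-forward (static + access-list lines).
Added example for this thread, not code from any post. Finding kinds:
FULL_REDIRECT  port-less static on the interface address: every inbound port goes
               to the real host and the ASA's own services on that interface stop
ACL_REAL_ADDR  outside ACL naming the real inside address; pre-8.3 ACLs are
               matched against the mapped address, so the entry never hits
OPEN_TO_ANY    a forwarded port permitted from any source
Addresses and SAMPLE_CONFIG are constructed for the example."""
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110, "ssh": 22}
Static = namedtuple("Static", "real_if mapped_if proto mapped mapped_port real real_port")
Ace = namedtuple("Ace", "acl action proto src dst svc")  # svc: ("eq", port) | ("group", name) | None


def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]   # number or ASA service name


def _addr(t, i):
    """Parse one ACL address spec at t[i]; returns (spec, index of next token)."""
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "object-group", "object"):
        return (t[i], t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2                    # "address mask"


def parse_static(t):
    real_if, mapped_if = t[1].strip("()").split(",")
    body = t[2:t.index("netmask")]
    if body[0] in ("tcp", "udp"):                            # proto mapped mport real rport
        return Static(real_if, mapped_if, body[0], body[1], port_num(body[2]), body[3], port_num(body[4]))
    return Static(real_if, mapped_if, None, body[0], None, body[1], None)   # every port


def parse_ace(t):
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    svc = None                                               # a trailing "log" is ignored
    if i < len(t) and t[i] == "eq":
        svc = ("eq", port_num(t[i + 1]))
    elif i < len(t) and t[i] == "object-group":
        svc = ("group", t[i + 1])
    return Ace(t[1], action, proto, src, dst, svc)


def parse_config(text):
    cfg, group = {"statics": [], "aces": [], "svc_groups": {}, "bindings": {}}, None
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "object-group" and t[1] == "service":    # port-objects follow
            group, cfg["svc_groups"][t[2]] = t[2], set()
        elif t[0] == "port-object" and group:                # only "port-object eq N" handled
            cfg["svc_groups"][group].add(port_num(t[2]))
        else:
            group = None
            if t[0] == "static":
                cfg["statics"].append(parse_static(t))
            elif t[0] == "access-list":
                cfg["aces"].append(parse_ace(t))
            elif t[0] == "access-group":                     # access-group NAME in interface IF
                cfg["bindings"][t[1]] = t[4]
    return cfg


def ace_ports(a, cfg):
    """Ports an ACE covers: the literal "eq" port or the members of a service object-group."""
    return set() if a.svc is None else {a.svc[1]} if a.svc[0] == "eq" else set(cfg["svc_groups"].get(a.svc[1], ()))


def audit(cfg, outside_ip):
    """Return (kind, message) findings; outside_ip is what the keyword "interface" resolves to."""
    findings = []
    real_addrs = {s.real for s in cfg["statics"]}
    forwarded = {(s.proto, s.mapped_port) for s in cfg["statics"] if s.proto}
    for s in cfg["statics"]:
        if s.proto is None and s.mapped == "interface":
            findings.append(("FULL_REDIRECT", f"static for {s.real} takes every port on {outside_ip}; ASA services on {s.mapped_if} are disabled"))
    for a in cfg["aces"]:
        if a.action != "permit" or cfg["bindings"].get(a.acl) != "outside":
            continue
        if a.dst[0] == "host" and a.dst[1] in real_addrs:
            findings.append(("ACL_REAL_ADDR", f"{a.acl}: {a.dst[1]} is the real address; pre-8.3 outside ACLs match the mapped address {outside_ip}"))
        if a.src == ("any",):
            for p in sorted(ace_ports(a, cfg)):
                if (a.proto, p) in forwarded:
                    findings.append(("OPEN_TO_ANY", f"{a.acl}: forwarded {a.proto}/{p} is open to any source"))
    return findings


SAMPLE_CONFIG = """\
object-group service CAMERA tcp
 port-object eq 9000
 port-object eq 9001
access-list inside_access_in extended permit tcp host 1.1.2.5 any object-group CAMERA
access-group inside_access_in in interface inside
access-list 100 extended permit tcp any host 203.0.113.5 object-group CAMERA
access-group 100 in interface outside
static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
static (inside,outside) tcp interface 9000 1.1.2.5 9000 netmask 255.255.255.255
! the next two lines reproduce the mistakes discussed in the thread
static (inside,outside) interface 10.1.13.24 netmask 255.255.255.255
access-list 100 extended permit tcp any host 1.1.2.5 object-group CAMERA
"""

if __name__ == "__main__":
    for kind, msg in audit(parse_config(SAMPLE_CONFIG), "203.0.113.5"):
        print(f"{kind:14} {msg}")
```

Run it on `show running-config` output pasted into a file and pass the outside interface address as the second argument to `audit`. OPEN_TO_ANY is reported even when the thread's setup is "working": a camera admin page on the public interface with `source any` is reachable by every scanner on the internet, so narrow the source to the addresses the phone or office actually uses where that is possible.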
Legacy User Unregistered / Not Logged In Posts: 0
Edit: I made a correction on my last config; realized I copied the wrong config.
-
kmcintosh78 Member Posts: 195
OH YEAH!!!!! You are the Man!!!
Thanks again.
I love this site and all the people here.
-
Legacy User Unregistered / Not Logged In Posts: 0
Cool beans! Now everyone can have a reference, because when I was trying to do the exact same thing 2 months back I couldn't find any information on it. Glad it worked.
-
kmcintosh78 Member Posts: 195
I think I will post the steps for the GUI in the manner that we walked through it.
Should be in about an hour or so.
-
kmcintosh78 Member Posts: 195
This is for implementing outside access to an IP camera on a small, flat network. The network has a single outside/public IP and 2 VLANs, one for data and one for VoIP, which is tunneled to a corporate site.
IP Camera is set as 10.1.13.24 with the interface port for admin set to 8090.
Create a Network Object of the Camera
Config, Firewall, Objects, Network Objects/Groups, Add Network Object.
Name: IP-Camera
Address 10.1.13.24
Subnet: 255.255.255.255
Create a Service Object
Config, Firewall, Objects, Service objects, Add TCP Service Group
Group Name: IP-Camera
Check "create New Member" enter "8090"
Check "add"
Create ACLs
Config, Firewall, Access Control List, Add Access Rule
Check Inside
Permit
Source "IP-Camera"
Destination "any"
Config, Firewall, Access Control List, Add Access Rule
Check Outside
Permit
Source "any"
Destination "**enter the IP of the outside interface**"
Create NAT
Config, Firewall, NAT Rules, ADD Static NAT Rules
Original
Interface "inside"
Source "IP-Camera"
Translated
Interface 'outside"
Check "Use Interface Ip Address"
PAT
Check enable PAT
Original Port "8090"
Translated Port "8090"
Check your ability to access the IP camera.
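The CLI equivalent of the walkthrough above, as an added example rather than the poster's own config: a small Python function that renders the forward with the outside rule narrowed from "any" to a group of trusted admin addresses and logging enabled (the thread's wide-open rule is kept as the `admin_hosts=None` case for comparison). It emits both the pre-8.3 syntax the thread settled on and the 8.3+ object NAT syntax from dover's post, because the ACL destination differs between them: pre-8.3 code matches the ACL against the mapped (outside interface) address, 8.3+ code matches it against the real inside address. The addresses 203.0.113.5 (outside interface) and 203.0.113.10 (admin host), the object names CAMERA_ADMINS, CAMERA and IP_CAMERA, and the ACL name outside_access_in are assumptions made for the example.

```python
"""Render an ASA forward for an IP camera's admin port with the outside rule
narrowed from "any" to trusted admin addresses. Added example for this thread,
not the poster's config. Both syntaxes from the thread are produced, because the
ACL destination differs: pre-8.3 (7.2, 8.2) ACLs are matched against the mapped
outside address, 8.3+ ACLs against the real inside address. Object and ACL names
and the 203.0.113.x addresses in the demo are assumptions."""
import re

HOST_MASK = "255.255.255.255"


def is_legacy_nat(asa_version):
    """True for code before 8.3 (e.g. "7.2(4)", "8.2(5)"), which uses static/global/nat syntax."""
    m = re.match(r"(\d+)\.(\d+)", asa_version)
    if not m:
        raise ValueError(f"unrecognised ASA version {asa_version!r}")
    return (int(m.group(1)), int(m.group(2))) < (8, 3)


def render_forward(asa_version, camera_ip, port, outside_ip, admin_hosts,
                   inside_if="inside", outside_if="outside"):
    """Config lines forwarding tcp/port on the outside interface address to camera_ip:port.
    admin_hosts=None reproduces the thread's wide-open "source any" rule."""
    acl = f"{outside_if}_access_in"
    lines = []
    if admin_hosts is None:
        src = "any"
    else:
        src = "object-group CAMERA_ADMINS"
        lines.append("object-group network CAMERA_ADMINS")
        lines.extend(f" network-object host {h}" for h in admin_hosts)
    if is_legacy_nat(asa_version):
        lines += [
            "object-group service CAMERA tcp",
            f" port-object eq {port}",
            f"static ({inside_if},{outside_if}) tcp interface {port} {camera_ip} {port} netmask {HOST_MASK}",
            # pre-8.3: the ACL is evaluated before NAT, so it names the outside (mapped) address
            f"access-list {acl} extended permit tcp {src} host {outside_ip} object-group CAMERA log",
        ]
    else:
        lines += [
            "object network IP_CAMERA",
            f" host {camera_ip}",
            f" nat ({inside_if},{outside_if}) static interface service tcp {port} {port}",
            # 8.3+: NAT is undone before the ACL, so it names the real (inside) address
            f"access-list {acl} extended permit tcp {src} object IP_CAMERA eq {port} log",
        ]
    lines.append(f"access-group {acl} in interface {outside_if}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ver in ("7.2(4)", "8.4(2)"):
        print(f"! ASA {ver}")
        print(render_forward(ver, "10.1.13.24", 8090, "203.0.113.5", ["203.0.113.10"]))
```

Two points about the rendered output. On pre-8.3 the `interface` keyword in the static still requires the actual outside address in the ACL, so `outside_ip` must be the address configured on that interface; it is unused for 8.3+. The output also carries no inside-to-any rule: the ASA is stateful, so replies to the inbound connection are passed without one, and the extra permit in the walkthrough only widens what the camera itself may initiate.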