Need assistance. IP Camera behind Cisco ASA.

kmcintosh78kmcintosh78 Posts: 195Member
I have installed an IP Camera on the network, which has a Cisco ASA 5505 as the firewall.
I want to enable it so I can login off net.

I understand that I need to identify the port used for GUI, which I believe is 80, but I can change that port. The manufacture suggests it be changed to 8090, which is no problem.

So, from my understanding, I need to enable NAT from the outside IP Port 8090, to the inside IP of the camera.
Static route from the outside IP & Port to the inside IP.

IS that it?
Thanks.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)

Comments

  • doverdover Posts: 184Member ■■■■□□□□□□
    Hey kmcintosh78,

    I'm not sure what code version you're running but all you really need to do is setup a translation. No need for any static routes or anything.

    This is a config from 8.4(2) I labbed up real quick:
    object network IP_CAMERA
    host 10.0.0.20
    nat (inside,outside) static 55.55.55.55 service tcp www 8090
    
    access-list outside_in extended permit tcp any object IP_CAMERA eq www log
    
    access-group outside_in in interface outside
    

    May not be exactly what you're looking for though...

    The IP camera is 10.0.0.20 on the inside and is mapped to the public address 55.55.55.55 on the outside so you could use your interface IP or an available static in your range.

    Also, it’s doing a little PAT translation listening on port 8090 on the outside and mapping it to the inside port 80 - which you may not want.

    If you set the IP Camera GUI to use port 8090 and don't want the PAT, change the config to:
    object network IP_CAMERA
    host 10.0.0.20
    nat (inside,outside) static 55.55.55.55 service tcp 8090 8090
    
    access-list outside_in extended permit tcp any object IP_CAMERA eq 8090 log
    
    access-group outside_in in interface outside
    

    Ehh..hope it helps. At least it gave me something to do besides VPN stuff for a while.
  • kmcintosh78kmcintosh78 Posts: 195Member
    I am going to try that. Thanks.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • kmcintosh78kmcintosh78 Posts: 195Member
    Running 7.2(4). CLI a little different.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • kmcintosh78kmcintosh78 Posts: 195Member
    Yeah, can't exactly walk it through the ASDM.
    This is my first go around with port forwarding like this.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • TheNewITGuyTheNewITGuy Posts: 169Member ■■■■□□□□□□
    7.2

    access-list outside_access_in permit tcp any host 10.1.1.1 eq www

    static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255
  • kmcintosh78kmcintosh78 Posts: 195Member
    7.2

    access-list outside_access_in permit tcp any host 10.1.1.1 eq www

    static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255
    Giving me an invalid command for "host".
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    I think I may be able to steer you in the right direction as I currently have a similar topology. There's an ip camera system internal thats behind an asa its accessed on my employers cell phone off net. I'm running 8.2 so the cmds may differ.

    Make sure you know all the port numbers associated to the camera system if not it won't pass through

    Define the port number

    object-group service CAMERA tcp
    port-object eq 8090

    Create access list

    access-list inside_access_in extended permit tcp host 10.0.0.20 any object-group CAMERA

    access-group inside_access_in in interface inside


    create static nat

    static (inside,outside) tcp interface 8090 10.0.0.20 8090 netmask 255.255.255.255

    If you still see it blocked look at the real time log while trying to access camera from outside to see what port is being blocked.


    I'm running gui 6.4 so it may be slightly different then yours. I'll try to explain it the best I can.

    Click on configuration in the top left corner ->click firewall-> click access rules

    On the right side there should be 3 tabs named Addresses, Services, and Time ranges if you don't see that click on view in the top left corner and click them. Once you see them

    Click Services-> Add ->Type name in Group Name "camera" if you like
    -> click the dial for create new member ->type ports your want to create 8090 ->click ok

    Click Nat rules on the left -> add static nat rule -> under original->interface inside ->source 10.0.0.20

    under translated ->interface outside ->click dial "use interface ip address"

    under port address translation (pat)->check off enable pat ->tcp -> original port 8090 translated port 8090 ->click ok

    click enable logging -> ok

    On the access rule list go under outside and create a new rule

    click outside->add access rule -> permit -> source any (or if you have a specific ip address) ->destination (your outside ip address) ->service (name of the new service your created) camera

    click inside->add access rule -> permit -> source 10.0.0.20 if the ip address hasn't been added yet-click source
    ->add-> 10.0.0.20 netmask 255.255.255.255->ok ->destination any->service (name of the new service your created) camera

    click apply

    Hope this works for you.

    Edit: Had to tweek the configs
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Whats the update? Are you running into any issues?
  • kmcintosh78kmcintosh78 Posts: 195Member
    dmarcisco wrote: »
    Whats the update? Are you running into any issues?

    Been busy with everything else. I am going to work this now and will report back shortly.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • kmcintosh78kmcintosh78 Posts: 195Member
    dmarcisco wrote: »


    I'm running gui 6.4 so it may be slightly different then yours. I'll try to explain it the best I can.

    Click on configuration in the top left corner ->click firewall-> click access rules

    On the right side there should be 3 tabs named Addresses, Services, and Time ranges if you don't see that click on view in the top left corner and click them. Once you see them
    Left side is missing on mine. I am running ASDM 6.4.
    dmarcisco wrote: »
    Click Services-> Add ->Type name in Group Name "camera" if you like
    -> click the dial for create new member ->type ports your want to create 8090 ->click ok
    I was able to create a new network object, but there is no dial for it.

    dmarcisco wrote: »
    Click Nat rules on the left -> add static nat rule -> under original->interface inside ->source 10.0.0.20

    under translated ->interface outside ->click dial "use interface ip address"
    I got this error message
    "[WARNING] static (inside,outside) interface 10.1.13.24 netmask 255.255.255.255 tcp 0 0 udp 0
    static redirecting all traffics at outside interface;
    WARNING: all services terminating at outside interface are disabled."
    dmarcisco wrote: »
    under port address translation (pat)->check off enable pat ->tcp -> original port 8090 translated port 8090 ->click ok

    click enable logging -> ok

    On the access rule list go under outside and create a new rule

    click outside->add access rule -> permit -> source any (or if you have a specific ip address) ->destination (your outside ip address) ->service (name of the new service your created) camera

    click inside->add access rule -> permit -> source 10.0.0.20 if the ip address hasn't been added yet-click source
    ->add-> 10.0.0.20 netmask 255.255.255.255->ok ->destination any->service (name of the new service your created) camera

    click apply

    Hope this works for you.

    Edit: Had to tweek the configs
    I did not proceed past the NAT config, due to the warning message.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Not a network object a service object..Can you create a service object thats where you define the port?

    Firewall-->access rules--> service tab on far right or on left go under the firewall directory-->expand objects tab click service groups and add your new port.

    How do you have your nat configured?
  • kmcintosh78kmcintosh78 Posts: 195Member
    dmarcisco wrote: »
    Not a network object a service object..Can you create a service object thats where you define the port?

    Firewall-->access rules--> service tab on far right or on left go under the firewall directory-->expand objects tab click service groups and add your new port.

    How do you have your nat configured?
    I was able to create a new service group.

    Do you mean NAT for the firewall as a whole?
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    The way I configured nat it works for me because all the port forwarding was configured exactly same and no other nat configurations were implemented. This is how I configured my nat:

    object-group service CAMERA tcp
    port-object eq 9000
    port-object eq 9001
    port-object eq 18004


    access-list inside_access_in extended permit tcp host 1.1.2.5 any object-group CAMERA
    access-group inside_access_in in interface inside

    access-list 100 extended permit tcp any host (outside ip address) object-group CAMERA
    access-group 100 in interface outside

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0

    static (inside,outside) tcp interface smtp 1.1.2.250 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
    static (inside,outside) tcp interface 18004 1.1.2.5 18004 netmask 255.255.255.255
    static (inside,outside) tcp interface 9000 1.1.2.5 9000 netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 1.1.2.250 pop3 netmask 255.255.255.255


    I originally tried something similar to this:

    static (inside,outside) tcp 84.44.22.33 80 10.1.1.1 80 netmask 255.255.255.255

    but it didnt allow me to add more then one static nat entry TAC mentioned for my topology its only best to configure it this way if you have multiple routable ip addresses. In my case I only have one dedicated ip address.

    So thats why configuring this way worked for me:

    static (inside,outside) tcp interface 9001 1.1.2.5 9001 netmask 255.255.255.255
  • kmcintosh78kmcintosh78 Posts: 195Member
    Let me try that .

    Also, I don't see anything negative happening from the warning message I received as stated in my above post.

    Is there anything that I should be concerned with?
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Well depending how everything else is configured worst that can happen whatever was previously nat'ed will be removed or overwritten
  • eteneten Posts: 67Member ■■□□□□□□□□
    access-list 100 extended permit tcp any host 1.1.2.5 object-group CAMERA

    Is this applied inbound on the "inside" or "outside"?

    If its applied inbound on the outside, you will need to permit the global IP (public) as ACLs are processed before NAT translation for pre 8.3.
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Edit: I made correction on my last config realized I copied the wrong config.
  • kmcintosh78kmcintosh78 Posts: 195Member
    OH YEAH!!!!! You are the Man!!!

    Thanks again.


    I love this site and all the people here. '
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • Legacy UserLegacy User Posts: 0Unregistered / Not Logged In ■□□□□□□□□□
    Cool beans! Now everyone can have a reference because when I was trying to do the exact same thing 2 months back couldn't find any information on it. Glad it worked :)
  • kmcintosh78kmcintosh78 Posts: 195Member
    I think I will post the steps for the GUI in the manner that we walked through it.
    Should be in about an hour or so.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
  • kmcintosh78kmcintosh78 Posts: 195Member
    This is for implementing outside access to an IP camera on a small,flat network. The network has a single Outside/Public IP and 2 VLANS, one for Data one for VoIP which is tunneled to a Corporate Site.

    IP Camera is set as 10.1.13.24 with the interface Port for Admin set to 8090.

    Create a Network Object of the Camera
    Config, Firewall, Objects, Network Objects/Groups, Add Network Object.
    Name: IP-Camera
    Address 10.1.13.24
    Subnet: 255.255.255.255

    Create a Service Object
    Config, Firewall, Objects, Service objects, Add TCP Service Group
    Group Name: IP-Camera
    Check "create New Member" enter "8090"
    Check "add"

    Create ACLs
    Config, Firewall, Access Control List, Add Access Rule
    Check Inside
    Permit
    Source "IP-Camera"
    Destination "any"

    Config, Firewall, Access Control List, Add Access Rule
    Check Outside
    Permit
    Source "any"
    Destination "**enter the IP of the outside interface**"

    Create NAT
    Config, Firewall, NAT Rules, ADD Static NAT Rules
    Original
    Interface "inside"
    Source "IP-Camera"
    Translated
    Interface 'outside"
    Check "Use Interface Ip Address"
    PAT
    Check enable PAT
    Original Port "8090"
    Translated Port "8090"

    Check your ability to access the IP camera.
    What I am working on
    CCNP Route (Currently) 80% done
    CCNP Switch (Next Year)
    CCNP TShoot (Next Year)
Sign In or Register to comment.