Cisco ASA 5505 not allowing outside TCP connection

kmcintosh78 Member Posts: 195
So, I have followed my own notepad instructions to set up access from the outside, to internal IP cameras. I have done this on several ASAs without issue. But, I have tried it on a site that I didn't build out, and can't get a connection.

Can anyone assist me with resolving this?
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)

Comments

  • f0rgiv3n Connection Overlord Member Posts: 598
    Did you look at the logs as you were attempting to connect to the IP camera? That will tell you what is going on. In ASDM just go to "Monitoring" -> "Logging" -> "Logging level: Debugging" -> View.

    What does it say when you try to connect? Normally the process is:
    1. Setup NAT (object NAT or policy NAT, whichever)
    2. Allow via ACL
    3. DONE!
  • kmcintosh78 Member Posts: 195
    Here are the steps I followed to configure this. I have done this on several others with success every time.

    IP Camera is set as 10.0.4.4 with the interface Port for Admin set to 8090.

    Create a Network Object of the Camera
    Config, Firewall, Objects, Network Objects/Groups, Add Network Object.
    Name: IP-Camera
    Address 10.0.4.4
    Subnet: 255.255.255.255

    Create a Service Object
    Config, Firewall, Objects, Service objects, Add TCP Service Group
    Group Name: IP-Camera
    Check "create New Member" enter "8090"
    Check "add"

    Create ACLs
    Config, Firewall, Access Control List, Add Access Rule
    Check Inside
    Permit
    Source "IP-Camera"
    Destination "any"

    Config, Firewall, Access Control List, Add Access Rule
    Check Outside
    Permit
    Source "any"
    Destination "**enter the IP of the outside interface**"

    Create NAT
    Config, Firewall, NAT Rules, ADD Static NAT Rules
    Original
    Interface "inside"
    Source "IP-Camera"
    Translated
    Interface "outside"
    Check "Use Interface Ip Address"
    PAT
    Check enable PAT
    Original Port "8090"
    Translated Port "8090"

    Check your ability to access the IP camera.

    Here is the message from the log.
    4 Apr 19 2013 20:25:18 106023 X.X.X.X 60528 Corp-Outside 8090 Deny tcp src outside:X.X.X.X/60528 dst inside:Corp-Outside/8090 by access-group "outside_access_in" [0x2c1c6a65, 0x0]
  • networker050184 Mod Posts: 11,962
    What does outside_access_in look like? Blocking this traffic it would appear.
    An expert is a man who has made all the mistakes which can be made.
  • kmcintosh78 Member Posts: 195
    networker050184 wrote: »
    What does outside_access_in look like? Blocking this traffic it would appear.

    access-list outside_access_in extended deny ip any any
    access-list outside_access_in extended permit ip host Boulder-Outside host Corp-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host Boulder-Outside
    access-list outside_access_in extended permit ip host Clearfield-Outside host Corp-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host Clearfield-Outside
    access-list outside_access_in remark equity-corporate domain
    access-list outside_access_in extended permit ip host American-Fork-Outside host Corp-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host American-Fork-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host ST-George-Outside
    access-list outside_access_in extended permit ip host ST-George-Outside host Corp-Outside
    access-list outside_access_in extended permit ip any host Corp-Outside
  • f0rgiv3n Connection Overlord Member Posts: 598
    ACLs are black and white. They're considered a Mandatory Access Control because it's literally Mandatory for every packet to follow the rules. The ACEs you have in your outside_access_in are not catching the traffic.

    Maybe you could try adding a more specific ACE: permitting from any to the exact IP of the Camera.

    Also remember: After ASA software release 8.2 the IP that you refer to is the REAL IP not the NAT'd IP.
    Ah HA! I just realized that might be your problem. You have "set destination as outside interface IP". The new ASA software changed it to be the real IP of the device you'll be connecting to. Try changing the destination IP to the private IP of the IP camera instead of the outside interface IP on the ACL.
  • Zartanasaurus Member Posts: 2,008
    Use the packet tracer feature in ASDM to figure out where in the process it's breaking. If it passes that, it's probably something else causing a problem.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%
  • creamy_stew Member Posts: 406
    kmcintosh78 wrote: »
    access-list outside_access_in extended deny ip any any
    access-list outside_access_in extended permit ip host Boulder-Outside host Corp-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host Boulder-Outside
    access-list outside_access_in extended permit ip host Clearfield-Outside host Corp-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host Clearfield-Outside
    access-list outside_access_in remark equity-corporate domain
    access-list outside_access_in extended permit ip host American-Fork-Outside host Corp-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host American-Fork-Outside
    access-list outside_access_in extended permit ip host Corp-Outside host ST-George-Outside
    access-list outside_access_in extended permit ip host ST-George-Outside host Corp-Outside
    access-list outside_access_in extended permit ip any host Corp-Outside

    Umm
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • kmcintosh78 Member Posts: 195
    f0rgiv3n wrote: »
    ACLs are black and white. They're considered a Mandatory Access Control because it's literally Mandatory for every packet to follow the rules. The ACEs you have in your outside_access_in are not catching the traffic.

    Maybe you could try adding a more specific ACE: permitting from any to the exact IP of the Camera.

    Also remember: After ASA software release 8.2 the IP that you refer to is the REAL IP not the NAT'd IP.
    Ah HA! I just realized that might be your problem. You have "set destination as outside interface IP". The new ASA software changed it to be the real IP of the device you'll be connecting to. Try changing the destination IP to the private IP of the IP camera instead of the outside interface IP on the ACL.

    Tried changing the allow rule and adding a new rule for the actual IP. No dice.
  • networker050184 Mod Posts: 11,962
    Did you see the deny any at the top that creamy_stew pointed out? Adding allowed statements after the deny isn't going to help!
  • kmcintosh78 Member Posts: 195
    I also tried adding the outside IP I am coming from as an allowed source, still no change.
  • networker050184 Mod Posts: 11,962
    Did you get rid of the deny any at the top? Or at least move it to the bottom?
  • kmcintosh78 Member Posts: 195
    networker050184 wrote: »
    Did you see the deny any at the top that creamy_stew pointed out? Adding allowed statements after the deny isn't going to help!

    Isn't that the implied deny statement that can't be removed?
  • networker050184 Mod Posts: 11,962
    The implied comes at the end and it doesn't show in the configuration.
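Added example, not code from the thread: a small first-match evaluator over the outside_access_in list posted above. It shows that the leading deny ip any any catches the camera flow from the 106023 log line before any permit is consulted, that moving the deny to the bottom (the fix networker050184 pointed at) lets the permit any host Corp-Outside line match, and that the implicit deny only applies when no configured ACE matches. The addresses behind the object names and the outside source are constructed placeholders; ports are ignored because every ACE here is protocol ip.

```python
import ipaddress
# Constructed sample addresses for the thread's object names (placeholders).
NAMES = {"Corp-Outside": "203.0.113.10", "Boulder-Outside": "198.51.100.20"}

# The ACL as posted in the thread, shortened to the lines that matter here.
ACL = """\
access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit ip host Boulder-Outside host Corp-Outside
access-list outside_access_in remark equity-corporate domain
access-list outside_access_in extended permit ip any host Corp-Outside
""".splitlines()

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST'; remarks return None."""
    tok = line.split()
    if tok[2] != "extended":
        return None                      # remark lines never match traffic
    def take(t):                         # 'any' or 'host <name|ip>'
        if t[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), t[1:]
        return ipaddress.ip_network(NAMES.get(t[1], t[1]) + "/32"), t[2:]
    src, rest = take(tok[5:])
    dst, rest = take(rest)
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst}

def evaluate(acl, proto, src_ip, dst_ip):
    """First-match walk, top to bottom: (position, action), or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pos, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]:
            return pos, ace["action"]   # later ACEs are never consulted
    return None, "deny (implicit)"       # not in running-config, always last

def camera_verdict(acl):
    """The flow from the 106023 log line: outside host -> Corp-Outside tcp/8090."""
    return evaluate(acl, "tcp", "192.0.2.55", NAMES["Corp-Outside"])

def move_deny_to_bottom(acl):
    """The fix the thread converged on: the blanket deny must come last."""
    deny = [l for l in acl if " deny ip any any" in l]
    return [l for l in acl if l not in deny] + deny

if __name__ == "__main__":
    print("as posted :", camera_verdict(ACL))                       # (1, 'deny')
    print("deny moved:", camera_verdict(move_deny_to_bottom(ACL)))  # (3, 'permit')
```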
  • kmcintosh78 Member Posts: 195
    networker050184 wrote: »
    Did you get rid of the deny any at the top? Or at least move it to the bottom?

    I removed it, and put it back, now I can get in. Thanks.
  • f0rgiv3n Connection Overlord Member Posts: 598
    Can't believe I missed that. :D Good find.
  • RouteMyPacket Member Posts: 1,104
    creamy_stew wrote: »
    Umm

    LMAO! BINGO! Scrolled down and saw that and knew someone would catch that one. :D
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test: if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?