Cisco asa 5505 not allowing outside TCP Connection

So, I have followed my own notepad instructions to set up access from the outside, to internal IP cameras. I have done this on several ASAs without issue. But, I have tried it on a site that I didn't build out, and can't get a connection.

Can anyone assist me with resolving this?

Find more posts tagged with

Comments

f0rgiv3n

Did you look at the logs as you were attempting to connect to the IP camera? That will tell you what is going on. In ASDM just go to "Monitoring" -> "Logging" -> "Logging level: Debugging" -> View.

What does it say when you try to connect? normally the process:
1. Setup NAT (object NAT or policy NAT whichever)
2. Allow via ACL
3. DONE!

kmcintosh78

Here are the steps I followed to configure this. I have done this on several others with success every time.

IP Camera is set as 10.0.4.4 with the interface Port for Admin set to 8090.

Create a Network Object of the Camera
Config, Firewall, Objects, Network Objects/Groups, Add Network Object.
Name: IP-Camera
Address 10.0.4.4
Subnet: 255.255.255.255

Create a Service Object
Config, Firewall, Objects, Service objects, Add TCP Service Group
Group Name: IP-Camera
Check "create New Member" enter "8090"
Check "add"

Create ACLs
Config, Firewall, Access Control List, Add Access Rule
Check Inside
Permit
Source "IP-Camera"
Destination "any"

Config, Firewall, Access Control List, Add Access Rule
Check Outside
Permit
Source "any"
Destination "**enter the IP of the outside interface**"

Create NAT
Config, Firewall, NAT Rules, ADD Static NAT Rules
Original
Interface "inside"
Source "IP-Camera"
Translated
Interface 'outside"
Check "Use Interface Ip Address"
PAT
Check enable PAT
Original Port "8090"
Translated Port "8090"

Check your ability to access the IP camera.

Here is the message from the log.
4 Apr 19 2013 20:25:18 106023 X.X.X.X 60528 Corp-Outside 8090 Deny tcp src outside:X.X.X.X/60528 dst inside:Corp-Outside/8090 by access-group "outside_access_in" [0x2c1c6a65, 0x0]

networker050184

What does outside_access_in look like? Blocking this traffic it would appear.

kmcintosh78

networker050184 wrote: »

What does outside_access_in look like? Blocking this traffic it would appear.

access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit ip host Boulder-Outside host Corp-Outside
access-list outside_access_in extended permit ip host Corp-Outside host Boulder-Outside
access-list outside_access_in extended permit ip host Clearfield-Outside host Corp-Outside
access-list outside_access_in extended permit ip host Corp-Outside host Clearfield-Outside
access-list outside_access_in remark equity-corporate domain
access-list outside_access_in extended permit ip host American-Fork-Outside host Corp-Outside
access-list outside_access_in extended permit ip host Corp-Outside host American-Fork-Outside
access-list outside_access_in extended permit ip host Corp-Outside host ST-George-Outside
access-list outside_access_in extended permit ip host ST-George-Outside host Corp-Outside
access-list outside_access_in extended permit ip any host Corp-Outside

f0rgiv3n

ACLs are black and white. They're considered a Mandatory Access Control because it's literally Mandatory for every packet to follow the rules. The ACEs you have in your outside_access_in are not catching the traffic.

Maybe you could try adding a more specific ACE: permitting from any to the exact IP of the Camera.

Also remember: After ASA software release 8.2 the IP that you refer to is the REAL IP not the NAT'd IP.
ah HA! i just realized that might be your problem. You have "set destination as outside interface IP". The new ASA software changed it to be the real IP of the device you'll be connecting to. Try changing the destination IP to the private IP of the ip camera instead of the outside interface IP on the ACL

Zartanasaurus

Use the packet tracer feature in ASDM to figure out where in the process it's breaking. If it passes that, it's probably something else causing a problem.

creamy_stew

kmcintosh78 wrote: »

access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit ip host Boulder-Outside host Corp-Outside
access-list outside_access_in extended permit ip host Corp-Outside host Boulder-Outside
access-list outside_access_in extended permit ip host Clearfield-Outside host Corp-Outside
access-list outside_access_in extended permit ip host Corp-Outside host Clearfield-Outside
access-list outside_access_in remark equity-corporate domain
access-list outside_access_in extended permit ip host American-Fork-Outside host Corp-Outside
access-list outside_access_in extended permit ip host Corp-Outside host American-Fork-Outside
access-list outside_access_in extended permit ip host Corp-Outside host ST-George-Outside
access-list outside_access_in extended permit ip host ST-George-Outside host Corp-Outside
access-list outside_access_in extended permit ip any host Corp-Outside

Umm

kmcintosh78

f0rgiv3n wrote: »

ACLs are black and white. They're considered a Mandatory Access Control because it's literally Mandatory for every packet to follow the rules. The ACEs you have in your outside_access_in are not catching the traffic.

Maybe you could try adding a more specific ACE: permitting from any to the exact IP of the Camera.

Also remember: After ASA software release 8.2 the IP that you refer to is the REAL IP not the NAT'd IP.
ah HA! i just realized that might be your problem. You have "set destination as outside interface IP". The new ASA software changed it to be the real IP of the device you'll be connecting to. Try changing the destination IP to the private IP of the ip camera instead of the outside interface IP on the ACL

Tried changing the allow rule and adding a new rule for he actual IP. No dice.

networker050184

Did you see the deny any at the top that creamy_stew pointed out? Adding allowed statements after the deny aren't going to help!

kmcintosh78

I also tried adding the outside IP I am coming from as an allowed source, still no change.

networker050184

Did you get rid of the deny any at the top? Or at least move it to the bottom?

kmcintosh78

networker050184 wrote: »

Did you see the deny any at the top that creamy_stew pointed out? Adding allowed statements after the deny aren't going to help!

Isn't that the implied deny statement that can't be removed?

networker050184

The implied comes at the end and it doesn't show in the configuration.

kmcintosh78

networker050184 wrote: »

Did you get rid of the deny any at the top? Or at least move it to the bottom?

I removed it, and put it back, now I can get in. Thanks.

f0rgiv3n

Can't believe i missed that.

Good find.

RouteMyPacket

creamy_stew wrote: »

Umm

LMAO! BINGO! Scrolled down and saw that and knew someone would catch that one.