Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 634
  • Last Modified:

Need to Access a network camera on internal network from external network

I have a network camera in my test fixture area that I would like a customers to be able to view.  The camera is set for port 80.  I have tried port forwarding by typing the following:

static (inside,outside2) tcp interface 80 192.168.3.120 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 80

I still cannot access camera from outside network.  Any suggesions would be greatly appreciated.
0
krhoades7601
Asked:
krhoades7601
  • 4
  • 3
  • 3
  • +3
1 Solution
 
kdearingCommented:
You'll probably need to post the entire config to determine what the problem is.
Of course, redact public IPs and any other sensitive info.
0
 
smittyboomCommented:
192 is a internal number only. You are going to have to have a NAT address that points to that internal address. You will need to use that NAT address to reach the camera from an external network. 192 class numbers are not valid external network or internet ip addresses. You can do a reverse IP lookup or contact your internet provider to find out what the NAT address is.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
lrmooreCommented:
The static and the access-list are correct.
Check the default gateway setup on the camera
0
 
PugglewuggleCommented:
I've got to ask, but can you access the camera from the inside network?
0
 
krhoades7601Author Commented:
I checked the default gateway of the camera and it is set properly.  I can access the network internally by typing http://192.168.3.120 in my browser and it comes up.  I will supply a copy of the running configuration once I get to work.  Thank you for the response.  Hopefully, I can get this working today.
0
 
lrmooreCommented:
static (inside,outside2)
                           ^^^
You have multiple outside interfaces?
I'm curious to see the running config to see where your firewall's default route goes...
0
 
smittyboomCommented:
if your trying to type a 192 class # from the internet to see your camera it will never work!
0
 
PugglewuggleCommented:
That is right - make sure you are accessing with your public IP address: you can find it by going to http://whatsmyip.org/ and looking at the top of the screen.
Cheers!
0
 
krhoades7601Author Commented:
Okay!  Below is my configuration.  Sorry it took me so long.  

ASA Version 7.2(4)
!
hostname portland
domain-name xyy.com
enable password
names
name 9..10.11.12 Dayton-Outside
name 192.168.1.0 Dayton-Inside
name 192.168.3.188 Trixbox
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.6.7.8 255.255.255.192
 ospf cost 10
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Vlan4
 nameif outside2
 security-level 0
 ip address 1.2.3.4 255.255.255.252
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
banner motd
banner motd    #########################################################################
banner motd    #                                                                       #
banner motd    # This system is for the use of authorized users only. Individuals      #
banner motd    # using this computer system without authority, or in excess of their   #
banner motd    # authority, are subject to having all of their activities on this      #
banner motd    # system monitored and recorded by system personnel.                    #
banner motd    #                                                                       #
banner motd    # In the course of monitoring individuals improperly using this system, #
banner motd    # or in the course of system maintenance, the activities of authorized  #
banner motd    # users may also be monitored.                                          #
banner motd    #                                                                       #
banner motd    # Anyone using this system expressly consents to such monitoring and    #
banner motd    # is advised that if such monitoring reveals possible evidence of       #
banner motd    # criminal activity, system personnel may provide the evidence of such  #
banner motd    # monitoring to law enforcement officials.                              #
banner motd    #                                                                       #
banner motd    #########################################################################
banner motd
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xyz.com
object-group service Port_4445 tcp
 port-object eq 4445
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 Dayton-Inside 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.3.0 255.255.255.0 Dayton-Inside 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp host 198.30.92.2 eq ntp any eq ntp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list priority-servers remark Add Here Destination Server IPs Requiring QoS
access-list priority-servers remark Including Both Local and Remote Servers
access-list priority-servers extended permit ip Dayton-Inside 255.255.255.0 host 192.168.3.15
access-list priority-servers extended permit ip Dayton-Inside 255.255.255.0 host 192.168.3.168
access-list priority-servers extended permit ip 192.168.3.0 255.255.255.0 host 192.168.1.3
access-list priority-servers extended permit ip 192.168.3.0 255.255.255.0 host 192.168.1.249
pager lines 24
logging enable
logging timestamp
logging buffer-size 10240
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm notifications
logging mail critical
logging from-address krhoades@xyz.com
logging recipient-address ciscogroup@xyz.com level critical
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu outside2 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface outside2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any outside2
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside2) tcp interface www 192.168.3.120 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2
route outside2 0.0.0.0 0.0.0.0 75.149.90.150 1 track 1
route outside 0.0.0.0 0.0.0.0 67.76.200.129 254
timeout xlate 0:05:00
timeout conn 168:00:00 half-closed 0:10:00 udp 0:05:00 icmp 0:00:30
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside2
http 0.0.0.0 0.0.0.0 outside
http 192.168.3.0 255.255.255.0 inside
snmp-server host outside2 64.56.116.1 poll community 22vgX
no snmp-server location
no snmp-server contact
snmp-server community 22vgX
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 64.56.105.122 interface outside2
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec df-bit clear-df inside
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.56.105.122
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 300
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto isakmp enable outside
crypto isakmp enable outside2
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal  20
!
track 1 rtr 123 reachability
telnet Dayton-Inside 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
console timeout 30

priority-queue outside
priority-queue inside
priority-queue outside2
ntp server 198.30.92.2
tftp-server inside 192.168.3.15 portland
username kiwi password ASOXfjPZd36TNPQ0 encrypted privilege 15
username krhoades password LlrRyUI2rrVkfZ3L encrypted privilege 15
username cisco500 password NivFZqUgthCHah0J encrypted privilege 15
username lwasserman password KYuqqyXdd2qDeHmF encrypted privilege 15
username tims password 8woCmo9cVKF6J5Tx encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 64.56.105.122 type ipsec-l2l
tunnel-group 64.56.105.122 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
class-map SIP
 description For SIP Ports
 match port udp range sip 5061
class-map SERVERS
 description For Critical Servers
 match access-list priority-servers
class-map IAX2
 description For IAX2 Support
 match port udp eq 4569
class-map inspection_default
 match default-inspection-traffic
class-map SIP-SUP
 description For SIP Support
 match port udp range 10000 20000
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
policy-map QoS-Policy
 description Port_5038
 class SIP
  priority
 class IAX2
  priority
 class SIP-SUP
  priority
 class SERVERS
  priority
!
service-policy global_policy global
service-policy QoS-Policy interface outside
service-policy QoS-Policy interface inside
service-policy QoS-Policy interface outside2
smtp-server 64.56.96.44
prompt hostname context
Cryptochecksum:4cc958588adc046355463096c83b76e4
: end
asdm image disk0:/asdm-524.bin
asdm location Dayton-Inside 255.255.255.0 inside
asdm location Dayton-Outside 255.255.255.248 outside
asdm location Dayton-Inside 255.255.255.0 outside
asdm location Trixbox 255.255.255.255 inside
asdm history enable
0
 
lrmooreCommented:
>access-list outside_access_in extended permit tcp any interface outside eq www

Add:
access-list outside_access_in extended permit tcp any interface outside2 eq www
0
 
smittyboomCommented:
Once again. Are you trying to access this camera using the 192 address from a external network?
Once again. If you are then this WILL NOT WORK.
0
 
krhoades7601Author Commented:
Thank you soooo much!  You rock.  It finally works!!!!  Thank you Thank you Thank you!!!
0
 
krhoades7601Author Commented:
I tested it from an outside network and it works!!!!  I am so happy!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 4
  • 3
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now