Solved

Need to Access a network camera on internal network from external network

Posted on 2008-09-29
14
578 Views
Last Modified: 2012-06-27
I have a network camera in my test fixture area that I would like a customers to be able to view.  The camera is set for port 80.  I have tried port forwarding by typing the following:

static (inside,outside2) tcp interface 80 192.168.3.120 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 80

I still cannot access camera from outside network.  Any suggesions would be greatly appreciated.
0
Comment
Question by:krhoades7601
  • 4
  • 3
  • 3
  • +3
14 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 22602025
You'll probably need to post the entire config to determine what the problem is.
Of course, redact public IPs and any other sensitive info.
0
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 22602038
0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22602469
192 is a internal number only. You are going to have to have a NAT address that points to that internal address. You will need to use that NAT address to reach the camera from an external network. 192 class numbers are not valid external network or internet ip addresses. You can do a reverse IP lookup or contact your internet provider to find out what the NAT address is.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22602562
The static and the access-list are correct.
Check the default gateway setup on the camera
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22602720
I've got to ask, but can you access the camera from the inside network?
0
 

Author Comment

by:krhoades7601
ID: 22603849
I checked the default gateway of the camera and it is set properly.  I can access the network internally by typing http://192.168.3.120 in my browser and it comes up.  I will supply a copy of the running configuration once I get to work.  Thank you for the response.  Hopefully, I can get this working today.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22604803
static (inside,outside2)
                           ^^^
You have multiple outside interfaces?
I'm curious to see the running config to see where your firewall's default route goes...
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 4

Expert Comment

by:smittyboom
ID: 22604896
if your trying to type a 192 class # from the internet to see your camera it will never work!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22605602
That is right - make sure you are accessing with your public IP address: you can find it by going to http://whatsmyip.org/ and looking at the top of the screen.
Cheers!
0
 

Author Comment

by:krhoades7601
ID: 22605699
Okay!  Below is my configuration.  Sorry it took me so long.  

ASA Version 7.2(4)
!
hostname portland
domain-name xyy.com
enable password
names
name 9..10.11.12 Dayton-Outside
name 192.168.1.0 Dayton-Inside
name 192.168.3.188 Trixbox
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.6.7.8 255.255.255.192
 ospf cost 10
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Vlan4
 nameif outside2
 security-level 0
 ip address 1.2.3.4 255.255.255.252
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
banner motd
banner motd    #########################################################################
banner motd    #                                                                       #
banner motd    # This system is for the use of authorized users only. Individuals      #
banner motd    # using this computer system without authority, or in excess of their   #
banner motd    # authority, are subject to having all of their activities on this      #
banner motd    # system monitored and recorded by system personnel.                    #
banner motd    #                                                                       #
banner motd    # In the course of monitoring individuals improperly using this system, #
banner motd    # or in the course of system maintenance, the activities of authorized  #
banner motd    # users may also be monitored.                                          #
banner motd    #                                                                       #
banner motd    # Anyone using this system expressly consents to such monitoring and    #
banner motd    # is advised that if such monitoring reveals possible evidence of       #
banner motd    # criminal activity, system personnel may provide the evidence of such  #
banner motd    # monitoring to law enforcement officials.                              #
banner motd    #                                                                       #
banner motd    #########################################################################
banner motd
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xyz.com
object-group service Port_4445 tcp
 port-object eq 4445
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 Dayton-Inside 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.3.0 255.255.255.0 Dayton-Inside 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp host 198.30.92.2 eq ntp any eq ntp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list priority-servers remark Add Here Destination Server IPs Requiring QoS
access-list priority-servers remark Including Both Local and Remote Servers
access-list priority-servers extended permit ip Dayton-Inside 255.255.255.0 host 192.168.3.15
access-list priority-servers extended permit ip Dayton-Inside 255.255.255.0 host 192.168.3.168
access-list priority-servers extended permit ip 192.168.3.0 255.255.255.0 host 192.168.1.3
access-list priority-servers extended permit ip 192.168.3.0 255.255.255.0 host 192.168.1.249
pager lines 24
logging enable
logging timestamp
logging buffer-size 10240
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm notifications
logging mail critical
logging from-address krhoades@xyz.com
logging recipient-address ciscogroup@xyz.com level critical
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu outside2 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface outside2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any outside2
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside2) tcp interface www 192.168.3.120 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2
route outside2 0.0.0.0 0.0.0.0 75.149.90.150 1 track 1
route outside 0.0.0.0 0.0.0.0 67.76.200.129 254
timeout xlate 0:05:00
timeout conn 168:00:00 half-closed 0:10:00 udp 0:05:00 icmp 0:00:30
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside2
http 0.0.0.0 0.0.0.0 outside
http 192.168.3.0 255.255.255.0 inside
snmp-server host outside2 64.56.116.1 poll community 22vgX
no snmp-server location
no snmp-server contact
snmp-server community 22vgX
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 64.56.105.122 interface outside2
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec df-bit clear-df inside
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.56.105.122
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 300
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto isakmp enable outside
crypto isakmp enable outside2
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal  20
!
track 1 rtr 123 reachability
telnet Dayton-Inside 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
console timeout 30

priority-queue outside
priority-queue inside
priority-queue outside2
ntp server 198.30.92.2
tftp-server inside 192.168.3.15 portland
username kiwi password ASOXfjPZd36TNPQ0 encrypted privilege 15
username krhoades password LlrRyUI2rrVkfZ3L encrypted privilege 15
username cisco500 password NivFZqUgthCHah0J encrypted privilege 15
username lwasserman password KYuqqyXdd2qDeHmF encrypted privilege 15
username tims password 8woCmo9cVKF6J5Tx encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 64.56.105.122 type ipsec-l2l
tunnel-group 64.56.105.122 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
class-map SIP
 description For SIP Ports
 match port udp range sip 5061
class-map SERVERS
 description For Critical Servers
 match access-list priority-servers
class-map IAX2
 description For IAX2 Support
 match port udp eq 4569
class-map inspection_default
 match default-inspection-traffic
class-map SIP-SUP
 description For SIP Support
 match port udp range 10000 20000
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
policy-map QoS-Policy
 description Port_5038
 class SIP
  priority
 class IAX2
  priority
 class SIP-SUP
  priority
 class SERVERS
  priority
!
service-policy global_policy global
service-policy QoS-Policy interface outside
service-policy QoS-Policy interface inside
service-policy QoS-Policy interface outside2
smtp-server 64.56.96.44
prompt hostname context
Cryptochecksum:4cc958588adc046355463096c83b76e4
: end
asdm image disk0:/asdm-524.bin
asdm location Dayton-Inside 255.255.255.0 inside
asdm location Dayton-Outside 255.255.255.248 outside
asdm location Dayton-Inside 255.255.255.0 outside
asdm location Trixbox 255.255.255.255 inside
asdm history enable
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22605811
>access-list outside_access_in extended permit tcp any interface outside eq www

Add:
access-list outside_access_in extended permit tcp any interface outside2 eq www
0
 
LVL 4

Expert Comment

by:smittyboom
ID: 22605835
Once again. Are you trying to access this camera using the 192 address from a external network?
Once again. If you are then this WILL NOT WORK.
0
 

Author Closing Comment

by:krhoades7601
ID: 31501419
Thank you soooo much!  You rock.  It finally works!!!!  Thank you Thank you Thank you!!!
0
 

Author Comment

by:krhoades7601
ID: 22606128
I tested it from an outside network and it works!!!!  I am so happy!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now