krhoades7601

Need to Access a network camera on internal network from external network

I have a network camera in my test fixture area that I would like customers to be able to view.  The camera is set for port 80.  I have tried port forwarding by typing the following:

static (inside,outside2) tcp interface 80 192.168.3.120 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 80

I still cannot access the camera from the outside network.  Any suggestions would be greatly appreciated.
kdearing

You'll probably need to post the entire config to determine what the problem is.
Of course, redact public IPs and any other sensitive info.
smittyboom

192 is an internal number only. You are going to have to have a NAT address that points to that internal address. You will need to use that NAT address to reach the camera from an external network. 192 class numbers are not valid external network or internet IP addresses. You can do a reverse IP lookup or contact your internet provider to find out what the NAT address is.
Les Moore
The static and the access-list are correct.
Check the default gateway setup on the camera.
I've got to ask, but can you access the camera from the inside network?
krhoades7601

ASKER

I checked the default gateway of the camera and it is set properly.  I can access the network internally by typing http://192.168.3.120 in my browser and it comes up.  I will supply a copy of the running configuration once I get to work.  Thank you for the response.  Hopefully, I can get this working today.
static (inside,outside2)
                           ^^^
You have multiple outside interfaces?
I'm curious to see the running config to see where your firewall's default route goes...
If you're trying to type a 192 class # from the internet to see your camera, it will never work!
That is right - make sure you are accessing with your public IP address: you can find it by going to http://whatsmyip.org/ and looking at the top of the screen.
Cheers!
Okay!  Below is my configuration.  Sorry it took me so long.  

ASA Version 7.2(4)
!
hostname portland
domain-name xyy.com
enable password
names
name 9..10.11.12 Dayton-Outside
name 192.168.1.0 Dayton-Inside
name 192.168.3.188 Trixbox
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.6.7.8 255.255.255.192
 ospf cost 10
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Vlan4
 nameif outside2
 security-level 0
 ip address 1.2.3.4 255.255.255.252
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
banner motd
banner motd    #########################################################################
banner motd    #                                                                       #
banner motd    # This system is for the use of authorized users only. Individuals      #
banner motd    # using this computer system without authority, or in excess of their   #
banner motd    # authority, are subject to having all of their activities on this      #
banner motd    # system monitored and recorded by system personnel.                    #
banner motd    #                                                                       #
banner motd    # In the course of monitoring individuals improperly using this system, #
banner motd    # or in the course of system maintenance, the activities of authorized  #
banner motd    # users may also be monitored.                                          #
banner motd    #                                                                       #
banner motd    # Anyone using this system expressly consents to such monitoring and    #
banner motd    # is advised that if such monitoring reveals possible evidence of       #
banner motd    # criminal activity, system personnel may provide the evidence of such  #
banner motd    # monitoring to law enforcement officials.                              #
banner motd    #                                                                       #
banner motd    #########################################################################
banner motd
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xyz.com
object-group service Port_4445 tcp
 port-object eq 4445
access-list inside_outbound_nat0_acl extended permit ip 192.168.3.0 255.255.255.0 Dayton-Inside 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.3.0 255.255.255.0 Dayton-Inside 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp host 198.30.92.2 eq ntp any eq ntp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list priority-servers remark Add Here Destination Server IPs Requiring QoS
access-list priority-servers remark Including Both Local and Remote Servers
access-list priority-servers extended permit ip Dayton-Inside 255.255.255.0 host 192.168.3.15
access-list priority-servers extended permit ip Dayton-Inside 255.255.255.0 host 192.168.3.168
access-list priority-servers extended permit ip 192.168.3.0 255.255.255.0 host 192.168.1.3
access-list priority-servers extended permit ip 192.168.3.0 255.255.255.0 host 192.168.1.249
pager lines 24
logging enable
logging timestamp
logging buffer-size 10240
logging monitor warnings
logging buffered warnings
logging trap warnings
logging asdm notifications
logging mail critical
logging from-address krhoades@xyz.com
logging recipient-address ciscogroup@xyz.com level critical
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu outside2 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface outside2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any outside2
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside2) tcp interface www 192.168.3.120 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2
route outside2 0.0.0.0 0.0.0.0 75.149.90.150 1 track 1
route outside 0.0.0.0 0.0.0.0 67.76.200.129 254
timeout xlate 0:05:00
timeout conn 168:00:00 half-closed 0:10:00 udp 0:05:00 icmp 0:00:30
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside2
http 0.0.0.0 0.0.0.0 outside
http 192.168.3.0 255.255.255.0 inside
snmp-server host outside2 64.56.116.1 poll community 22vgX
no snmp-server location
no snmp-server contact
snmp-server community 22vgX
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 64.56.105.122 interface outside2
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec df-bit clear-df inside
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.56.105.122
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 300
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto isakmp enable outside
crypto isakmp enable outside2
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal  20
!
track 1 rtr 123 reachability
telnet Dayton-Inside 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
console timeout 30

priority-queue outside
priority-queue inside
priority-queue outside2
ntp server 198.30.92.2
tftp-server inside 192.168.3.15 portland
username kiwi password ASOXfjPZd36TNPQ0 encrypted privilege 15
username krhoades password LlrRyUI2rrVkfZ3L encrypted privilege 15
username cisco500 password NivFZqUgthCHah0J encrypted privilege 15
username lwasserman password KYuqqyXdd2qDeHmF encrypted privilege 15
username tims password 8woCmo9cVKF6J5Tx encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 64.56.105.122 type ipsec-l2l
tunnel-group 64.56.105.122 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
class-map SIP
 description For SIP Ports
 match port udp range sip 5061
class-map SERVERS
 description For Critical Servers
 match access-list priority-servers
class-map IAX2
 description For IAX2 Support
 match port udp eq 4569
class-map inspection_default
 match default-inspection-traffic
class-map SIP-SUP
 description For SIP Support
 match port udp range 10000 20000
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
policy-map QoS-Policy
 description Port_5038
 class SIP
  priority
 class IAX2
  priority
 class SIP-SUP
  priority
 class SERVERS
  priority
!
service-policy global_policy global
service-policy QoS-Policy interface outside
service-policy QoS-Policy interface inside
service-policy QoS-Policy interface outside2
smtp-server 64.56.96.44
prompt hostname context
Cryptochecksum:4cc958588adc046355463096c83b76e4
: end
asdm image disk0:/asdm-524.bin
asdm location Dayton-Inside 255.255.255.0 inside
asdm location Dayton-Outside 255.255.255.248 outside
asdm location Dayton-Inside 255.255.255.0 outside
asdm location Trixbox 255.255.255.255 inside
asdm history enable
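
A consistency check suggested by the configuration above, as an added example that is not part of the thread and does not reproduce the members-only solution: it flags any static port forward whose mapped interface has no matching permit in the ACL bound inbound to that interface. The function names and regexes are illustrative assumptions that cover only the pre-8.3 syntax shown here with source "any"; the sample text is constructed from the posted lines.

```python
import re

# Constructed sample: the port-forward lines from the configuration posted above.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside2) tcp interface www 192.168.3.120 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2
"""

STATIC_RE = re.compile(
    r"^static \(([^,\s]+),([^)\s]+)\) (tcp|udp) interface (\S+) (\S+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
ACE_RE = re.compile(
    r"^access-list (\S+)(?: extended)? permit (tcp|udp|ip) any "
    r"(?:any|interface (\S+))(?: eq (\S+))?", re.M)
PORT_NAMES = {"www": "80"}  # the ASA prints port 80 as the keyword "www"


def norm(port):
    """Map a port keyword to its number so '80' and 'www' compare equal."""
    return PORT_NAMES.get(port, port)


def audit_port_forwards(config):
    """Return one finding per interface static PAT that no inbound ACE permits."""
    acl_on = {ifc: acl for acl, ifc in GROUP_RE.findall(config)}  # interface -> ACL
    aces = ACE_RE.findall(config)
    findings = []
    for _real_if, mapped_if, proto, port, host in STATIC_RE.findall(config):
        acl = acl_on.get(mapped_if)
        permitted = any(
            name == acl and ace_proto in (proto, "ip")
            and dst_if in ("", mapped_if)  # "" means the destination was "any"
            and (ace_port == "" or norm(ace_port) == norm(port))
            for name, ace_proto, dst_if, ace_port in aces)
        if not permitted:
            findings.append(
                f"{proto}/{port} -> {host}: static is on '{mapped_if}' but ACL "
                f"{acl!r} has no permit to 'interface {mapped_if}'")
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG):
        print(finding)
```
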
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members of Experts Exchange.
Once again. Are you trying to access this camera using the 192 address from an external network?
Once again. If you are then this WILL NOT WORK.
Thank you soooo much!  You rock.  It finally works!!!!  Thank you Thank you Thank you!!!
I tested it from an outside network and it works!!!!  I am so happy!