Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!
PIX portforward for security camera's DVR
Hi,
We bought a DVR (q-see model qs218) and for remote management it ask us to forward ports 80 (i changed to 82) 15962 and 9000 from the router/firewall the DVR is attached to, to the internal ip address of the dvr. We have a PIX 6.0, what command can I use to do this? Or can it be done thru PDM?
Thanks,
Art
We bought a DVR (q-see model qs218) and for remote management it ask us to forward ports 80 (i changed to 82) 15962 and 9000 from the router/firewall the DVR is attached to, to the internal ip address of the dvr. We have a PIX 6.0, what command can I use to do this? Or can it be done thru PDM?
Thanks,
Art
Asked:
8-
6
3
2 Solutions
Thanks! on our out side interface we are using subnet 255.255.255.240 and 255.255.0.0 in when I run show int . Should i use those subnets instead? I cant get into the device by any outside means.
If for example your outside IP address is 68.98.78.58 and the DVR IP address is 10.10.10.2 then your Static NAT should look like this:
static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0
The netmask only specifies one to one in this paticular case and doesn't have anything to do with the subnet masks of the internal or external subnets.
Also if you are trying to get in from the outside and you have changed the port from 80 to 82 then you need to specify that in the address bar.
Example:
http://68.98.78.58:82
If you still have problems then try to post your config and just take out the IP info private to your establishment.
static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0
The netmask only specifies one to one in this paticular case and doesn't have anything to do with the subnet masks of the internal or external subnets.
Also if you are trying to get in from the outside and you have changed the port from 80 to 82 then you need to specify that in the address bar.
Example:
http://68.98.78.58:82
If you still have problems then try to post your config and just take out the IP info private to your establishment.
one thing u need to be aware if you use your outside interface ip address for that
e.g. this line
static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0
lets assume this 68.98.78.58 82 is your pix interface ip
then the static is different, you have to use the word interface instead of the actual ip
static (inside,outside) tcp interface 82 10.10.10.2 82 netmask 255.255.255.255 0 0
e.g. this line
static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0
lets assume this 68.98.78.58 82 is your pix interface ip
then the static is different, you have to use the word interface instead of the actual ip
static (inside,outside) tcp interface 82 10.10.10.2 82 netmask 255.255.255.255 0 0
Hi, thanks for everything. I still can not get to the device from the outside, i can get to it from with in the LAN so I dont think outside traffic is being routed to the inside port. Here is what i typed:
access-list inbound permit tcp any host 12.68.X.X eq 82
access-list inbound permit udp any host 12.68.X.X eq 82
access-list inbound permit tcp any host 12.68.X.X eq 15962
access-list inbound permit udp any host 12.68.X.X eq 15962
access-list inbound permit tcp any host 12.68.X.X eq 9000
access-list inbound permit udp any host 12.68.X.X eq 9000
static (inside, outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
Any ideas what i might have donw wrong?
Thanks,
Art
access-list inbound permit tcp any host 12.68.X.X eq 82
access-list inbound permit udp any host 12.68.X.X eq 82
access-list inbound permit tcp any host 12.68.X.X eq 15962
access-list inbound permit udp any host 12.68.X.X eq 15962
access-list inbound permit tcp any host 12.68.X.X eq 9000
access-list inbound permit udp any host 12.68.X.X eq 9000
static (inside, outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
Any ideas what i might have donw wrong?
Thanks,
Art
hm, ok if you use the interface ip, try changing the access-list to either interface instead of host 12.68.X.X eq
or just try any any
e.g.
access-list inbound permit tcp any interface eq 82
access-list inbound permit tcp any any eq 82
and all the others too.
i know on my Pix/ASA i use any for the interface ip to port forward
or just try any any
e.g.
access-list inbound permit tcp any interface eq 82
access-list inbound permit tcp any any eq 82
and all the others too.
i know on my Pix/ASA i use any for the interface ip to port forward
Hi,
I still can not get into it. I used any any. Should the static route be static (inside, outside) or (outside, inside)??
Thanks,
Art
I still can not get into it. I used any any. Should the static route be static (inside, outside) or (outside, inside)??
Thanks,
Art
its (inside,outside) but it depends on what you named your interface, can you post your config (fake the public ip)
oh and of course, if the ?CAM is in your LAN, you cannot use the Public IP from inside your network to test that
also make sure it has a default gateway to the ASA interface IP , the inside one
also make sure it has a default gateway to the ASA interface IP , the inside one
: Saved
: Written by enable_15 at 13:31:10.210 UTC Fri Sep 17 2010
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X0tU6CWeV4K5qK2y encrypted
passwd 8/q3sC7zeAVvJokJ encrypted
hostname cisco-pix
domain-name sheraton.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq 1433
access-list 100 permit tcp any any eq 1434
access-list 100 permit udp any any eq 1434
access-list 100 permit udp any any eq 1433
access-list any permit tcp any any eq 1433
access-list any permit udp any any eq 1434
access-list 300 permit ip any any
access-list inbound permit tcp any any eq 82
access-list inbound permit tcp any any eq 15962
access-list inbound permit tcp any any eq 9000
pager lines 20
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 12.68.X.X 255.255.255.240
ip address inside 10.63.104.11 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.63.104.253 255.255.255.255 inside
pdm location 10.63.104.0 255.255.255.0 inside
pdm location 10.63.104.227 255.255.255.255 inside
pdm location 12.x.X.X 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group 300 in interface inside
route outside 0.0.0.0 0.0.0.0 12.68.113.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.63.104.253 255.255.255.255 inside
http 10.63.104.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.63.104.253 255.255.255.255 inside
ssh 10.63.104.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username XXXX password EUhbZXKWigcQCm0m encrypted privilege 15
terminal width 80
Cryptochecksum:7576007370f
: Written by enable_15 at 13:31:10.210 UTC Fri Sep 17 2010
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X0tU6CWeV4K5qK2y encrypted
passwd 8/q3sC7zeAVvJokJ encrypted
hostname cisco-pix
domain-name sheraton.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq 1433
access-list 100 permit tcp any any eq 1434
access-list 100 permit udp any any eq 1434
access-list 100 permit udp any any eq 1433
access-list any permit tcp any any eq 1433
access-list any permit udp any any eq 1434
access-list 300 permit ip any any
access-list inbound permit tcp any any eq 82
access-list inbound permit tcp any any eq 15962
access-list inbound permit tcp any any eq 9000
pager lines 20
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 12.68.X.X 255.255.255.240
ip address inside 10.63.104.11 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.63.104.253 255.255.255.255 inside
pdm location 10.63.104.0 255.255.255.0 inside
pdm location 10.63.104.227 255.255.255.255 inside
pdm location 12.x.X.X 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group 300 in interface inside
route outside 0.0.0.0 0.0.0.0 12.68.113.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.63.104.253 255.255.255.255 inside
http 10.63.104.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.63.104.253 255.255.255.255 inside
ssh 10.63.104.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username XXXX password EUhbZXKWigcQCm0m encrypted privilege 15
terminal width 80
Cryptochecksum:7576007370f
Ok, your config is ok, seems like the problem is somewhere else
is the DVR's gateway set to 10.63.104.11 ?
and if you access it from inside your network, do you do that also with port 82?
is the DVR's gateway set to 10.63.104.11 ?
and if you access it from inside your network, do you do that also with port 82?
also add the following to the access-list lines
access-list inbound permit tcp any any eq 82 log 4
access-list inbound permit tcp any any eq 15962 log 4
access-list inbound permit tcp any any eq 9000 log 4
no you will see in your logg if you access it from the outside cause it will log it.
But remember, you CANNOT test this from INSIDE your LAN
you have to be on a different connection to access that DVR from the internet
access-list inbound permit tcp any any eq 82 log 4
access-list inbound permit tcp any any eq 15962 log 4
access-list inbound permit tcp any any eq 9000 log 4
no you will see in your logg if you access it from the outside cause it will log it.
But remember, you CANNOT test this from INSIDE your LAN
you have to be on a different connection to access that DVR from the internet
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
ACL (Access-group named inbound; you can name it whatever you want or add lines to existing group):
access-list inbound permit tcp any host "your outside IP Address" eq 82
access-list inbound permit tcp any host "your outside IP Address" eq 15962
access-list inbound permit tcp any host "your outside IP Address" eq 9000
Static NAT Rules:
static (inside,outside) tcp "Your Outside IP Address" 82 "Internal IP of DVR" 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Your Outside IP Address" 15962 "Internal IP of DVR" 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Your Outside IP Address" 9000 "Internal IP of DVR" 9000 netmask 255.255.255.255 0 0
ACL Applied to Interface:
access-group inbound in interface outside
hope this helps