Solved

PIX port forward for security camera DVR

Posted on 2010-09-16
17
1,605 Views
Last Modified: 2012-08-13
Hi,
 We bought a DVR (Q-See model QS218) and for remote management it asks us to forward ports 80 (I changed it to 82), 15962 and 9000 from the router/firewall the DVR is attached to, to the internal IP address of the DVR. We have a PIX 6.0; what command can I use to do this? Or can it be done through PDM?

Thanks,
Art
0
Question by:kaosmadness
17 Comments
 

Accepted Solution

by:
Kalmeradmin earned 250 total points
ID: 33695410
You will need to allow the ports in via ACL, apply the ACL to the outside interface, and then use Static Nat to translate.

ACL (Access-group named inbound; you can name it whatever you want or add lines to existing group):
access-list inbound permit tcp any host "your outside IP Address" eq 82
access-list inbound permit tcp any host "your outside IP Address" eq 15962
access-list inbound permit tcp any host "your outside IP Address" eq 9000

Static NAT Rules:
static (inside,outside) tcp "Your Outside IP Address" 82 "Internal IP of DVR" 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Your Outside IP Address" 15962 "Internal IP of DVR" 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Your Outside IP Address" 9000 "Internal IP of DVR" 9000 netmask 255.255.255.255 0 0

ACL Applied to Interface:
access-group inbound in interface outside

Hope this helps.
0
 

Author Comment

by:kaosmadness
ID: 33696562
Thanks! On our outside interface we are using subnet 255.255.255.240, and 255.255.0.0 on the inside, when I run show int. Should I use those subnets instead? I can't get into the device by any outside means.
0
 

Expert Comment

by:Kalmeradmin
ID: 33696685
If for example your outside IP address is 68.98.78.58 and the DVR IP address is 10.10.10.2 then your Static NAT should look like this:

static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0

The netmask only specifies one-to-one in this particular case and doesn't have anything to do with the subnet masks of the internal or external subnets.

Also, if you are trying to get in from the outside and you have changed the port from 80 to 82, then you need to specify that in the address bar.

Example:

http://68.98.78.58:82

If you still have problems then try to post your config and just take out the IP info private to your establishment.
0

 

Author Comment

by:kaosmadness
ID: 33697487
I just brought the points up to 500 since I think it merits that! Thanks again.
0
 
LVL 5

Assisted Solution

by:shirkan
shirkan earned 250 total points
ID: 33699232
One thing you need to be aware of if you use your outside interface IP address for that,
e.g. this line:
static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0

Let's assume 68.98.78.58 is your PIX interface IP.

Then the static is different: you have to use the word interface instead of the actual IP.

static (inside,outside) tcp interface 82 10.10.10.2 82 netmask 255.255.255.255 0 0
0
 

Author Comment

by:kaosmadness
ID: 33704219
Hi, thanks for everything. I still cannot get to the device from the outside; I can get to it from within the LAN, so I don't think outside traffic is being routed to the inside port. Here is what I typed:

access-list inbound permit tcp any host 12.68.X.X eq 82
access-list inbound permit udp any host 12.68.X.X eq 82
access-list inbound permit tcp any host 12.68.X.X eq 15962
access-list inbound permit udp any host 12.68.X.X eq 15962
access-list inbound permit tcp any host 12.68.X.X eq 9000
access-list inbound permit udp any host 12.68.X.X eq 9000
static (inside, outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside

Any ideas what I might have done wrong?

Thanks,
Art
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33704501
Hm, ok, if you use the interface IP, try changing the access-list to either interface instead of host 12.68.X.X eq,
or just try any any,
e.g.
access-list inbound permit tcp any interface eq 82
access-list inbound permit tcp any any eq 82
and all the others too.
I know on my PIX/ASA I use any for the interface IP to port forward.
0
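The mismatch discussed in the last two comments (the ACL written for `host <outside IP>` while the static uses `interface`, plus the udp permits that no static translates) is easy to miss by eye. The following is an added example, not code from the thread or from Cisco: a small Python linter for PIX 6.x port-forward lines that parses `access-list`, `static` and `access-group` and reports those inconsistencies. The two sample configs are constructed from the poster's lines (public IP left redacted as in the post).

```python
import re

# Regexes cover only the simple PIX 6.x forms used in this thread (assumption).
ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) any (host \S+|interface|any) eq (\d+)")
STATIC = re.compile(r"^static \(inside,\s*outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
GROUP = re.compile(r"^access-group (\S+) in interface outside")

def lint_portforward(config: str) -> list[str]:
    """Return sorted findings for port-forward rules that will not work as a set."""
    acls, statics, applied = [], [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL.match(line):
            acls.append(m.groups())        # (acl name, proto, destination, port)
        elif m := STATIC.match(line):
            statics.append(m.groups())     # (proto, outside addr, oport, inside addr, iport)
        elif m := GROUP.match(line):
            applied.add(m.group(1))
    findings = set()
    static_keys = {(proto, oport) for proto, _, oport, _, _ in statics}
    acl_keys = {(proto, port) for _, proto, _, port in acls}
    for proto, oport in static_keys:         # translation exists but nothing lets it in
        if (proto, oport) not in acl_keys:
            findings.add(f"static {proto}/{oport} has no ACL permit")
    for name, proto, dst, port in acls:
        if (proto, port) not in static_keys:  # permit with nothing to translate (the udp lines)
            findings.add(f"{name} permits {proto}/{port} but no static translates it")
        if dst.startswith("host ") and any(   # host <ip> in ACL vs. 'interface' in static
                o == "interface" and p == proto and op == port for p, o, op, _, _ in statics):
            findings.add(f"{name} {proto}/{port}: ACL uses {dst} but static uses interface")
        if name not in applied:
            findings.add(f"{name} is never applied to the outside interface")
    return sorted(findings)

# Constructed sample: the poster's first attempt (udp permits, host-based ACL, interface statics).
FIRST_TRY = """
access-list inbound permit tcp any host 12.68.X.X eq 82
access-list inbound permit udp any host 12.68.X.X eq 82
access-list inbound permit tcp any host 12.68.X.X eq 15962
access-list inbound permit udp any host 12.68.X.X eq 15962
access-list inbound permit tcp any host 12.68.X.X eq 9000
access-list inbound permit udp any host 12.68.X.X eq 9000
static (inside, outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""
# Constructed sample: the corrected form from the later config post.
FIXED = FIRST_TRY.replace("host 12.68.X.X", "any")
FIXED = "\n".join(l for l in FIXED.splitlines() if " udp " not in l)
```

`lint_portforward(FIRST_TRY)` reports six findings (three udp permits with no static, three host/interface mismatches); `lint_portforward(FIXED)` reports none.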
 

Author Comment

by:kaosmadness
ID: 33705222
Hi,

I still cannot get into it. I used any any. Should the static route be static (inside, outside) or (outside, inside)??

Thanks,
Art
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33705235
It's (inside,outside), but it depends on what you named your interface. Can you post your config (fake the public IP)?
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33705255
Oh, and of course, if the cam is in your LAN, you cannot use the public IP from inside your network to test that.
Also make sure it has a default gateway to the ASA interface IP, the inside one.
0
 

Author Comment

by:kaosmadness
ID: 33705270
: Saved
: Written by enable_15 at 13:31:10.210 UTC Fri Sep 17 2010
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X0tU6CWeV4K5qK2y encrypted
passwd 8/q3sC7zeAVvJokJ encrypted
hostname cisco-pix
domain-name sheraton.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq 1433
access-list 100 permit tcp any any eq 1434
access-list 100 permit udp any any eq 1434
access-list 100 permit udp any any eq 1433
access-list any permit tcp any any eq 1433
access-list any permit udp any any eq 1434
access-list 300 permit ip any any
access-list inbound permit tcp any any eq 82
access-list inbound permit tcp any any eq 15962
access-list inbound permit tcp any any eq 9000
pager lines 20
logging on    
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 12.68.X.X 255.255.255.240
ip address inside 10.63.104.11 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.63.104.253 255.255.255.255 inside
pdm location 10.63.104.0 255.255.255.0 inside
pdm location 10.63.104.227 255.255.255.255 inside
pdm location 12.x.X.X 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group 300 in interface inside
route outside 0.0.0.0 0.0.0.0 12.68.113.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.63.104.253 255.255.255.255 inside
http 10.63.104.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.63.104.253 255.255.255.255 inside
ssh 10.63.104.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username XXXX password EUhbZXKWigcQCm0m encrypted privilege 15
terminal width 80
Cryptochecksum:7576007370f717fa6d5970111f5595a8
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33705329
Ok, your config is ok; seems like the problem is somewhere else.
Is the DVR's gateway set to 10.63.104.11?
And if you access it from inside your network, do you do that also with port 82?
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33705373
Also add the following to the access-list lines:

access-list inbound permit tcp any any eq 82 log 4
access-list inbound permit tcp any any eq 15962 log 4
access-list inbound permit tcp any any eq 9000 log 4

Now you will see in your log if you access it from the outside, because it will log it.
But remember, you CANNOT test this from INSIDE your LAN;
you have to be on a different connection to access that DVR from the internet.
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33705384
If there is supposed to be a web application manager coming up, then it does work; I just tested it.
0
 

Expert Comment

by:Kalmeradmin
ID: 33705435
Yeah, it looks like it is working.
0
 
LVL 5

Expert Comment

by:shirkan
ID: 33705469
Pshhh, good, at least we are done :) right?
0
 

Author Comment

by:kaosmadness
ID: 33705799
Yes it is, thank you both!!!!!
0
