Solved

PIX port forward for security camera DVR

Posted on 2010-09-16
1,600 Views
Last Modified: 2012-08-13
Hi,
We bought a DVR (Q-See model QS218) and for remote management it asks us to forward ports 80 (I changed it to 82), 15962 and 9000 from the router/firewall the DVR is attached to, to the internal IP address of the DVR. We have a PIX 6.0; what command can I use to do this? Or can it be done through PDM?

Thanks,
Art
Question by:kaosmadness

17 Comments
 

Accepted Solution

by: Kalmeradmin (earned 250 total points)
You will need to allow the ports in via an ACL, apply the ACL to the outside interface, and then use static NAT to translate.

ACL (Access-group named inbound; you can name it whatever you want or add lines to existing group):
access-list inbound permit tcp any host "your outside IP Address" eq 82
access-list inbound permit tcp any host "your outside IP Address" eq 15962
access-list inbound permit tcp any host "your outside IP Address" eq 9000

Static NAT Rules:
static (inside,outside) tcp "Your Outside IP Address" 82 "Internal IP of DVR" 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Your Outside IP Address" 15962 "Internal IP of DVR" 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Your Outside IP Address" 9000 "Internal IP of DVR" 9000 netmask 255.255.255.255 0 0

ACL Applied to Interface:
access-group inbound in interface outside

hope this helps
Author Comment

by:kaosmadness
Thanks! On our outside interface we are using subnet 255.255.255.240, and 255.255.0.0 inside, when I run show int. Should I use those subnets instead? I can't get into the device by any outside means.
Expert Comment

by:Kalmeradmin
If for example your outside IP address is 68.98.78.58 and the DVR IP address is 10.10.10.2 then your Static NAT should look like this:

static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0

The netmask only specifies one-to-one in this particular case and doesn't have anything to do with the subnet masks of the internal or external subnets.

Also, if you are trying to get in from the outside and you have changed the port from 80 to 82, then you need to specify that in the address bar.

Example:

http://68.98.78.58:82

If you still have problems then try to post your config and just take out the IP info private to your establishment.
Author Comment

by:kaosmadness
I just brought the points up to 500 since I think it merits that! Thanks again.
Assisted Solution

by: shirkan (earned 250 total points)
One thing you need to be aware of if you use your outside interface IP address for that,
e.g. this line:
static (inside,outside) tcp 68.98.78.58 82 10.10.10.2 82 netmask 255.255.255.255 0 0

Let's assume this 68.98.78.58 82 is your PIX interface IP;

then the static is different: you have to use the word interface instead of the actual IP

static (inside,outside) tcp interface 82 10.10.10.2 82 netmask 255.255.255.255 0 0
Author Comment

by:kaosmadness
Hi, thanks for everything. I still cannot get to the device from the outside; I can get to it from within the LAN, so I don't think outside traffic is being routed to the inside port. Here is what I typed:

access-list inbound permit tcp any host 12.68.X.X eq 82
access-list inbound permit udp any host 12.68.X.X eq 82
access-list inbound permit tcp any host 12.68.X.X eq 15962
access-list inbound permit udp any host 12.68.X.X eq 15962
access-list inbound permit tcp any host 12.68.X.X eq 9000
access-list inbound permit udp any host 12.68.X.X eq 9000
static (inside, outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside

Any ideas what I might have done wrong?

Thanks,
Art
Expert Comment

by:shirkan
Hm, OK, if you use the interface IP, try changing the access-list to either interface instead of host 12.68.X.X eq,
or just try any any,
e.g.
access-list inbound permit tcp any interface eq 82
access-list inbound permit tcp any any eq 82
and all the others too.
I know on my PIX/ASA I use any for the interface IP to port forward.
Author Comment

by:kaosmadness
Hi,

I still cannot get into it. I used any any. Should the static route be static (inside, outside) or (outside, inside)?

Thanks,
Art
Expert Comment

by:shirkan
It's (inside,outside), but it depends on what you named your interfaces; can you post your config (fake the public IP)?
Expert Comment

by:shirkan
Oh, and of course, if the CAM is in your LAN, you cannot use the public IP from inside your network to test that.
Also make sure it has a default gateway to the ASA interface IP, the inside one.
Author Comment

by:kaosmadness
: Saved
: Written by enable_15 at 13:31:10.210 UTC Fri Sep 17 2010
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X0tU6CWeV4K5qK2y encrypted
passwd 8/q3sC7zeAVvJokJ encrypted
hostname cisco-pix
domain-name sheraton.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq 1433
access-list 100 permit tcp any any eq 1434
access-list 100 permit udp any any eq 1434
access-list 100 permit udp any any eq 1433
access-list any permit tcp any any eq 1433
access-list any permit udp any any eq 1434
access-list 300 permit ip any any
access-list inbound permit tcp any any eq 82
access-list inbound permit tcp any any eq 15962
access-list inbound permit tcp any any eq 9000
pager lines 20
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 12.68.X.X 255.255.255.240
ip address inside 10.63.104.11 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.63.104.253 255.255.255.255 inside
pdm location 10.63.104.0 255.255.255.0 inside
pdm location 10.63.104.227 255.255.255.255 inside
pdm location 12.x.X.X 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group 300 in interface inside
route outside 0.0.0.0 0.0.0.0 12.68.113.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.63.104.253 255.255.255.255 inside
http 10.63.104.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 10.63.104.253 255.255.255.255 inside
ssh 10.63.104.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username XXXX password EUhbZXKWigcQCm0m encrypted privilege 15
terminal width 80
Cryptochecksum:7576007370f717fa6d5970111f5595a8
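The three pieces Kalmeradmin lists (a permit in the ACL, the ACL bound to the outside interface, and a port static) have to agree with each other, and a config dump like the one above is exactly the kind of input you would check that against. The following Python is an added example, not code from the thread or from Cisco: it parses the relevant PIX 6.x lines and reports statics with no matching permit, permits without `log`, an interface ACL that permits ip any any, and an SNMP community left at the default. The sample config is constructed from the posted one, with 192.0.2.2 standing in for the masked public IP and a tcp/3389 static added only so the missing-ACE case shows up; the parser covers only the `static ... tcp|udp`, `access-list ... permit|deny`, `access-group` and `ip address` forms seen here.

```python
from collections import namedtuple

# Constructed sample in the shape of the PIX 6.3 config posted above. 192.0.2.2 stands in
# for the masked public address 12.68.X.X; the tcp/3389 static is an extra line added here
# only to show what a forward with no matching access-list entry looks like.
SAMPLE_CONFIG = """\
access-list 300 permit ip any any
access-list inbound permit tcp any any eq 82
access-list inbound permit tcp any any eq 15962
access-list inbound permit tcp any any eq 9000
ip address outside 192.0.2.2 255.255.255.240
ip address inside 10.63.104.11 255.255.0.0
static (inside,outside) tcp interface 82 10.63.104.148 82 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 15962 10.63.104.148 15962 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9000 10.63.104.148 9000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.63.104.200 3389 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group 300 in interface inside
snmp-server community public
"""

# One access-list entry, and one port static:
#   static (real_if,mapped_if) proto MAPPED_ADDR MAPPED_PORT REAL_ADDR REAL_PORT netmask ...
# mapped_addr is an IP or the keyword 'interface'.
Ace = namedtuple("Ace", "acl action proto src dst port log")
Static = namedtuple("Static", "real_if mapped_if proto mapped_addr mapped_port real_addr real_port")


def _take_addr(tok):
    """Consume one PIX address spec: any | interface | host A | NET MASK."""
    if tok[0] in ("any", "interface"):
        return tok[0], tok[1:]
    if tok[0] == "host":
        return f"host {tok[1]}", tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]


def parse_config(text):
    """Pull ACEs, port statics, access-group bindings and interface IPs out of PIX 6.x output."""
    aces, statics, groups, if_ip, raw = [], [], {}, {}, set()
    for line in text.splitlines():
        tok = line.split()
        raw.add(" ".join(tok))
        if len(tok) > 5 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, rest = _take_addr(tok[4:])
            dst, rest = _take_addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            aces.append(Ace(tok[1], tok[2], tok[3], src, dst, port, "log" in rest))
        elif len(tok) > 6 and tok[0] == "static" and tok[2] in ("tcp", "udp"):
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append(Static(real_if, mapped_if, tok[2], tok[3], int(tok[4]), tok[5], int(tok[6])))
        elif tok[:1] == ["access-group"]:  # access-group NAME in interface IFNAME
            groups[tok[4]] = tok[1]
        elif tok[:2] == ["ip", "address"]:  # ip address IFNAME ADDR MASK
            if_ip[tok[2]] = tok[3]
    return aces, statics, groups, if_ip, raw


def _ace_covers(ace, st, mapped_if_ip):
    """True if the ACE permits the protocol, destination and port that the static exposes."""
    if ace.action != "permit" or ace.proto not in (st.proto, "ip"):
        return False
    if ace.port not in (None, st.mapped_port):
        return False
    if ace.dst == "any":
        return True
    if ace.dst == "interface":
        return st.mapped_addr == "interface"
    public_ip = mapped_if_ip if st.mapped_addr == "interface" else st.mapped_addr
    return ace.dst == f"host {public_ip}"


def find_port_forward_issues(text):
    """Return (kind, detail) findings: forwards with no permit, unlogged permits, wide-open ACLs."""
    aces, statics, groups, if_ip, raw = parse_config(text)
    findings = []
    for st in statics:
        acl = groups.get(st.mapped_if)  # the ACL bound to the interface the static is exposed on
        hits = [a for a in aces if a.acl == acl and _ace_covers(a, st, if_ip.get(st.mapped_if))]
        where = f"{st.proto}/{st.mapped_port} -> {st.real_addr}:{st.real_port}"
        if not hits:
            findings.append(("missing-ace", f"static {where} has no permit in ACL '{acl}' on {st.mapped_if}"))
        elif not any(a.log for a in hits):
            findings.append(("unlogged", f"static {where} is permitted, but the ACE has no 'log' keyword"))
    for ifname, acl in groups.items():
        if any(a.acl == acl and (a.action, a.proto, a.src, a.dst) == ("permit", "ip", "any", "any") for a in aces):
            findings.append(("permit-ip-any-any", f"access-list {acl} on {ifname} permits ip any any"))
    if "snmp-server community public" in raw:
        findings.append(("snmp-default-community", "SNMP read community is still the default 'public'"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_port_forward_issues(SAMPLE_CONFIG):
        print(f"[{kind}] {detail}")
```

Run against the constructed sample it reports the three real forwards as permitted but unlogged, the extra 3389 static as having no permit at all, the inside ACL 300 as wide open, and the default SNMP community. Feed it your own `write terminal` output (with the public IP masked, as in the thread) to get the same checks on a live config.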
Expert Comment

by:shirkan
OK, your config is OK; seems like the problem is somewhere else.
Is the DVR's gateway set to 10.63.104.11?
And if you access it from inside your network, do you also do that with port 82?
Expert Comment

by:shirkan
Also add the following to the access-list lines:

access-list inbound permit tcp any any eq 82 log 4
access-list inbound permit tcp any any eq 15962 log 4
access-list inbound permit tcp any any eq 9000 log 4

Now you will see it in your log if you access it from the outside, because it will log it.
But remember, you CANNOT test this from INSIDE your LAN;
you have to be on a different connection to access that DVR from the internet.
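Once the ACEs carry `log`, the hit messages are the quickest way to see which forwarded ports are actually being reached on the outside interface and which never get a hit. The following Python is an added example, not from the thread: it parses constructed syslog lines in the general shape of the PIX 6.3 `%PIX-4-106100` message and summarizes permitted hits per destination port, the sources they came from, and the expected ports with no hits at all. The exact field layout on a real box may differ, so the regex is an assumption to adjust against your own syslog; the outside addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog lines in the general shape of the PIX 6.3 %PIX-4-106100 message that an
# access-list entry with 'log' emits. Outside addresses are documentation ranges, not real hosts;
# nothing here was captured from the device in the thread.
SAMPLE_LOG = """\
Sep 17 2010 14:02:11 cisco-pix %PIX-4-106100: access-list inbound permitted tcp outside/198.51.100.7(51342) -> inside/10.63.104.148(82) hit-cnt 1 first hit [0x0, 0x0]
Sep 17 2010 14:02:13 cisco-pix %PIX-4-106100: access-list inbound permitted tcp outside/198.51.100.7(51343) -> inside/10.63.104.148(9000) hit-cnt 1 first hit [0x0, 0x0]
Sep 17 2010 14:07:13 cisco-pix %PIX-4-106100: access-list inbound permitted tcp outside/203.0.113.9(40011) -> inside/10.63.104.148(82) hit-cnt 3 300-second interval [0x0, 0x0]
"""

# Assumed field layout: acl, permitted|denied, proto, src_if/src_ip(src_port) -> dst_if/dst_ip(dst_port), hit-cnt N
HIT_RE = re.compile(
    r"%PIX-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>\w+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> (?P<dif>\w+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<cnt>\d+)"
)


def summarize_acl_hits(log_text, acl, expected_ports, iface="outside"):
    """Aggregate permitted hits on one ACL, arriving on one interface, by destination port.

    Hits from any other interface are ignored on purpose: a test run from inside the LAN
    never enters through the outside interface, so it cannot count as proof the forward works.
    """
    hits, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m or m["acl"] != acl or m["action"] != "permitted" or m["sif"] != iface:
            continue
        port = int(m["dport"])
        hits[port] += int(m["cnt"])  # hit-cnt already sums repeats within one logging interval
        sources[port].add(m["sip"])
    return {
        "hits": dict(hits),
        "sources": {p: sorted(s) for p, s in sources.items()},
        "never_hit": sorted(p for p in expected_ports if p not in hits),
    }


if __name__ == "__main__":
    summary = summarize_acl_hits(SAMPLE_LOG, "inbound", [82, 15962, 9000])
    for port, n in sorted(summary["hits"].items()):
        print(f"tcp/{port}: {n} hit(s) from {', '.join(summary['sources'][port])}")
    print("expected but never hit:", summary["never_hit"])
```

On the constructed sample this shows four hits on tcp/82 from two sources, one on tcp/9000, and tcp/15962 never reached, which is the kind of gap that points at either the client never trying that port or the packets never arriving at the outside interface.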
Expert Comment

by:shirkan
If there is supposed to be a web application manager coming up, then it does work; I just tested it.
Expert Comment

by:Kalmeradmin
Yeah, it looks like it is working.
Expert Comment

by:shirkan
pshhh , good, at least we are done :) right?
Author Comment

by:kaosmadness
Yes it is, thank you both!!!!!