Cisco ASA 5505 and security cam setup

Our security cam interface is on The Macs use an application called ACS/Digital Watchdog to view the cam images. We don't want web-based viewing, just the app on ports 9010 and 9011.

We have a Cisco VPN which allows access to all services on the LAN EXCEPT the security cams. For reasons unknown to me, we just can't view the cams over the VPN.

The VPN assigned subnet is Maybe the security cam is not allowing the NAT? With other networks I've worked on, this has not been an issue. Why now?

We're supposed to open ports 9010 and 9011 for the cam software. We could open up those ports to the world, but we don't want non-VPN users to access the cams.

So I set up a NAT rule and an Access Rule allowing traffic from to, over those ports. The result: traffic to the Internet became unavailable. ??

How can we allow VPN users to see the cams without opening those ports to the world? Any thoughts?


gavving Commented:
How about changing the VPN pool so that it allocates IPs out of the network?

The following changes would be needed:

access-list no-nat extended permit ip
access-list split-tunnel extended permit ip
ip local pool remotevpnpool2 mask
tunnel-group DefaultRAGroup general-attributes
 address-pool remotevpnpool2
Is it possible that your security cam DVR device is not configured with a default gateway? Its default gateway most likely needs to be the inside IP of the ASA.
Gavving is correct, check that gateway. If possible, try pinging the ASA from the DVR (most DVRs give you telnet access).

Can the cameras be accessed from inside the LAN on these ports?  

Also, during the attempt that is failing, check the ASA logs for any dropped packets. Run SHOW LOGGING at the CLI or look at the ASDM syslog screen for any errors. If you see one, post it here.

Otherwise, post a sanitized config from the asa.  

d4nnyo (Author) Commented:
Part of the issue is that I don't have access to the DVR. There's some tension between me (the sysadmin) and the security company. They have not been forthcoming about responding to my requests for password changes, etc., and they've insisted that I open the cams to the outside world, leaving nothing but a 6-digit password on a browser between anyone on the Internet and live images of our business. (OK, fine, the pub IP is not easy to find, but anyone who stumbles on it and runs a port scan will find 9010 and 9011 open, and extrapolate from there.)

I think the security co. wants to be able to view the activities of the business themselves. I'm trying to use the VPN setup to thwart them and everyone else. Anyway, it's a much more secure setup for us.

Back to the issue: Yes, the cams can be accessed from inside the LAN at, over port 9010. Does that shed light on the source of the problem?
The configuration of the ASA is probably going to be needed to prove that the ACLs and what-not are set up correctly.

The only other thing I can think of that might be the issue is a network configuration issue on the DVR. Say for example it had a subnet mask of (the default for the 192.168.x.x IP blocks), and not
d4nnyo (Author) Commented:
Below is the ASA config.

Bear in mind that the VPN is working fine for all other services on the network. Also, in the past, similar ASA configs have allowed security cam access.

Here are successful pings to the DVR IP from the ASA:

Result of the command: "ping"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I've attempted "show logging" but nothing is revealed when I try to reach the DVR. Also, my VPN session becomes unstable when I try to use ASDM's monitoring function. The VPN session gets dumped repeatedly. I'm able to get back in, but it is not stable. Never seen this issue before.

: Saved
ASA Version 8.2(1)
enable password encrypted
passwd  encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service SecCam tcp
 port-object eq 9010
access-list no-nat extended permit ip
access-list split-tunnel extended permit ip
access-list inside_access_in extended permit ip any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remotevpnpool mask
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1
access-group inside_access_in in interface inside control-plane
route outside  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd dns  interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username password encrypted
username password encrypted privilege 15
username password encrypted privilege 15
username password encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool remotevpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
You say you can access any other host in the subnet over VPN.     So can you run an nmap scan against those other hosts and get the correct results?   What happens when you try to run a nmap scan against the DVR?  

Also, instead of ASDM access, try using the CLI and doing a SHOW LOGGING for the most recent log items.   Might work better than the full GUI
d4nnyo (Author) Commented:
Dude, it worked!
FYI, the fact that it worked confirms for me that the security cam probably does not have its IP settings configured correctly. Either it is missing a default gateway or it has an incorrect subnet mask. But either way, sometimes you just gotta work with what's there, and this solution can work fine.
d4nnyo (Author) Commented:
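To make the default-gateway / subnet-mask diagnosis above concrete, here is an added example that is not part of the thread and not Cisco code: a small Python model of the DVR's reply-path decision. All addresses are constructed, because the thread's real ones were redacted: it assumes a 192.168.1.0/24 inside subnet with the ASA at 192.168.1.1, the DVR at 192.168.1.50, the original VPN pool on 192.168.2.0/24, and a replacement pool carved from the LAN as gavving suggested. The ASA proxy-ARP behaviour is likewise an assumption, stated in the code. Ports 9010/9011 are not modelled because the failure is at layer 3: the VPN client's packet reaches the DVR, but the DVR's reply never leaves it, which is also why show logging records no drop on the ASA.

```python
"""Model of why a LAN host with no default gateway (or a wrong mask) cannot
answer VPN clients on a separate subnet, and why a VPN pool carved out of the
LAN subnet works anyway.  Added example; all addresses below are constructed."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional, Set

# Constructed topology (the thread's real addresses were redacted).
INSIDE_NET = IPv4Network("192.168.1.0/24")   # ASA 'inside' (Vlan1) subnet
ASA_INSIDE = IPv4Address("192.168.1.1")      # ASA inside interface address
DVR_IP = IPv4Address("192.168.1.50")         # security-cam DVR
WORKSTATION_IP = IPv4Address("192.168.1.20") # a normally configured LAN host
OLD_POOL = IPv4Network("192.168.2.0/24")     # original remotevpnpool, separate subnet
LAN_POOL = IPv4Network("192.168.1.224/27")   # pool carved out of the LAN (gavving's fix)


class LanHost:
    """A host on the inside segment, reduced to its reply-packet forwarding decision."""

    def __init__(self, ip: IPv4Address, prefix_len: int,
                 gateway: Optional[IPv4Address]) -> None:
        self.iface = IPv4Interface(f"{ip}/{prefix_len}")
        self.gateway = gateway

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        """Address the host will ARP for when replying to dst; None if it has no route."""
        if dst in self.iface.network:
            return dst            # host believes dst is on-link: ARP for dst itself
        if self.gateway is not None:
            return self.gateway   # off-link: hand the reply to the default gateway
        return None               # no gateway configured: reply is dropped on the host


def arp_responders(vpn_pool: IPv4Network) -> Set[IPv4Address]:
    """Addresses that answer ARP on the inside segment.

    Assumption (ours, not from the thread): the ASA proxy-ARPs on its inside
    interface for VPN-client addresses only when the pool lies within the inside
    subnet; for a pool on a foreign subnet nothing on the LAN answers ARP."""
    responders = {ASA_INSIDE, DVR_IP, WORKSTATION_IP}
    if vpn_pool.subnet_of(INSIDE_NET):
        responders.update(vpn_pool.hosts())
    return responders


def diagnose(host: LanHost, vpn_pool: IPv4Network) -> str:
    """Can the host's reply to a VPN client get back to the ASA?

    Returns 'ok', 'no-route' (host has no path at all, so the ASA never sees or
    logs anything) or 'arp-timeout' (host ARPs for an address nobody owns)."""
    client = next(vpn_pool.hosts())        # first assignable pool address
    hop = host.next_hop(client)
    if hop is None:
        return "no-route"
    if hop not in arp_responders(vpn_pool):
        return "arp-timeout"
    return "ok"


def scenarios() -> dict:
    """The cases discussed in the thread, each mapped to its outcome."""
    return {
        "workstation /24 with gateway, pool on separate subnet":
            diagnose(LanHost(WORKSTATION_IP, 24, ASA_INSIDE), OLD_POOL),
        "DVR /24, no gateway, pool on separate subnet":
            diagnose(LanHost(DVR_IP, 24, None), OLD_POOL),
        "DVR /24 with gateway = ASA, pool on separate subnet":
            diagnose(LanHost(DVR_IP, 24, ASA_INSIDE), OLD_POOL),
        "DVR /24, no gateway, pool carved from the LAN":
            diagnose(LanHost(DVR_IP, 24, None), LAN_POOL),
        "DVR with /16 mask and gateway, pool on separate subnet":
            diagnose(LanHost(DVR_IP, 16, ASA_INSIDE), OLD_POOL),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Running it prints one outcome per scenario. The "pool carved from the LAN" case only works because the ASA answers ARP for those addresses on the inside interface, so the pool must be kept out of the inside DHCP scope (the posted config has dhcpd enable inside) and must not overlap any statically addressed host; the wrong-mask case fails differently (an ARP timeout on the DVR rather than a silently dropped reply), but from the ASA's point of view both look the same: no return traffic and nothing in the log.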
I got into the DVR management interface and found that there is no IP setting for SM or GW -- there is simply no entry box for either setting. Just an IP address.

This is a "Digital Watchdog"-branded DVR.