Solved

Cisco ASA 5505 and security cam setup

Posted on 2011-03-15
Last Modified: 2012-05-11

Our security cam interface is on 192.168.119.230. The Macs use an application called ACS/Digital Watchdog to view the cam images. We don't want web-based viewing, just the app on ports 9010 and 9011.

We have a Cisco VPN which allows access to all services on the LAN EXCEPT the security cams. For reasons unknown to me, we just can't view the cams over the VPN.

The VPN assigned subnet is 192.168.50.0. Maybe the security cam is not allowing the NAT? With other networks I've worked on, this has not been an issue. Why now?

We're supposed to open ports 9010 and 9011 for the cam software. We could open up those ports to the world, but we don't want non-VPN users to access the cams.

So I set up a NAT rule and an Access Rule allowing traffic from 192.168.50.0 to 192.168.119.230, over those ports. The result: traffic to the Internet became unavailable. ??

How can we allow VPN users to see the cams without opening those ports to the world? Any thoughts?

Thanks!
Question by:d4nnyo
10 Comments
 
LVL 9

Expert Comment

by:gavving
ID: 35144398
Is it possible that your security cam DVR device is not configured with a default gateway? Its default gateway most likely needs to be the inside IP of the ASA.
 
LVL 33

Expert Comment

by:MikeKane
ID: 35149536
Gavving is correct, check that gateway. If possible, try pinging the ASA from the DVR (most DVRs give you telnet access).

Can the cameras be accessed from inside the LAN on these ports?  

Also, during the attempt that is failing, check the ASA logs for any dropped packets. SHOW LOGGING at the CLI or look at the ASDM syslog screen to check for any errors. If you see one, post here.

Otherwise, post a sanitized config from the ASA.
 
LVL 1

Author Comment

by:d4nnyo
ID: 35150982
Part of the issue is that I don't have access to the DVR. There's some tension between me (the sysadmin) and the security company. They have not been forthcoming about responding to my requests for password changes, etc., and they've insisted that I open the cams to the outside world, leaving nothing but a 6-digit password on a browser between anyone on the Internet and live images of our business. (OK, fine, the pub IP is not easy to find, but anyone who stumbles on it and runs a port scan will find 9010 and 9011 open, and extrapolate from there.)

I think the security co. wants to be able to view the activities of the business themselves. I'm trying to use the VPN setup to thwart them and everyone else. Anyway, it's a much more secure setup for us.

Back to the issue: Yes, the cams can be accessed from inside the LAN at 192.168.119.230, over port 9010. Does that shed light on the source of the problem?
 
LVL 9

Expert Comment

by:gavving
ID: 35152487
The configuration of the ASA is probably going to be needed to prove that the ACLs and what-not are set up correctly.

The only other thing I can think of that might be the issue is a network configuration issue on the DVR. Say for example it had a subnet mask of 255.255.0.0 (the default for the 192.168.x.x IP blocks), and not 255.255.255.0.
 
LVL 1

Author Comment

by:d4nnyo
ID: 35181482
Below is the ASA config.

Bear in mind that the VPN is working fine for all other services on the 192.168.119.0 network. Also, in the past, similar ASA configs have allowed security cam access.

Here are successful pings to the DVR IP from the ASA:

Result of the command: "ping 192.168.119.230"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.119.230, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


I've attempted "show logging" but nothing is revealed when I try to reach the DVR. Also, my VPN session becomes unstable when I try to use ASDM's monitoring function. The VPN session gets dumped repeatedly. I'm able to get back in, but it is not stable. Never seen this issue before.

: Saved
:
ASA Version 8.2(1)
!
hostname
enable password encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.119.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address  255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service SecCam tcp
 port-object eq 9010
access-list no-nat extended permit ip 192.168.119.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.119.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remotevpnpool 192.168.50.100-192.168.50.150 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.119.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
!
dhcpd address 192.168.119.50-192.168.119.100 inside
dhcpd dns  interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username password encrypted
username password encrypted privilege 15
username password encrypted privilege 15
username password encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool remotevpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:fa19c5f42356fe8fe93855a04b0f7f52
: end
 
LVL 33

Expert Comment

by:MikeKane
ID: 35183486
You say you can access any other host in the subnet over VPN. So can you run an nmap scan against those other hosts and get the correct results? What happens when you try to run an nmap scan against the DVR?

Also, instead of ASDM access, try using the CLI and doing a SHOW LOGGING for the most recent log items. Might work better than the full GUI.
 
LVL 9

Accepted Solution

by:gavving (earned 500 total points)
ID: 35189824
How about changing the VPN pool so that it allocates IPs out of the 192.168.119.0/24 network?

The following changes would be needed:

access-list no-nat extended permit ip 192.168.119.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.119.0 255.255.255.0 192.168.119.0 255.255.255.0
ip local pool remotevpnpool2 192.168.119.101-192.168.119.130 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
 address-pool remotevpnpool2
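The accepted answer changes three things that have to agree with each other (the address pool, the NAT-exemption ACL used by "nat (inside) 0", and the split-tunnel ACL) and carves the new pool out of a subnet that also has a DHCP scope. The checker below is an added example, not code from the thread or from Cisco: it parses those ASA 8.2-style lines, verifies that the pool fits in one subnet, that both ACLs cover LAN-to-pool traffic, and that the pool does not collide with the "dhcpd address" range. The two config fragments are constructed from the lines posted above (the first matches the original config, the second the proposed change); the regexes are assumptions that cover only the exact line forms seen here. Run against the original config it finds nothing wrong, which is consistent with the thread's conclusion that the ASA side was fine and the DVR's IP settings were the problem.

```python
# Added example (not from the thread): consistency checks for the ASA 8.2 settings that must
# agree for a remote-access VPN client to reach the inside LAN without NAT: the address pool,
# the NAT-exemption ACL (nat (inside) 0) and the split-tunnel ACL, plus a collision check
# against the inside DHCP scope. Config fragments are constructed to match the thread.
import ipaddress
import re

# Assumption: these patterns cover only the line forms that appear in the posted config.
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
DHCP_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)$")

ORIGINAL_CFG = """
ip local pool remotevpnpool 192.168.50.100-192.168.50.150 mask 255.255.255.0
access-list no-nat extended permit ip 192.168.119.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.119.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
dhcpd address 192.168.119.50-192.168.119.100 inside
"""

PROPOSED_CFG = """
ip local pool remotevpnpool2 192.168.119.101-192.168.119.130 mask 255.255.255.0
access-list no-nat extended permit ip 192.168.119.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.119.0 255.255.255.0 192.168.119.0 255.255.255.0
dhcpd address 192.168.119.50-192.168.119.100 inside
"""


def parse(config):
    """Pull pools, ip-permit ACL entries and DHCP ranges out of a config text."""
    pools, acls, dhcp = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            name, lo, hi, mask = m.groups()
            pools[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi), mask)
            continue
        m = ACL_RE.match(line)
        if m:  # "any" entries have too few tokens for this pattern and are skipped
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = DHCP_RE.match(line)
        if m:
            lo, hi, _iface = m.groups()
            dhcp.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return pools, acls, dhcp


def check(config, pool_name, lan, no_nat="no-nat", split="split-tunnel"):
    """Return a list of problems; an empty list means pool, both ACLs and DHCP agree."""
    problems = []
    pools, acls, dhcp = parse(config)
    if pool_name not in pools:
        return [f"pool {pool_name} is not defined"]
    lo, hi, mask = pools[pool_name]
    if hi < lo:
        problems.append(f"pool {pool_name}: end {hi} is below start {lo}")
    pool_net = ipaddress.ip_network(f"{lo}/{mask}", strict=False)
    if hi not in pool_net:
        problems.append(f"pool {pool_name}: {lo}-{hi} does not fit in one {mask} subnet")
    lan_net = ipaddress.ip_network(lan)
    # Both ACLs are written LAN (source) -> VPN clients (destination) in this config.
    for acl in (no_nat, split):
        covered = any(lan_net.subnet_of(src) and lo in dst and hi in dst
                      for src, dst in acls.get(acl, []))
        if not covered:
            problems.append(f"ACL {acl} has no entry covering {lan_net} -> {lo}-{hi}")
    for dlo, dhi in dhcp:
        if lo <= dhi and dlo <= hi:  # classic interval overlap test
            problems.append(f"pool {pool_name} overlaps DHCP range {dlo}-{dhi}")
    return problems


if __name__ == "__main__":
    for label, cfg, pool in (("original", ORIGINAL_CFG, "remotevpnpool"),
                             ("proposed", PROPOSED_CFG, "remotevpnpool2")):
        print(label, check(cfg, pool, "192.168.119.0/24") or "OK")
```

A pool whose end address was retyped into the wrong /24 is reported both as "end below start" and as not covered by either ACL, so a slip in the pool line is caught before it is pasted into the ASA; the same check shows that a pool starting below .101 would collide with the DHCP scope.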
 
LVL 1

Author Closing Comment

by:d4nnyo
ID: 35217205
Dude, it worked!
 
LVL 9

Expert Comment

by:gavving
ID: 35231085
FYI the fact that it worked confirms for me that the security cam probably does not have its IP settings configured correctly. Either missing a default gateway or an incorrect subnet mask. But either way sometimes you just gotta work with what's there, and this solution can work fine.
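The explanation above (the DVR answers LAN hosts but not VPN clients because it has no usable gateway or mask, and a pool carved out of the LAN subnet sidesteps that) can be checked against a small model of the forwarding decision a host makes when it has to send a reply. The script below is an added example, not code from the thread: it covers the missing-gateway case, the 255.255.0.0 mask hypothesis from earlier in the thread, a normally configured LAN PC, and the accepted fix. Addresses are the ones posted here; the ARP model, in particular the assumption that the ASA answers ARP on the inside segment for VPN client addresses that fall inside the inside subnet, and the assumption that a device with no mask setting behaves as if it had a /24 mask, are labelled in the comments and are not something the thread states.

```python
# Added example (not from the thread): model of the forwarding decision an IP host makes when
# it answers a packet, used to show why a DVR with no gateway or a wrong mask reaches LAN hosts
# but not VPN clients in 192.168.50.0/24, and why a pool inside 192.168.119.0/24 works around it.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

LAN = ipaddress.ip_network("192.168.119.0/24")
ASA_INSIDE = "192.168.119.1"
# Constructed: hosts physically present on the inside segment that answer ARP for themselves.
PRESENT = {ASA_INSIDE, "192.168.119.230", "192.168.119.60"}


@dataclass
class Host:
    ip: str
    mask: Optional[str] = None      # None: the device offers no subnet-mask setting
    gateway: Optional[str] = None   # None: no default gateway configured

    def can_reply_to(self, dst: str, arp_answers: Callable[[str], bool]) -> Tuple[bool, str]:
        """Decide whether this host can put a reply to dst on the wire.

        arp_answers(ip) models whether an ARP request for ip on the local segment is answered.
        Returns (deliverable, reason).
        """
        dst_ip = ipaddress.ip_address(dst)
        # Assumption: a device with no mask setting behaves as if it had the classful /24 mask.
        on_link = ipaddress.ip_network(f"{self.ip}/{self.mask or '255.255.255.0'}", strict=False)
        if dst_ip in on_link:
            if arp_answers(dst):
                return True, f"{dst} is on-link in {on_link}: delivered directly"
            return False, f"{dst} is believed on-link in {on_link} but nobody answers ARP: dropped"
        if self.gateway is None:
            return False, f"{dst} is off-link and no default gateway is set: dropped"
        if arp_answers(self.gateway):
            return True, f"{dst} is off-link: forwarded to gateway {self.gateway}"
        return False, f"gateway {self.gateway} does not answer ARP: dropped"


def segment_arp(pool_lo: str, pool_hi: str) -> Callable[[str], bool]:
    """ARP model for the inside segment given the VPN pool range in use.

    Assumption: the ASA answers ARP on its inside interface for VPN client addresses that fall
    inside the inside subnet; nothing answers for addresses in other subnets.
    """
    lo, hi = ipaddress.ip_address(pool_lo), ipaddress.ip_address(pool_hi)

    def answers(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if ip in PRESENT:
            return True                       # a physical LAN host or the ASA itself
        return lo <= addr <= hi and addr in LAN  # ASA proxying for a LAN-subnet pool address
    return answers


def scenarios():
    """Return {name: (deliverable, reason)} for the situations discussed in the thread."""
    dvr_no_gw = Host("192.168.119.230")                                  # IP only, as found on the DVR
    dvr_bad_mask = Host("192.168.119.230", "255.255.0.0", ASA_INSIDE)   # the /16 mask hypothesis
    lan_pc = Host("192.168.119.60", "255.255.255.0", ASA_INSIDE)        # normally configured LAN host
    old_pool = segment_arp("192.168.50.100", "192.168.50.150")          # original VPN pool
    new_pool = segment_arp("192.168.119.101", "192.168.119.130")        # pool from the accepted answer
    return {
        "dvr_no_gw_to_lan_pc": dvr_no_gw.can_reply_to("192.168.119.60", old_pool),
        "dvr_no_gw_to_old_pool": dvr_no_gw.can_reply_to("192.168.50.100", old_pool),
        "dvr_bad_mask_to_old_pool": dvr_bad_mask.can_reply_to("192.168.50.100", old_pool),
        "lan_pc_to_old_pool": lan_pc.can_reply_to("192.168.50.100", old_pool),
        "dvr_no_gw_to_new_pool": dvr_no_gw.can_reply_to("192.168.119.101", new_pool),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:28} {'OK  ' if ok else 'FAIL'} {why}")
```

The model also makes the limit of the workaround visible: it only helps because the pool lands in a subnet the DVR already treats as on-link, so anything else that needs to reach the DVR from another subnet (a second site over a LAN-to-LAN tunnel, for instance) would still fail until the DVR gets a real gateway setting.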
 
LVL 1

Author Comment

by:d4nnyo
ID: 35231986
I got into the DVR management interface and found that there is no IP setting for SM or GW -- there is simply no entry box for either setting. Just an IP address.

This is a "Digital Watchdog"-branded DVR.