Cisco ASA 5505 and security cam setup

d4nnyo asked:


Our security cam interface is on 192.168.119.230. The Macs use an application called ACS/Digital Watchdog to view the cam images. We don't want web-based viewing, just the app on ports 9010 and 9011.

We have a Cisco VPN which allows access to all services on the LAN EXCEPT the security cams. For reasons unknown to me, we just can't view the cams over the VPN.

The VPN-assigned subnet is 192.168.50.0. Maybe the security cam is not allowing the NAT? With other networks I've worked on, this has not been an issue. Why now?

We're supposed to open ports 9010 and 9011 for the cam software. We could open up those ports to the world, but we don't want non-VPN users to access the cams.

So I set up a NAT rule and an Access Rule allowing traffic from 192.168.50.0 to 192.168.119.230, over those ports. The result: traffic to the Internet became unavailable. ??

How can we allow VPN users to see the cams without opening those ports to the world? Any thoughts?

Thanks!
gavving

Is it possible that your security cam DVR device is not configured with a default gateway? Its default gateway needs to be the inside IP of the ASA, most likely.
Gavving is correct, check that gateway. If possible, try pinging the ASA from the DVR (most DVRs give you telnet access).

Can the cameras be accessed from inside the LAN on these ports?

Also, during the attempt that is failing, check the ASA logs for any dropped packets. SHOW LOGGING at the CLI or look at the ASDM syslog screen to check for any errors. If you see one, post here.

Otherwise, post a sanitized config from the ASA.
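As an added example (not part of the thread), here is a small Python triage of ASA "show logging" output. It separates the two things the advice above is trying to distinguish: a packet the ASA denied by access-list (message 106023) versus a connection the ASA built and forwarded (302013) that was then torn down with "SYN Timeout" and 0 bytes (302014), meaning the destination host never answered. The log lines, the ACL name "outside_access_in" and the 203.0.113.7 scanner address are constructed for the example, not taken from the poster's device.

```python
"""Triage "show logging" output for one destination host.

Added example, not code from the original thread. Three ASA syslog IDs tell
"the firewall dropped it" apart from "the firewall forwarded it but the host
never answered":
  106023  packet denied by an access-list
  302013  TCP connection built (the SYN was forwarded)
  302014  TCP connection torn down; reason "SYN Timeout" with 0 bytes means
          no SYN-ACK ever came back from the destination
The log lines below are constructed in the ASA 8.x message format.
"""
import re
from typing import Optional

SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4411 for outside:192.168.50.100/52011 (192.168.50.100/52011) to inside:192.168.119.230/9010 (192.168.119.230/9010)
%ASA-6-302014: Teardown TCP connection 4411 for outside:192.168.50.100/52011 to inside:192.168.119.230/9010 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4412 for outside:192.168.50.100/52012 (192.168.50.100/52012) to inside:192.168.119.10/445 (192.168.119.10/445)
%ASA-6-302014: Teardown TCP connection 4412 for outside:192.168.50.100/52012 to inside:192.168.119.10/445 duration 0:02:11 bytes 18233 TCP FINs
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40000 dst inside:192.168.119.230/9010 by access-group "outside_access_in" [0x0, 0x0]
"""

# Access-list deny: the ASA itself refused the packet.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
# Connection teardown: the trailing reason says how the flow ended.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection \d+ for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def triage(log_text: str, dst_host: str, src_host: Optional[str] = None) -> dict:
    """Bucket log lines about dst_host (optionally only those from src_host)."""
    summary = {"denied": [], "syn_timeouts": [], "closed": []}
    for line in log_text.splitlines():
        m = DENY_RE.search(line) or TEARDOWN_RE.search(line)
        if not m or m["dst"] != dst_host:
            continue
        if src_host and m["src"] != src_host:
            continue
        if "acl" in m.groupdict():
            summary["denied"].append((m["src"], int(m["dport"]), m["acl"]))
        elif m["reason"] == "SYN Timeout" and int(m["bytes"]) == 0:
            summary["syn_timeouts"].append((m["src"], int(m["dport"])))
        else:
            summary["closed"].append((m["src"], int(m["dport"]), m["reason"]))
    return summary


def verdict(summary: dict) -> str:
    """Where to look next, given what the ASA logged."""
    if summary["syn_timeouts"]:
        return "host-not-replying"   # ASA forwarded the SYN; check the host's gateway/mask
    if summary["denied"]:
        return "blocked-by-acl"      # fix the access rule or NAT on the ASA
    if summary["closed"]:
        return "working"
    return "no-evidence"             # nothing logged: raise the logging level


if __name__ == "__main__":
    vpn_view = triage(SAMPLE_LOG, "192.168.119.230", "192.168.50.100")
    print(vpn_view, verdict(vpn_view))
    print(verdict(triage(SAMPLE_LOG, "192.168.119.10")))
```

Run against real output, the useful split is by source: a SYN Timeout from the VPN pool address with no matching 106023 line means the ASA did its part and the problem is on the far host, which is exactly the case a missing gateway produces.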
d4nnyo (ASKER)

Part of the issue is that I don't have access to the DVR. There's some tension between me (the sysadmin) and the security company. They have not been forthcoming about responding to my requests for password changes, etc., and they've insisted that I open the cams to the outside world, leaving nothing but a 6-digit password on a browser between anyone on the Internet and live images of our business. (OK, fine, the pub IP is not easy to find, but anyone who stumbles on it and runs a port scan will find 9010 and 9011 open, and extrapolate from there.)

I think the security co. wants to be able to view the activities of the business themselves. I'm trying to use the VPN setup to thwart them and everyone else. Anyway, it's a much more secure setup for us.

Back to the issue: Yes, the cams can be accessed from inside the LAN at 192.168.119.230, over port 9010. Does that shed light on the source of the problem?
The configuration of the ASA is probably going to be needed to prove that the ACLs and what-not are set up correctly.

The only other thing I can think of that might be the issue is a network configuration issue on the DVR. Say, for example, it had a subnet mask of 255.255.0.0 (the default for the 192.168.x.x IP blocks), and not 255.255.255.0.
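To make the two suspects raised in these replies concrete (no default gateway on the DVR, and an over-wide subnet mask), here is an added Python model that is not part of the thread. It reuses the thread's addresses (DVR 192.168.119.230, ASA inside 192.168.119.1, VPN pool 192.168.50.x) and shows why a host with either defect answers LAN clients but not VPN clients even though the ASA forwards the traffic. The last case, the ASA source-NATting VPN traffic to its inside interface address so the DVR sees an on-link peer, is a common workaround for gateway-less devices and is an assumption of the example, not something taken from the thread.

```python
"""Why a LAN host answers LAN clients but not VPN clients.

Added example, not code from the original thread. It models the reply path of
a DVR-like host for hypothetical IP configurations: missing default gateway,
/16 subnet mask, correct settings, and traffic NATted to the ASA inside address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional

LAN = "192.168.119.0/24"        # the wire the DVR actually sits on
INSIDE_IF = "192.168.119.1"     # ASA inside interface (from the posted config)
VPN_CLIENT = "192.168.50.100"   # an address from remotevpnpool


@dataclass(frozen=True)
class HostIpConfig:
    """IP settings of the host being reached (the DVR)."""
    address: str
    mask: str
    gateway: Optional[str] = None   # None models a DVR with no gateway setting

    def network(self) -> IPv4Network:
        return IPv4Interface(f"{self.address}/{self.mask}").network


def reply_path(host: HostIpConfig, client: str) -> str:
    """How `host` would try to route a reply to `client`.

    on-link      client is inside the host's own subnet, so the host ARPs for it
    via-gateway  off-link, handed to the configured default gateway
    unreachable  off-link with no gateway: the reply never leaves the host
    """
    if IPv4Address(client) in host.network():
        return "on-link"
    if host.gateway is None:
        return "unreachable"
    return "via-gateway"


def handshake_completes(host: HostIpConfig, client: str, lan: str = LAN) -> bool:
    """Can a TCP handshake from `client` to `host` complete?

    Assumes the firewall already forwarded the SYN (the thread's ACLs allow it);
    the only question is whether the SYN-ACK gets back. An on-link reply works
    only if the client is really on the LAN wire: a VPN pool address the host
    believes is local (e.g. because of a /16 mask) is ARPed for and never answers.
    """
    path = reply_path(host, client)
    if path == "via-gateway":
        return True
    if path == "on-link":
        return IPv4Address(client) in IPv4Network(lan)
    return False


# Hypothetical DVR configurations, constructed for the example.
NO_GATEWAY = HostIpConfig("192.168.119.230", "255.255.255.0")
WIDE_MASK = HostIpConfig("192.168.119.230", "255.255.0.0", INSIDE_IF)
CORRECT = HostIpConfig("192.168.119.230", "255.255.255.0", INSIDE_IF)


def scenarios() -> dict:
    """Outcomes for the cases discussed in the thread."""
    return {
        # works from the LAN even without a gateway: the reply is on-link
        "lan_client_no_gateway": handshake_completes(NO_GATEWAY, "192.168.119.50"),
        # VPN client, DVR without a gateway: the reply cannot be routed
        "vpn_client_no_gateway": handshake_completes(NO_GATEWAY, VPN_CLIENT),
        # VPN client, DVR with /16 mask: 192.168.50.x looks local, ARP goes unanswered
        "vpn_client_wide_mask": handshake_completes(WIDE_MASK, VPN_CLIENT),
        # VPN client, DVR configured correctly: the reply goes via the ASA
        "vpn_client_correct": handshake_completes(CORRECT, VPN_CLIENT),
        # assumed workaround: ASA source-NATs VPN traffic to its inside address,
        # so even the gateway-less DVR sees an on-link peer
        "vpn_client_natted_no_gateway": handshake_completes(NO_GATEWAY, INSIDE_IF),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30s} {'connects' if ok else 'times out'}")
```

The model also explains why the ASA's own ping to the DVR succeeds: the ASA's inside address is on-link for the DVR, so that test says nothing about whether off-subnet clients can get a reply.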
d4nnyo (ASKER)

Below is the ASA config.

Bear in mind that the VPN is working fine for all other services on the 192.168.119.0 network. Also, in the past, similar ASA configs have allowed security cam access.

Here are successful pings to the DVR IP from the ASA:

Result of the command: "ping 192.168.119.230"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.119.230, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


I've attempted "show logging" but nothing is revealed when I try to reach the DVR. Also, my VPN session becomes unstable when I try to use ASDM's monitoring function. The VPN session gets dumped repeatedly. I'm able to get back in, but it is not stable. Never seen this issue before.




: Saved
:
ASA Version 8.2(1)
!
hostname
enable password encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.119.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address  255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service SecCam tcp
 port-object eq 9010
access-list no-nat extended permit ip 192.168.119.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.119.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remotevpnpool 192.168.50.100-192.168.50.150 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0  1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.119.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
!
dhcpd address 192.168.119.50-192.168.119.100 inside
dhcpd dns  interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username password encrypted
username password encrypted privilege 15
username password encrypted privilege 15
username password encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool remotevpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:fa19c5f42356fe8fe93855a04b0f7f52
: end
You say you can access any other host in the subnet over VPN. So can you run an nmap scan against those other hosts and get the correct results? What happens when you try to run an nmap scan against the DVR?

Also, instead of ASDM access, try using the CLI and doing a SHOW LOGGING for the most recent log items. Might work better than the full GUI.
ASKER CERTIFIED SOLUTION
gavving

This solution is only available to members.
d4nnyo (ASKER)
Dude, it worked!
FYI, the fact that it worked confirms for me that the security cam probably does not have its IP settings configured correctly. Either missing a default gateway or an incorrect subnet mask. But either way, sometimes you just gotta work with what's there, and this solution can work fine.
d4nnyo (ASKER)
I got into the DVR management interface and found that there is no IP setting for SM or GW -- there is simply no entry box for either setting. Just an IP address.

This is a "Digital Watchdog"-branded DVR.