firewall issue

I have a Cisco ASA and am trying to set up access to an in-house DVR. The DVR has web viewing software running on port 12088, and it works fine internally. I set up a NAT from the outside interface TCP port 12088 to the DVR inside address TCP port 12088, then went to Access Rules and added, under outside incoming, a permit on the outside interface for TCP port 12088. It still does not work from outside when using http://{outside IP}:12088

What am I missing?
lkingpinl22 Asked:

kellemann Commented:
According to the packet-tracer the firewall isn't blocking the traffic, so I think you are looking in the wrong place. It might be something as simple as a missing default gateway. Please check the DVR's ip configuration and see if the ASA (or whatever your default gateway is) is correctly entered as a gateway.

John Meggers (Network Architect) Commented:
Maybe the source port isn't really 12088, which would be typical. Source ports are usually ephemeral ports, aimed at a particular destination port, although that's not always true. Try allowing any source port to destination port 12088.

lkingpinl22 (Author) Commented:
Tried that, no luck. Below are snips of lines in NAT Rules and Access Rules.

I'm trying from outside using http://outsideip:12088/

But nothing....
Attachments: asa1.JPG, asa2.JPG

lruiz52 Commented:
Is it a RASPlus DVR? If so, try this:

Static (inside,outside)tcp "outside ip address" 12088 "dvr inside ip address" 12088 netmask 255.255.255.255

lkingpinl22 (Author) Commented:
It is a Matrix and uses RASplus for administration.  I input from CLI what you wrote and got this:

Result of the command: "Static (inside,outside)tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.255.255.255"

Static (inside,outside)tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.25                       ^5.255.255

ERROR: % Invalid input detected at '^' marker.

lruiz52 Commented:
What ASA version are you running?
Did you enter it all on one line?

Static (inside,outside)tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.255.255.255

lkingpinl22 (Author) Commented:
I entered it all on one line. This time I noticed there wasn't a space between the ) and tcp, so I added the space, tried again and got this:

Result of the command: "Static (inside,outside) tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.255.255.255"

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address



lkingpinl22 (Author) Commented:
I'm on ASA Version 8.2

lkingpinl22 (Author) Commented:
OK, I modified it and got a successful message this time, but there is still no access from outside using http://outsideip:12088

Static (inside,outside) tcp interface 12088 192.168.15.27 12088 netmask 255.255.255.255


lruiz52 Commented:
The below should work. Also, if you post a sanitized version of your config I can better assist.

Static (inside,outside) tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.255.255.255
access-list ouside_access_in extended permit tcp any host 70.88.121.21 eq 12088

You may also need to allow ports 8015, 8016, 8115, and 8116 to forward to the static IP address of the DVR for Remote View, Watch, Search, and Audio.


lkingpinl22 (Author) Commented:
Result of the command: "Static (inside,outside) tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.255.255.255 access-list ouside_access_in extended permit tcp any host 70.88.121.21 eq 12088"

Static (inside,outside) tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.2
55.255.255 access-list ouside_access_in extended permit tcp any host 70.88.121.2           ^1 eq 12088

ERROR: % Invalid Hostname

lruiz52 Commented:
Enter them one line at a time.

static (inside,outside) tcp 70.88.121.21 12088 192.168.15.27 12088 netmask 255.255.255.255

access-list ouside_access_in extended permit tcp any host 70.88.121.21 eq 12088

lkingpinl22 (Author) Commented:
Config attached.
Result of the command: "show run"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
name 192.168.15.2 Termsvr description Terminal Server
name 192.168.15.3 FTPSvr description FTP Server
name 192.168.15.27 DVR
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.200 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.121.21 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service Passive-FTP tcp
 port-object range 15000 15025
 port-object eq ftp
 port-object eq ftp-data
object-group service Spark tcp
 port-object range 5222 5222
object-group service FTP-Svr tcp
 group-object Passive-FTP
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DVR tcp
 port-object eq 12088
 port-object eq 8016
access-list inside_nat0_outbound extended permit ip any 192.168.16.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.192 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any any object-group Passive-FTP 
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any xx.xx.121.20 255.255.255.252 eq 3389 
access-list outside_access_in remark FTP Server
access-list outside_access_in extended permit tcp any xx.xx.121.20 255.255.255.252 object-group Passive-FTP 
access-list outside_access_in extended permit tcp any xx.xx.121.20 255.255.255.252 object-group Spark 
access-list outside_access_in extended permit tcp any host DVR eq 12088 
access-list SPLIT_LIST extended permit ip 192.168.16.0 255.255.255.0 any 
access-list Maps_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemotePool 192.168.16.10-192.168.16.50 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 Termsvr 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp FTPSvr ftp netmask 255.255.255.255 
static (inside,outside) tcp interface 5222 FTPSvr 5222 netmask 255.255.255.255 
static (inside,outside) tcp interface 12088 DVR 12088 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.121.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value SPLIT_LIST
group-policy PixGroup internal
group-policy PixGroup attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
group-policy Maps internal
group-policy Maps attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Maps_splitTunnelAcl
username xxxxxxxx password xxxxxxxxxx encrypted privilege 0
username xxxxxxxx attributes
 vpn-group-policy PixGroup
username xxxxxxx password xxxxxxxxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy PixGroup
username xxxxxxx password xxxxxxxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy PixGroup
username xxxxxxx password xxxxxxxxxxxxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy PixGroup
username xxxxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy PixGroup
username xxxxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy PixGroup
username xxxxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxxxx attributes
 address-pool RemotePool
 default-group-policy PixGroup
tunnel-group PixGroup ipsec-attributes
 pre-shared-key *****
tunnel-group Maps type remote-access
tunnel-group Maps general-attributes
 address-pool RemotePool
 default-group-policy Maps
tunnel-group Maps ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

: end


lruiz52 Commented:
Your NAT looks OK; just change

access-list outside_access_in extended permit tcp any host DVR eq 12088

to
access-list outside_access_in extended permit tcp any host 70.88.121.21 eq 12088


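The point lruiz52 makes above, that on ASA 8.2 (pre-8.3) an ACL applied inbound on the outside interface is evaluated against the mapped public address rather than the real inside host, is easy to check mechanically. The script below is an added example, not part of this thread and not Cisco tooling. It parses a constructed config fragment reduced from the show run posted earlier (the sanitized xx.xx.121.21 is written as 70.88.121.21, the address used elsewhere in the thread) and, for every static TCP PAT from inside to outside, reports whether the inbound ACL permits the mapped address and port, whether it does so only through a blanket `permit ip any any`, and which entries are written against the real inside address and so never match a translated flow on this release. Assumptions: only the `any`, `host`, `interface` and network/mask destination forms and `eq` ports are modelled; object-group and range entries are marked unsupported and ignored, and only the `(inside,outside)` direction is considered.

```python
"""Check ASA 8.2-style static PAT against the ACL applied inbound on 'outside'.
Added example, not part of the thread or of Cisco's tooling.  On ASA 8.2 (pre-8.3)
the inbound ACL sees the mapped (public) address, so an entry written against the
real inside host never matches a translated flow.
"""
import ipaddress
from collections import namedtuple

# Constructed config fragment, reduced from the 'show run' posted in the thread.
SAMPLE_CONFIG = """\
name 192.168.15.2 Termsvr description Terminal Server
name 192.168.15.27 DVR
interface Vlan1
 nameif inside
 ip address 192.168.15.200 255.255.255.0
interface Vlan2
 nameif outside
 ip address 70.88.121.21 255.255.255.252
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any 70.88.121.20 255.255.255.252 eq 3389
access-list outside_access_in extended permit tcp any host DVR eq 12088
static (inside,outside) tcp interface 3389 Termsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 12088 DVR 12088 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"ftp": 21, "www": 80, "https": 443}   # small subset of ASA port keywords
# dst: None = any, ("iface", nameif), or IPv4Network.  port: None = any, int, or "unsupported".
Ace = namedtuple("Ace", "proto dst port raw")
StaticPat = namedtuple("StaticPat", "proto mapped mapped_port real real_port raw")

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _take_addr(t, i, names):
    """Consume one ASA address spec at t[i]; return (dst, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1])), i + 2
    if t[i] == "interface":
        return ("iface", t[i + 1]), i + 2
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2

def parse_ace(t, names, raw):
    # t = access-list NAME extended permit PROTO SRC DST [eq PORT | object-group ...]
    _, i = _take_addr(t, 5, names)          # source address is not needed for this check
    dst, i = _take_addr(t, i, names)
    port = None
    if i < len(t):
        port = port_num(t[i + 1]) if t[i] == "eq" else "unsupported"
    return Ace(t[4], dst, port, raw)

def parse_config(text):
    cfg = {"names": {}, "iface_ip": {}, "acls": {}, "statics": [], "inbound_acl": {}}
    nameif = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                                   # name <ip> <alias> ...
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["iface_ip"][nameif] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t, cfg["names"], raw.strip()))
        elif t[0] == "static" and t[1] == "(inside,outside)" and t[2] in ("tcp", "udp"):
            cfg["statics"].append(StaticPat(t[2], t[3], port_num(t[4]), t[5], port_num(t[6]), raw.strip()))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            cfg["inbound_acl"][t[4]] = t[1]
    return cfg

def _covers(ace, ip, cfg):
    if ace.dst is None:
        return True
    if isinstance(ace.dst, tuple):
        return cfg["iface_ip"].get(ace.dst[1]) == ip
    return ipaddress.ip_address(ip) in ace.dst

def blanket_permits(cfg, outside="outside"):
    """Inbound entries on `outside` that permit any protocol to any host and any port."""
    aces = cfg["acls"].get(cfg["inbound_acl"].get(outside), [])
    return [a.raw for a in aces if a.proto == "ip" and a.dst is None and a.port is None]

def check_static_pats(cfg, outside="outside"):
    """For each static PAT, report how the inbound ACL on `outside` treats its mapped socket."""
    aces = cfg["acls"].get(cfg["inbound_acl"].get(outside), [])
    names, report = cfg["names"], []
    for st in cfg["statics"]:
        mapped_ip = cfg["iface_ip"][outside] if st.mapped == "interface" else names.get(st.mapped, st.mapped)
        real_ip = names.get(st.real, st.real)
        def matches(a, ip, port):
            return a.proto in ("ip", st.proto) and _covers(a, ip, cfg) and a.port in (None, port)
        hits = [a for a in aces if matches(a, mapped_ip, st.mapped_port)]
        # Entries that match only the real inside address: never hit on 8.2 for this flow.
        real_only = [a for a in aces if matches(a, real_ip, st.real_port) and a not in hits]
        specific = [a for a in hits if not (a.dst is None and a.port is None)]
        report.append({"mapped": f"{mapped_ip}:{st.mapped_port}", "permitted": bool(hits),
                       "only_by_blanket_rule": bool(hits) and not specific,
                       "real_address_entries": [a.raw for a in real_only]})
    return report
```

Run on the sample, `check_static_pats` reports the DVR mapping as permitted only by the blanket `permit ip any any` and lists the `host DVR` line as a real-address entry, which is exactly what the packet-tracer later in the thread shows (phase 3 matches `permit ip any any`, not the DVR-specific line). `blanket_permits` flags that any/any rule on its own: with it in place every static on the outside interface is reachable from any source, so it is worth replacing with per-service entries once the DVR itself answers.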

lkingpinl22 (Author) Commented:
Made that change, still no luck....

lruiz52 Commented:
Try running a trace on the access list and see where it is hanging up.

#packet-tracer input outside tcp 8.8.8.8 4950 70.88.121.21 12088

lkingpinl22 (Author) Commented:
This is just weird. Here's the result:

Result of the command: "packet-tracer input outside tcp 8.8.8.8 4950 70.88.121.21 12088"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 12088 DVR 12088 netmask 255.255.255.255
  match tcp inside host DVR eq 12088 outside any
    static translation to 70.88.121.21/12088
    translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 70.88.121.21/12088 to DVR/12088 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 12088 DVR 12088 netmask 255.255.255.255
  match tcp inside host DVR eq 12088 outside any
    static translation to 70.88.121.21/12088
    translate_hits = 0, untranslate_hits = 7
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 12088 DVR 12088 netmask 255.255.255.255
  match tcp inside host DVR eq 12088 outside any
    static translation to 70.88.121.21/12088
    translate_hits = 0, untranslate_hits = 7
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11477, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Everything here seems like it should go through, but if you try http://70.88.121.21:12088, it just fails. Inside the network, it works perfectly on port 12088... I don't get it.
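Reading a packet-tracer run like the one above comes down to two questions: did any phase return something other than ALLOW, and which ACL entry did the ACCESS-LIST phase match. The script below is an added example, not from the thread, that answers both programmatically. Both traces it carries are constructed: the first is abridged from the output posted above (the flow is allowed, and the matching entry is the blanket `permit ip any any`), the second is a hypothetical trace in which the access-list phase denies the flow, included so the deny path is exercised. The `Drop-reason:` line in the second trace follows the format the ASA uses for that verdict, but its content here is made up.

```python
"""Summarise Cisco ASA packet-tracer output.
Added example, not from the thread.  Splits the trace into its 'Phase: N' blocks,
records each phase's Type/Subtype/Result and matched config lines, and reports the
first phase that did not ALLOW together with the final Action.
"""
import re

# Constructed: abridged from the trace posted in the thread (the flow is allowed).
TRACE_ALLOW = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 12088 DVR 12088 netmask 255.255.255.255
  match tcp inside host DVR eq 12088 outside any
Additional Information:
Untranslate 70.88.121.21/12088 to DVR/12088 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed, hypothetical: the same lookup denied at the access-list phase.
TRACE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return {'phases': [...], 'action': str|None, 'drop_reason': str|None}."""
    phases, current, section = [], None, None
    verdict = {"action": None, "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":                  # bare 'Result:' opens the final verdict block
            current = None
        elif current is None:
            m = re.match(r"(Action|Drop-reason):\s*(.+)", line)
            if m:
                verdict[m.group(1).lower().replace("-", "_")] = m.group(2)
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif line.split(":")[0] in ("Type", "Subtype", "Result"):
            current[line.split(":")[0].lower()] = line.split(":", 1)[1].strip()
            section = None
        elif section and line:
            current[section].append(line)
    return {"phases": phases, **verdict}

def summarize(trace):
    """Verdict, first non-ALLOW phase (number, type) and the ACL entry that matched."""
    denied = [p for p in trace["phases"] if p["result"] != "ALLOW"]
    aces = [c for p in trace["phases"] if p["type"] == "ACCESS-LIST"
            for c in p["config"] if c.startswith("access-list ")]
    return {"action": trace["action"], "phases": len(trace["phases"]),
            "first_deny": (denied[0]["phase"], denied[0]["type"]) if denied else None,
            "acl_entry": aces[0] if aces else None, "drop_reason": trace["drop_reason"]}
```

For the thread's trace `summarize` returns action `allow`, no denying phase and `permit ip any any` as the matched entry, which is the basis for kellemann's conclusion: once the firewall reports allow on every phase, the next thing to check is the host itself (its default gateway and any local firewall), not the ASA rules.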

lruiz52 Commented:
How are you testing access in? You have to test with a PC outside your firewall, like your PC at home.

lkingpinl22 (Author) Commented:
I am. I'm using LogMeIn to my home PC and it doesn't work. Feel free to try the link yourself. If it works you should see a webguard login page.

lruiz52 Commented:
Try adding this one:

access-list outside_access_in extended permit tcp any host 70.88.121.21 255.255.255.255 object-group dvr

lkingpinl22 (Author) Commented:
Result of the command: "access-list outside_access_in extended permit tcp any host 70.88.121.21 255.255.255.255 object-group dvr"

access-list outside_access_in extended permit tcp any host 70.88.121.21 255.255.                                                                        ^255.255 object-group dvr

ERROR: % Invalid Hostname

lruiz52 Commented:
It should all be one line.

access-list outside_access_in extended permit tcp any host 70.88.121.21 255.255.255.255 object-group dvr

lkingpinl22 (Author) Commented:
I swear I've done everything... I have no clue... see attached. I opened
Attachments: asa3.JPG, asa4.JPG

lruiz52 Commented:
Save your config and try reloading.

lruiz52 Commented:
What OS is the DVR server running? If its firewall is on, try disabling it completely while you test outside access.

lkingpinl22 (Author) Commented:
Nothing works... I'm at a loss.

lruiz52 Commented:
Can you post your current config again? Something is amiss.

lruiz52 Commented:
Telnet or SSH to the ASA, type the commands out, and try to access.

access-list outside_access_in extended permit tcp any interface outside eq 12088

static (inside,outside) tcp interface 12088 192.168.15.27 12088 netmask 255.255.255.255

access-group outside_access_in in interface outside