• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 890

Unable to access an internal IP address (DVR) from the outside (web)

I have just installed a new Video Digital Recorder (DVR) for my client, connecting to 8 internal cameras. This new DVR supports access via an iPhone app, CCTVSP - Lite, from outside the internal network.

I have an ASA 5505 Cisco firewall.

I added the following CLI configuration:

access-list DVR extended permit tcp any host 192.100.100.225 eq www
access-list DVR extended permit tcp any host 192.100.100.225 eq 37777
access-group DVR in interface outside

I attempt to see if the port is accessible via www.canyouseeme.org and receive the following error message:

Error: I could not see your service on port (37777)

I performed a 'logging monitor 7' to debug and discovered that the TCP request for 37777 was discarded.

I also attempted to access the ASA 5505 via the IE/Chrome web browser. The application just hangs after I input login info. I tried it on an XP/Win 7 pro PC.

What am I doing wrong?

How can I best troubleshoot this situation?
Asked by: GeeMoon
nickoarg commented:
is 192.100.100.225 your internal or external address?
Also, did you set up the NAT to the internal address?
GeeMoon (Author) commented:
192.100.100.225 is an internal address: it is my DVR.

I have the following NAT statements:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

I have VPN access set up using the 'inside_nat0_outbound'.

I haven't done this in a while. Do I need to set up another NAT statement?
Jan Springer commented:
You need to do port forwarding for those two ports via a [static] nat statement.
Pete Long (Consultant) commented:
Yep, add the following

static (inside,outside) tcp interface 37777 192.100.100.225 37777 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.100.100.225 www netmask 255.255.255.255


Pete
GeeMoon (Author) commented:
Thank you Pete for the helping hand, unfortunately it did not work.

www.canyouseeme.org still reports the same error:

Error: I could not see your service on port (37777)

Is there something else I can try? Again, I am using version 8.2(5).
Pete Long (Consultant) commented:
Just a static and an ACL, that's all you should need?

See my comments here (option 2):

Cisco PIX / ASA Port Forwarding


Pete
GeeMoon (Author) commented:
I thank you for your speedy response.

I apologize for my lengthy delay. As a computer/network consultant, I am being pulled in a multitude of directions, from different clients. I will review the recent info, and apply it to my ASA 5505 configuration ASAP.

Thank you
GeeMoon (Author) commented:
I followed your suggestions. I still have no access.

I extracted some of the config that I believe is applicable to our discussion, for your review. Perhaps I have some type of conflict I am not seeing.

access-list inside_nat0_outbound extended permit ip any 192.100.100.176 255.255.255.240
access-list DVR extended permit tcp any host 192.100.100.225 eq www
access-list DVR extended permit tcp any host 192.100.100.225 eq 37777

ip local pool VPNPool 192.100.100.180-192.100.100.185 mask 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www 192.100.100.225 www netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.100.100.225 37777 netmask 255.255.255.255
access-group DVR in interface outside

I did not write any of the recent config changes to memory. They just reside in running memory. I assume I don't have to save these changes in order to get them to actually work, correct?
GeeMoon (Author) commented:
The answer to the riddle was to change the destination host, within my access-list, to point to the outside of my router.

It turns out that the particular version, ASA 8.2(5), that I am currently using requires the outside static IP of the firewall, and not the actual internal host IP, to be listed as the destination host in the access-list.
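The version difference the author describes, as an added example that is not from this thread or from Cisco: a small Python audit that takes the 8.2(5) static and access-list lines posted above (embedded here as a constructed sample) and flags ACL entries bound inbound on the outside interface that name the real inside host where a pre-8.3 ASA expects the mapped address. On 8.2 the inbound ACL is evaluated before the static untranslates the packet, so for `static (inside,outside) tcp interface ...` the matching ACL line has to read `interface outside`, which is the change the author made; on 8.3 and later the ACL names the real host instead. The parser only understands the three command forms used in this thread; `FIXED_CONFIG` and `audit_pre83` are names chosen for this example.

```python
import re

# Pre-8.3 ASA rule: an ACL applied inbound on an interface is matched against the
# packet as it arrives, i.e. BEFORE the static untranslates it, so the ACL must name
# the mapped (outside) address of the static rather than the real inside host.
# With "static (inside,outside) tcp interface ..." the mapped address is the outside
# interface itself, which the ACL expresses as "interface outside".

# Constructed sample: the lines posted in the thread for ASA 8.2(5), trimmed.
POSTED_CONFIG = """\
access-list DVR extended permit tcp any host 192.100.100.225 eq www
access-list DVR extended permit tcp any host 192.100.100.225 eq 37777
static (inside,outside) tcp interface www 192.100.100.225 www netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.100.100.225 37777 netmask 255.255.255.255
access-group DVR in interface outside
"""

# Same config with the ACL destination changed to the mapped address, as the author
# ended up doing. (Name chosen for this example.)
FIXED_CONFIG = POSTED_CONFIG.replace("host 192.100.100.225", "interface outside")

# Only the three command forms used in the thread are parsed.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp \S+ "
    r"(?:host (?P<host>\S+)|interface (?P<iface>\w+)) eq (?P<port>\S+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")


def parse(config):
    """Split a config fragment into statics, ACL entries and ACL-to-interface bindings."""
    statics, acls, bindings = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bindings[m["name"]] = m["iface"]
    return statics, acls, bindings


def audit_pre83(config):
    """Return ACL entries that name the real host where a pre-8.3 ASA needs the mapped address.

    Each finding records the port, the destination the ACL should use and the one it uses.
    """
    statics, acls, bindings = parse(config)
    findings = []
    for acl in acls:
        iface = bindings.get(acl["name"])
        if iface is None:
            continue  # ACL is not applied to any interface, so nothing to check
        for st in statics:
            # Only statics whose mapped side is this interface and this port are relevant.
            if st["mapped_if"] != iface or st["mapped_port"] != acl["port"]:
                continue
            if st["mapped_ip"] == "interface":
                expected = f"interface {iface}"
                ok = acl["iface"] == iface
            else:
                expected = f"host {st['mapped_ip']}"
                ok = acl["host"] == st["mapped_ip"]
            if not ok:
                got = f"host {acl['host']}" if acl["host"] else f"interface {acl['iface']}"
                findings.append({"port": acl["port"], "expected": expected, "got": got})
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        problems = audit_pre83(cfg)
        print(f"{label}: {len(problems)} mismatch(es)")
        for p in problems:
            print(f"  port {p['port']}: ACL has '{p['got']}', pre-8.3 expects '{p['expected']}'")
```

Run as-is it reports two mismatches for the posted config (www and 37777, both expecting `interface outside`) and none for the corrected one. The check is deliberately narrow: it ignores `any`/network destinations and non-TCP statics, and it does not model 8.3+ object NAT, where the same ACL would correctly name `host 192.100.100.225`.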
GeeMoon (Author) commented:
Thank you for your assistance. It definitely helped me along. Unfortunately, I still was unable to connect into my internal network from the outside. Regardless of all my research, I ultimately had to purchase a support package from CISCO in order to receive full tech support on my forwarding issue. This is one of those times where the configuration was correct, just not for the particular version I was working with. It was like looking for a needle in a haystack.