Unable to access an internal IP address (DVR) from the outside (web)

I have just installed a new Video Digital Recorder (DVR), for my client, connecting to 8 internal cameras. This new DVR supports access via an iPhone app CCTVSP - Lite, outside the internal network.

I have an ASA 5505 Cisco firewall.

I added the following CLI configuration:

access-list DVR extended permit tcp any host 192.100.100.225 eq www
access-list DVR extended permit tcp any host 192.100.100.225 eq 37777
access-group DVR in interface outside

I attempt to see if the port is accessible via www.canyouseeme.org and receive the following error message:

Error: I could not see your service on port (37777)

I performed a 'logging Monitor 7' to debug and discovered that the TCP request for 37777 was discarded.

I also attempted to access the ASA 5505 via the IE/Chrome web browser. The application just hangs after I input login info. I tried it on an XP/Win 7 pro PC.

What am I doing wrong?

How can I best troubleshoot this situation?
GeeMoon (IT Consultant) asked:

nickoarg commented:
Is 192.100.100.225 your internal or external address?
Also, did you set up the NAT to the internal address?
GeeMoon (IT Consultant, Author) commented:
The 192.100.100.225 is an internal address to my DVR.

I have the following NAT statements:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

I have VPN access set up using the 'inside_nat0_outbound'

I haven't done this in a while. Do I need to set up another NAT statement?
Jan Springer commented:
You need to do port forwarding for those two ports via a [static] nat statement.
Pete Long (Technical Consultant) commented:
Yep, add the following

static (inside,outside) tcp interface 37777 192.100.100.225 37777 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.100.100.225 www netmask 255.255.255.255


Pete
GeeMoon (IT Consultant, Author) commented:
Thank you Pete for the helping hand, unfortunately it did not work.

www.canyouseeme.org still reports the same error:

Error: I could not see your service on port (37777)

Is there something else I can try? Again I am using version 8.2 (5)
Pete Long (Technical Consultant) commented:
Just static and an ACL, that's all you should need?

See my comments here (option 2)

Cisco PIX / ASA Port Forwarding


Pete
GeeMoon (IT Consultant, Author) commented:
I thank you for your speedy response.

I apologize for my lengthy delay. As a computer/network consultant, I am being pulled in a multitude of directions, from different clients. I will review the recent info, and apply it to my ASA 5505 configuration ASAP.

Thank you
GeeMoon (IT Consultant, Author) commented:
I followed your suggestions. I still have no access.

I extracted out some of the config that I believe is applicable to our discussion, for your review. Perhaps I have some type of conflict I am not seeing.

access-list inside_nat0_outbound extended permit ip any 192.100.100.176 255.255.255.240
access-list DVR extended permit tcp any host 192.100.100.225 eq www
access-list DVR extended permit tcp any host 192.100.100.225 eq 37777

ip local pool VPNPool 192.100.100.180-192.100.100.185 mask 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www 192.100.100.225 www netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.100.100.225 37777 netmask 255.255.255.255
access-group DVR in interface outside

I did not write to memory any of the recent config changes. It just resides in running memory. I assume I don't have to save these changes in order to get them to actually work - correct?
GeeMoon (IT Consultant, Author) commented:
The answer to the riddle was to change the destination host, within my access-list, to point to the outside of my router.

It turns out, the particular version ASA 8.2(5), that I am currently using, requires the outside static IP of the firewall and not the actual internal host IP, to be listed as a destination host in the access-list.
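The fix described in the comment above, written out as an added example (not configuration posted in the thread): on ASA 8.2 the outside ACL is checked before the static translation is undone, so its destination has to be the mapped (outside) address. The `interface outside` form, the 203.0.113.10 outside address and the 198.51.100.50 test client are assumptions and placeholders.

```cisco
! ASA 8.2(x). Static PAT entries from the thread, unchanged.
static (inside,outside) tcp interface www 192.100.100.225 www netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.100.100.225 37777 netmask 255.255.255.255
!
! Add the corrected entries first, so the ACL is never left empty.
! Destination is the mapped address, here the outside interface itself.
! "any" can be narrowed to known client networks where those are fixed.
access-list DVR extended permit tcp any interface outside eq www
access-list DVR extended permit tcp any interface outside eq 37777
! Same rule with a literal address (203.0.113.10 is a placeholder):
! access-list DVR extended permit tcp any host 203.0.113.10 eq 37777
!
! Then remove the entries that name the DVR's real (inside) address.
! On 8.2 the outside ACL sees the packet before un-NAT, so they never match.
no access-list DVR extended permit tcp any host 192.100.100.225 eq www
no access-list DVR extended permit tcp any host 192.100.100.225 eq 37777
!
access-group DVR in interface outside
!
! Verify on the ASA (198.51.100.50 is a constructed outside client).
packet-tracer input outside tcp 198.51.100.50 1025 203.0.113.10 37777
show access-list DVR
show xlate
```

The packet-tracer run should end with `Action: allow`, and the `hitcnt` values in `show access-list DVR` should increase when the port is tested from outside.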
GeeMoon (IT Consultant, Author) commented:
Thank you for your assistance. It definitely helped me along. Unfortunately, I still was unable to connect into my internal network from the outside. Regardless of all my research, I ultimately had to purchase a support package from Cisco in order to receive full tech support on my forwarding issue. This is one of those times where the configuration was correct, just not for the particular version I was working with. It was like looking for a needle in a haystack.