ASA Bridge Group with simple NAT issue (v9.8)

I am not fully diverse in Cisco ver 9.8 using Nat with Bridge groups. I have 1 DVR on the inside. I want to NAT port 80 and 8000 from the outside to the DVR ( using an external ip, lets say I cannot even get port 80 to map to the inside DVR.
I added extra access-statements in my troubleshooting, unsure if it was inside ip or outside ip, so I have both for now.
What am I missing?

interface GigabitEthernet1/1
 description Comcast
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
interface Management1/1
 no nameif
 no security-level
 no ip address
interface BVI1
 nameif inside
 security-level 100
 ip address
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
object network obj_any2
object network obj_any3
object network obj_any4
object network obj_any5
object network obj_any6
object network obj_any7
object network DVR
access-list outside_access_in extended deny ip any any log
access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any host eq www
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any host
access-list outside_access_in extended permit icmp any host
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network DVR
 nat (inside_1,outside) static
access-group outside_access_in in interface outside
route outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http inside_2
http inside_3
http inside_4
http inside_5
http inside_6
http inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh outside
ssh inside_2
ssh inside_3
ssh inside_5
ssh inside_6
ssh inside_7
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gary PattersonVP Technology / Senior Consultant Commented:
I haven't ever configured this, but I'd think you'd nat BVI1, not the member interfaces.
Pete LongTechnical ConsultantCommented:
I really don't like bridge groups! See my comments below
Cisco ASA 5506-X: Bridged BVI Interface

Jesus! let's just get rid of this a second

no access-list outside_access_in extended deny ip any any log

And get rid of these, we are using modern NAT

no access-list outside_access_in extended permit tcp any host eq www
no access-list outside_access_in extended permit icmp any host

You look like you have forgotten this

access-list outside_access_in extended permit tcp any host eq 8000

THEN MAKE SURE your DVR is plugged into Ethernet 1/2 because of this.....

object network DVR
 nat (inside_1,outside) static

You should be good to go, or simply follow my fist link and set it up like a proper firewall!
If you want to put your global deny back in then please do so, but theres no need.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BKennedy2008Author Commented:
You are absolutely right on the money, I did leave the bridge group in and had it plugged into the inside_1 interface. However, I am not going to use bridge groups on my other offices, now that I know. Thanks!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.