Please help me get safely through my 501 from the outside

Answered Question
Nov 21st, 2007
User Badges:

Four years ago I purchased a 501 to protect my home network. I bought the Cisco because of their reputation and that's what my employer uses - not because I knew how to program them or how to really use them. It's been silently working fine since then but now I need to change the configuration and I would really appreciate some help. Please keep in mind I know nothing about this stuff so don't assume I will be able to read between the lines to understand what you are really saying. If I was a *lot* younger I might have tried to take the time to learn PIX but it is just so obscure and convoluted to my non-networking-things mind.


Anyhow, here is what I need to do. Up till now I have just been keeping the bad guys out with the 501. Now I need to let myself in from the outside. I have an AXIS IP camera on my network that I want to access from the internet so I need to change the 501's configuration to allow access to it in as narrow a way as possible so as not to make me more vulnerable to the bad guys. I should preface this by mentioning that this is the second time I have asked for help here. The first help I received seemed promising but I couldn't get things to work and the person who was helping appears to have moved on. I think I understood what he directed me to try but as I mentioned earlier I probably didn't understand some basic thing that I should have.


I have included the PIX configuration I am currently running at the end of my explanation of what I need to do. The camera has an IP address of 192.168.1.11. It is connected by way of a wireless access point through an ethernet hub connected to the 501. I get to the camera by bringing up a browser window and typing in the camera's address and pressing enter. The camera then puts up an internally generated web page with a password request dialog box. After I enter my password the camera then displays a web page with a window containing a "streaming video" of what it sees in the form of repeating JPG images which for all practical purposes appear to be a normal video image.




The 501 is directly connected to a Motorola cable modem which pretty much keeps the same assigned public address - say for the sake of illustration it's 123.123.123.001. I need (presumably) to be able to type 123.123.123.001 into a browser from the internet and see what video the camera's internal web site is putting up.


I would greatly appreciate it if someone could tell me how to configure the 501 to make this happen.


CURRENT CONFIGURATION ATTACHED






JORGE RODRIGUEZ Wed, 11/21/2007 - 18:01
User Badges:
  • Green, 3000 points or more

Create a static NAT, then add the access-list statement below to your acl 100 and apply it to the outside interface; this will allow inbound access on port 80.



static (inside,outside) tcp 123.123.123.001 80 192.168.1.11 80 netmask 255.255.255.255


access-list 100 permit tcp any 123.123.123.001 eq 80

access-group 100 in interface outside



Rate any helpful post


HTH

Jorge

cisco501pix Thu, 11/22/2007 - 08:33
User Badges:

Well, this seems straightforward enough but for some reason I am getting the following error when trying to enter the access-list command (x's used instead of the actual address):



Result of firewall command: "access-list 100 permit tcp any xxx.xxx.xxx.xxx eq 80"

ERROR: invalid IP address eq


It took the ACCESS-GROUP and STATIC commands OK... any idea what's wrong? I've attached the running config as it stands now.


many thanks for the help




Correct Answer
JORGE RODRIGUEZ Thu, 11/22/2007 - 08:56
User Badges:
  • Green, 3000 points or more

Jim, my apologies, missed keyword "host"



access-list 100 permit tcp any host 123.123.123.001 eq 80


let me know how it works out.


Rgds

Jorge


JORGE RODRIGUEZ Fri, 11/23/2007 - 07:10
User Badges:
  • Green, 3000 points or more

Jim, glad it's working and thank you for using the rating system.


Rgds

Jorge

davidbornack Fri, 11/23/2007 - 09:49
User Badges:

Just one more thing to add.. if you're coming into your network from the same IP every time, then you might change the access-list to specify the IP you're coming from. But of course, if you want to access the camera from anywhere, the above configuration should work great..

cisco501pix Fri, 11/23/2007 - 10:01
User Badges:

I will be coming in from different IPs at different times but I would appreciate it if you could show me how to do that for a learning exercise. About the only way I can learn anything is to do it and since I had to make this change I've learned a bit more... the problem with this stuff is you don't want to be dinking around with your firewall just to learn something - might mess something up.


thanks

JORGE RODRIGUEZ Fri, 11/23/2007 - 11:26
User Badges:
  • Green, 3000 points or more

Hi Jim, if you want to be more granular on the acl as David indicated you can do the statement below for future reference or keep it in your notes.. the problem is you may never know where you will be coming from, as ISPs like internet cafes, friends' houses, or even airport internet access etc.. I would suggest though to look into your camera software to find out if it can do SSL or https port 443 for encrypted username/password when logging in.


Say you are coming from outside internet ip as 10.10.10.2.


access-list 100 permit tcp host 10.10.10.2 host 123.123.123.001 eq 80 log


access-group 100 in interface outside


HTH

Jorge


Pls rate any helpful posts !
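As an added worked example (not from the thread, and not Cisco's or the PIX's own code): a small Python checker that parses the static NAT and access-list lines in the PIX 6.x syntax used above, reproduces the "invalid IP address eq" error Jim hit when the host keyword is missing, reports what each permit line exposes on the inside network and to which sources, and rewrites an any-source rule into the single-client, logged form Jorge shows in his last post. The sample lines are constructed from the thread; 123.123.123.001, 192.168.1.11 and 10.10.10.2 are the thread's own illustrative addresses. The parser is a simplified model of the PIX grammar (it only understands the forms that appear in this thread), not the real command parser.

```python
import re

# Constructed sample lines modelled on the thread (not a real running config).
SAMPLE_CONFIG = """\
static (inside,outside) tcp 123.123.123.001 80 192.168.1.11 80 netmask 255.255.255.255
access-list 100 permit tcp any 123.123.123.001 eq 80
access-list 100 permit tcp any host 123.123.123.001 eq 80
access-list 100 permit tcp host 10.10.10.2 host 123.123.123.001 eq 80 log
access-group 100 in interface outside
"""


def normalize_ip(text):
    """Return a canonical dotted quad or raise ValueError. The PIX accepts
    leading zeros such as .001, so they are stripped rather than rejected."""
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("invalid IP address %s" % text)
    return ".".join(str(int(o)) for o in octets)


def parse_address(tokens, i):
    """Parse one address spec at tokens[i] in PIX 6.x ACL syntax:
    'any', 'host A.B.C.D', or 'A.B.C.D MASK'. Returns (spec, next_index)."""
    if tokens[i] == "any":
        return ("any", "0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ("host", normalize_ip(tokens[i + 1])), i + 2
    # A bare address must be followed by a netmask. That is why
    # 'any 123.123.123.001 eq 80' fails with 'invalid IP address eq':
    # the parser tries to read 'eq' as the mask.
    addr = normalize_ip(tokens[i])
    mask = normalize_ip(tokens[i + 1])
    return ("net", addr + " " + mask), i + 2


def parse_acl(line):
    """Parse 'access-list ID permit|deny PROTO SRC DST [eq PORT] [log]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an access-list line")
    acl = {"id": t[1], "action": t[2], "proto": t[3], "port": None}
    acl["src"], i = parse_address(t, 4)
    acl["dst"], i = parse_address(t, i)
    if i < len(t) and t[i] == "eq":
        acl["port"] = int(t[i + 1]) if t[i + 1].isdigit() else t[i + 1]
        i += 2
    acl["log"] = "log" in t[i:]
    return acl


def parse_static(line):
    """Parse 'static (inside,outside) tcp MAPPED MPORT REAL RPORT netmask M'."""
    m = re.match(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)", line)
    if not m:
        raise ValueError("unsupported static syntax: " + line)
    return {"proto": m.group(3), "mapped_ip": normalize_ip(m.group(4)),
            "mapped_port": int(m.group(5)), "real_ip": normalize_ip(m.group(6)),
            "real_port": int(m.group(7))}


def render_acl(acl):
    """Re-emit a parsed ACL entry in PIX syntax."""
    def addr(spec):
        kind, val = spec
        return "any" if kind == "any" else ("host " + val if kind == "host" else val)
    out = "access-list %s %s %s %s %s" % (acl["id"], acl["action"], acl["proto"],
                                          addr(acl["src"]), addr(acl["dst"]))
    if acl["port"] is not None:
        out += " eq %s" % acl["port"]
    return out + (" log" if acl["log"] else "")


def narrow_source(acl_line, client_ip):
    """Rewrite an any-source rule to a single client and turn on logging,
    the tighter variant suggested in the thread. Address is canonicalised."""
    acl = parse_acl(acl_line)
    acl["src"] = ("host", normalize_ip(client_ip))
    acl["log"] = True
    return render_acl(acl)


def audit(config_text):
    """Report, per permit line, which inside host:port the static exposes and
    to whom; syntax errors are reported the way the PIX reports them."""
    statics, acls, groups, findings = [], [], {}, []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-list "):
            try:
                acls.append(parse_acl(line))
            except (ValueError, IndexError) as err:
                findings.append("ERROR: %s  <- %s" % (err, line))
        elif line.startswith("access-group "):
            t = line.split()  # access-group ID in interface NAME
            groups[t[1]] = t[4]
    for acl in acls:
        if acl["action"] != "permit":
            continue
        if acl["id"] not in groups:
            findings.append("ACL %s is never applied to an interface" % acl["id"])
        kind, dst = acl["dst"]
        hit = [s for s in statics if kind == "host" and s["mapped_ip"] == dst
               and s["proto"] == acl["proto"] and s["mapped_port"] == acl["port"]]
        if not hit:
            findings.append("ACL %s permits %s port %s to %s but no static maps it"
                            % (acl["id"], acl["proto"], acl["port"], dst))
            continue
        src_kind, src = acl["src"]
        who = "ANY source" if src_kind == "any" else src
        findings.append("%s:%d reachable from %s%s" % (hit[0]["real_ip"], hit[0]["real_port"],
                                                       who, " (logged)" if acl["log"] else ""))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
    print(narrow_source("access-list 100 permit tcp any host 123.123.123.001 eq 80", "10.10.10.2"))
```

Run as-is it prints the PIX-style error for the line without host, then one exposure line per working rule, which makes the difference between Jorge's two versions visible at a glance: the any-source rule opens the camera's port 80 to the whole internet, the host-source rule with log opens it to one address and records each hit. Pasting a full running config through audit() is a quick way to confirm that nothing else is exposed after a change.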
