Access list DVR System

Unanswered Question
Apr 7th, 2009

Cisco PIX 515e 7.22, transparent mode. When trying to connect to view an offsite surveillance camera server, I am able to get a login prompt but a "connection failed" when trying to connect. I have bypassed the PIX and it works fine, so I have confirmed it's the PIX. To my understanding, this kind of traffic should not be blocked by default. Connecting to the surveillance system works fine from outside this network. Any ideas??

clausonna Tue, 04/07/2009 - 10:56

Sounds like it's an inspection (or in your case a FIXUP) problem. The PIX needs to inspect the outgoing traffic in order to permit the return traffic, but you haven't explicitly told the PIX to watch for that kind of traffic.

Sorry, off the top of my head I'm not sure which one, but hopefully this points you in the right direction. Find out what codec the video system is using; maybe it's H.323 or H.239 (?)

jimbasile Wed, 04/08/2009 - 07:31

Thanks for the reply. Would FIXUP apply even though the device is in transparent mode, where an upstream router is taking care of the NATing? The DVR claims to be using H.264, and they require ports 80 and 2000 for access to the web interface. I didn't think I needed to allow the codec since it is just a web page with the camera display I am trying to view.

Thanks in advance for your input.

clausonna Wed, 04/08/2009 - 09:14

Ok so with those details I (and another engineer here that I showed your post to) don't think that FIXUP is your issue anymore. Unfortunately we're not sure what it is :-(

If the upstream router is NAT'ing properly, and it works without the L2 PIX, then it sounds like something else is going on. I'd suggest doing a Wireshark packet capture on your test machine while also doing a packet capture on the PIX. Also take a close look at the logs on the PIX; my guess is some part of the return traffic is getting denied. How about doing a "permit ip any any" on the PIX out to the remote camera web page? E.g. take ACLs out of the picture. That way you can be sure it really isn't a FIXUP issue and see where the problem lies.

Sorry for not being more helpful. This might be an issue for TAC.
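As an added example (not part of the thread, and not Cisco's code), here is a small Python script that does the log filtering suggested above: it pulls the PIX/ASA denial messages out of a syslog capture and keeps only the ones where the DVR, on port 80 or 2000, is an endpoint. The sample log is constructed to match the formats of syslog IDs 106023 (dropped by an interface access list) and 106015 (TCP packet with no matching connection in the state table); the DVR address 198.51.100.20, the inside host 192.0.2.10 and the ACL name "outside_in" are assumptions. Telling those two message IDs apart is the point: a "permit ip any any" only ever silences 106023, so a result that is all 106015 means the PIX is dropping return packets because it never saw (or has already torn down) the matching outbound connection, not because of an ACL.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample log (assumption: not taken from the poster's PIX), in the
# message formats PIX/ASA 7.x use for built connections (302013), teardowns
# (302014), ACL denials (106023) and no-connection denials (106015).
# Addresses are documentation ranges: the DVR is assumed to be 198.51.100.20,
# the test machine behind the PIX 192.0.2.10, the ACL name "outside_in".
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.0.2.10/50010 (192.0.2.10/50010)
%PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.20/80 to inside:192.0.2.10/50010 duration 0:00:02 bytes 18342 TCP FINs
%PIX-6-106015: Deny TCP (no connection) from 198.51.100.20/2000 to 192.0.2.10/50011 flags SYN ACK  on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.7/443 to 192.0.2.33/51200 flags ACK  on interface outside
%PIX-4-106023: Deny tcp src outside:198.51.100.20/2000 dst inside:192.0.2.10/50012 by access-group "outside_in" [0x0, 0x0]
"""


@dataclass
class Denial:
    msg_id: str   # PIX/ASA syslog message number, e.g. "106015"
    reason: str   # why the PIX dropped the packet, in words
    src: str
    sport: int
    dst: str
    dport: int
    detail: str   # ACL name (106023) or TCP flags (106015)


# 106023: the packet hit an interface access list and was denied.
_ACL_DENY = re.compile(
    r'%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# 106015: a TCP packet that matched no entry in the connection table. A SYN/ACK
# from the DVR here means the PIX never saw the outbound SYN it answers.
_NO_CONN = re.compile(
    r'%(?:PIX|ASA)-\d-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.*?)\s+on interface (?P<iface>\w+)')


def parse_denials(lines: Iterable[str]) -> List[Denial]:
    """Extract every denial message; built/teardown and other lines are ignored."""
    out: List[Denial] = []
    for line in lines:
        m = _ACL_DENY.search(line)
        if m:
            out.append(Denial("106023",
                              f'denied by access-group {m["acl"]} on {m["sif"]}',
                              m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              m["acl"]))
            continue
        m = _NO_CONN.search(line)
        if m:
            out.append(Denial("106015",
                              f'no matching connection for flags {m["flags"]} on {m["iface"]}',
                              m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              m["flags"]))
    return out


def dvr_denials(log_text: str, dvr_ip: str, dvr_ports=(80, 2000)) -> List[Denial]:
    """Keep only denials where the DVR, on one of its service ports, is an endpoint."""
    ports = set(dvr_ports)
    return [d for d in parse_denials(log_text.splitlines())
            if (d.src == dvr_ip and d.sport in ports)
            or (d.dst == dvr_ip and d.dport in ports)]


def summarize(denials: List[Denial]) -> dict:
    """Count denials per message ID: all-106015 points at state, not at ACLs."""
    counts: dict = {}
    for d in denials:
        counts[d.msg_id] = counts.get(d.msg_id, 0) + 1
    return counts


if __name__ == "__main__":
    hits = dvr_denials(SAMPLE_LOG, "198.51.100.20")
    for d in hits:
        print(f"{d.msg_id}: {d.src}/{d.sport} -> {d.dst}/{d.dport}: {d.reason}")
    print(summarize(hits))
```

Feed it the output of `show logging` (or the syslog server's file) with the real DVR address in place of the assumed one. Note that 106015 is logged at severity 6, so the buffer or trap logging level has to be at least informational for those lines to exist at all; at the default warnings level only the 106023 ACL denials would show up, which would wrongly suggest the ACLs are the whole story.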

jimbasile Wed, 04/08/2009 - 09:34

Again, I appreciate your help. The NAT'ing is working correctly because I can bypass the PIX and it works fine. I have already tried "permit ip any any" on the outside interface incoming with the same results. I will take your good advice and Wireshark it and try to filter the logs to catch the problem.

Thanks for the help!


cwiuser01 Tue, 12/08/2009 - 19:42

Were you ever able to figure out the issue with this problem? I have a similar issue with an ASA and not a PIX. I have tried the "permit ip any any" with no luck.


