ASA 5510 and web camera access

Unanswered Question
Dec 8th, 2009

I have an ASA 5510 firewall on the outside of my network.  I can view a web camera internally after logging into the camera with no problems.  On the firewall I created a NAT entry to connect an external IP to view the web camera from a public IP.  For testing purposes I allowed all IPs to connect to the internal address.  I can get to the login screen of the web camera, but it does not log in.  Instead I get a DVROCXex error.  I do not get this same error when accessing from the internal network.


Wireshark shows TCP ports in the 2000 to 3000 range in addition to port 80 for HTTP.


Any thoughts as to what is stopping the connection to the web camera?

krishnadas.R_2 Mon, 12/14/2009 - 03:40

Hi,

We can assume that since you are getting the login prompt, connectivity and NAT are working.

Check if the connection is getting redirected to a different port after you enter the login credentials.

cwiuser01 Mon, 12/14/2009 - 12:41

Thanks for the response.


It was not so much that ports were being redirected but rather the Q-See DVR uses port 2000 as the default for the video.  Since this is the port that phone traffic uses, then the firewall was doing something to the packets when they were translated, thus not allowing viewing of the video.


I believe that port 2000 is Cisco-sccp.



Solution is to change the DVR port to something else. All that is then needed to pass thru the firewall is port 80 and port 2001 (which is what I changed the port to).

Kureli Sankar Mon, 12/14/2009 - 15:33
User Badges:
  • Cisco Employee,

You can still keep it at tcp 2000, but make sure not to inspect skinny for this flow.  If you change it to 2001 then you just need to allow this in the ACL (if you have one on the higher security interface).


Is it working or not?


-KS

cwiuser01 Mon, 12/14/2009 - 20:20

We tried it with the skinny inspect off, but that still did not allow the video to come thru.  The only thing that worked was changing the port of the DVR, which is pretty simple to do.  So we just changed the port to 2001 and then opened it up in the firewall and closed 2000.



It works just fine after that.  Case closed.


Thanks again.
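
An added example (not from the thread or from Cisco): a small Python check for the collision described above, where a service published through the ASA listens on a TCP port that an enabled default inspection engine also claims, as the DVR did on 2000 with skinny inspection. The config excerpt, the ACL name and the 192.0.2.10 address are constructed, and only `eq` port matches in extended ACLs are parsed.

```python
import re

# Default TCP ports claimed by ASA inspection engines under inspection_default
# (subset; skinny on 2000 is the case from this thread).
INSPECT_DEFAULT_TCP = {"ftp": 21, "esmtp": 25, "rtsp": 554,
                       "sqlnet": 1521, "skinny": 2000, "sip": 5060}
# The ASA prints some ports by name in ACLs; only these names are resolved here.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "https": 443,
              "rtsp": 554, "sqlnet": 1521, "sip": 5060}

# Greedy ".*" makes the capture land on the last "eq", i.e. the destination port.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+tcp\s+.*\beq\s+(\S+)")
# "no inspect ..." lines do not match because the line must start with "inspect".
INSPECT_RE = re.compile(r"^\s+inspect\s+(\S+)")

def find_inspection_collisions(config_text):
    """Return (acl_name, port, engine) for every permitted TCP port that an
    enabled inspection engine will also try to parse as its own protocol."""
    enabled, permits = set(), []
    for line in config_text.splitlines():
        m = INSPECT_RE.match(line)
        if m:
            enabled.add(m.group(1))
            continue
        m = ACL_RE.match(line)
        if m:
            token = m.group(2)
            port = int(token) if token.isdigit() else PORT_NAMES.get(token)
            if port is not None:          # unknown port names are skipped
                permits.append((m.group(1), port))
    by_port = {p: e for e, p in INSPECT_DEFAULT_TCP.items() if e in enabled}
    return [(acl, port, by_port[port]) for acl, port in permits if port in by_port]

# Constructed sample: a DVR published on 80, 2000 and 2001 behind the firewall.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.10 eq 2000
access-list outside_in extended permit tcp any host 192.0.2.10 eq 2001
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect skinny
  inspect sip
"""

if __name__ == "__main__":
    for acl, port, engine in find_inspection_collisions(SAMPLE_CONFIG):
        print(f"{acl}: tcp/{port} is also handled by 'inspect {engine}'")
```

A hit is a prompt for review, not an error: a real FTP server on port 21 is meant to be inspected, while a DVR video stream on 2000 is not.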
