Am I doing static PAT correctly?

Answered Question
Jul 28th, 2010

I have a series of security cameras I have been asked to NAT, but with limited public IPs I am going to have to use NAT.

The requirements are: camera 1 uses TCP inbound port 1024, camera 2 uses port 1025, etc.

Do I just need these static commands to make this work:

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1025 netmask 255.255.255.255

etc

there are about 10 cameras total

FYI, I have NAT configured and working for other items such as web servers, etc.

thanks in advance

ropakalns Wed, 07/28/2010 - 05:28

Hi!

Seems to me that you need

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1024 netmask 255.255.255.255

But be sure that inside traffic goes out through the same outside interface IP

Roberts

gmtimmons Wed, 07/28/2010 - 05:33

sorry that was a typo, should have been

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1025 netmask 255.255.255.255

Correct Answer
ropakalns Wed, 07/28/2010 - 05:38

I have read that there is no difference between static (inside,outside) and static (outside,inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong in my understanding of this.

Anyway, it looks fine to me. What's the problem, does it not work for you? If so, do you have the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside

Roberts

Jon Marshall Wed, 07/28/2010 - 05:56

ropakalns wrote:

I have read that there is no difference between static (inside,outside) and static (outside,inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong in my understanding of this.

Anyway, it looks fine to me. What's the problem, does it not work for you? If so, do you have the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside

Roberts

Roberts

There is a big difference between static (inside,outside) and static (outside,inside), e.g.

static (inside,outside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means

1) traffic coming from the inside host with a source IP of 172.16.5.1 will be translated to a source IP of 192.168.5.1 as it leaves the outside

2) traffic coming from the outside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the inside

static(outside,inside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means

1) traffic from the inside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the outside

2) traffic coming from the outside with a src IP of 172.16.5.1 will be translated to a src IP of 192.168.5.1 as it leaves the inside

it's basically to do with whether you translate the source or destination IP and the direction.

Jon
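An added example (not code from the thread and not Cisco code) that models the rule Jon states above, using his two addresses and the thread's camera static PAT line: a `static (real_ifc,mapped_ifc) mapped_ip real_ip` entry rewrites the source of packets going from the real interface to the mapped one, and the destination of packets going the other way; with `tcp mapped_port ... real_port` the same applies to a single port. `Packet`, `StaticRule`, `translate` and the two `demo_*` functions are names invented here; 203.0.113.10 stands in for the thread's `outside_ip` and 198.51.100.7 for an outside viewer (both documentation ranges).

```python
"""Added example: a model of what a pre-8.3 ASA/PIX `static` entry rewrites.

Not Cisco code and not from the thread; it encodes Jon Marshall's description.
A `static (real_ifc,mapped_ifc) mapped_ip real_ip` line rewrites the SOURCE of
packets going real -> mapped and the DESTINATION of packets going mapped -> real.
With `tcp mapped_port ... real_port` the same applies to one port (static PAT).
Packet/StaticRule/translate are names invented here; 203.0.113.10 stands for the
thread's `outside_ip` and 198.51.100.7 for an outside viewer (documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticRule:
    real_ifc: str                # first name inside the parentheses
    mapped_ifc: str              # second name inside the parentheses
    mapped_ip: str               # first address on the line
    real_ip: str                 # second address on the line
    proto: Optional[str] = None  # None: address-only static, every protocol and port
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def _port_ok(self, proto: str, port: int, want: Optional[int]) -> bool:
        return self.proto is None or (proto == self.proto and port == want)

    def apply(self, pkt: Packet, ingress: str, egress: str) -> Optional[Packet]:
        """Rewritten packet, or None when this entry does not apply to it."""
        # real -> mapped: the real host's source becomes the mapped address
        if (ingress, egress) == (self.real_ifc, self.mapped_ifc):
            if pkt.src_ip == self.real_ip and self._port_ok(pkt.proto, pkt.src_port, self.real_port):
                new_port = self.mapped_port if self.proto else pkt.src_port
                return replace(pkt, src_ip=self.mapped_ip, src_port=new_port)
        # mapped -> real: a mapped destination becomes the real host
        if (ingress, egress) == (self.mapped_ifc, self.real_ifc):
            if pkt.dst_ip == self.mapped_ip and self._port_ok(pkt.proto, pkt.dst_port, self.mapped_port):
                new_port = self.real_port if self.proto else pkt.dst_port
                return replace(pkt, dst_ip=self.real_ip, dst_port=new_port)
        return None


def translate(rules: Sequence[StaticRule], pkt: Packet, ingress: str, egress: str) -> Optional[Packet]:
    """Apply the first entry that matches (this model checks them in list order)."""
    for rule in rules:
        out = rule.apply(pkt, ingress, egress)
        if out is not None:
            return out
    return None


OUTSIDE_IP = "203.0.113.10"
VIEWER = "198.51.100.7"

# Jon's two examples: same addresses, opposite interface order
in_out = StaticRule("inside", "outside", "192.168.5.1", "172.16.5.1")
out_in = StaticRule("outside", "inside", "192.168.5.1", "172.16.5.1")

# the thread's camera 1 static PAT, and the variant that hands the camera port 80 instead
camera1 = StaticRule("inside", "outside", OUTSIDE_IP, "10.2.19.1", "tcp", 1024, 1024)
camera1_web = StaticRule("inside", "outside", OUTSIDE_IP, "10.2.19.1", "tcp", 1024, 80)


def demo_direction() -> dict:
    """Which field each interface order rewrites (None = entry does not apply)."""
    from_outside = Packet(VIEWER, 40000, "192.168.5.1", 80)
    from_inside = Packet("172.16.5.1", 40001, VIEWER, 80)
    to_mapped_from_inside = Packet("10.0.0.5", 40002, "192.168.5.1", 80)
    return {
        # (inside,outside): outside viewer -> mapped IP is forwarded to the inside host ...
        "in_out/from_outside": translate([in_out], from_outside, "outside", "inside"),
        # ... and the inside host's own source is rewritten as it leaves outside
        "in_out/from_inside": translate([in_out], from_inside, "inside", "outside"),
        # (outside,inside): the same viewer packet is NOT forwarded anywhere
        "out_in/from_outside": translate([out_in], from_outside, "outside", "inside"),
        # (outside,inside): an inside host talking TO 192.168.5.1 gets its destination rewritten
        "out_in/inside_to_mapped": translate([out_in], to_mapped_from_inside, "inside", "outside"),
    }


def demo_camera_pat() -> dict:
    """Static PAT for camera 1, plus the camera's reply on the same entry."""
    viewer = Packet(VIEWER, 51000, OUTSIDE_IP, 1024)
    reply = Packet("10.2.19.1", 1024, VIEWER, 51000)
    return {
        "same_port": translate([camera1], viewer, "outside", "inside"),           # -> 10.2.19.1:1024
        "remapped_to_80": translate([camera1_web], viewer, "outside", "inside"),  # -> 10.2.19.1:80
        "no_entry_for_1025": translate([camera1], replace(viewer, dst_port=1025), "outside", "inside"),
        # the ASA only sees this reply if the camera's route back to the viewer goes through it
        "camera_reply": translate([camera1], reply, "inside", "outside"),         # -> 203.0.113.10:1024
    }


if __name__ == "__main__":
    for name, pkt in {**demo_direction(), **demo_camera_pat()}.items():
        print(f"{name:26} {pkt}")
```

The `camera_reply` case is the one that matters for the return path Roberts was unsure about: the same (inside,outside) entry puts the camera's source back to `outside_ip:1024`, but only for traffic that actually reaches the ASA's inside interface. A camera whose default gateway is some other router sends its replies elsewhere and the entry never gets to rewrite them, which is the failure mode this thread ends on.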

gmtimmons Wed, 07/28/2010 - 05:43

Also, do I need to make an access list entry for each one as well, and can I use the same access list as I use for my other NATs?

(ACL for other NATs, e.g.)  access-list outside_in extended permit tcp any host mailserver eq lotusnotes

access-list outside_in extended permit tcp any host outside_ip eq 1024

access-list outside_in extended permit tcp any host outside_ip eq 1025

Correct Answer
Jon Marshall Wed, 07/28/2010 - 05:57

If you have an existing access-list on the outside interface then yes you will need to add entries to the existing acl for your cameras.

Jon

gmtimmons Wed, 07/28/2010 - 06:12

Can I do an access list for a range of ports, such as

access-list outside_in extended permit tcp any host outside_ip eq 1024-1033

or do you have to do an access list for each port  separately?

Jon Marshall Wed, 07/28/2010 - 06:23

gmtimmons wrote:

Can I do an access list for a range of ports, such as

access-list outside_in extended permit tcp any host outside_ip eq 1024-1033

or do you have to do an access list for each port  separately?

I'm assuming the device you are using is an ASA/PIX and it is running software older than 8.3:

object-group service cameraports tcp

port-object range 1024 1033

access-list outside_in permit tcp any host outside_ip object-group cameraports

Jon

gmtimmons Wed, 07/28/2010 - 12:17

This is what I have (not working). Suggestions?

static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 1029 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 81 10.2.19.0 81 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 8007 10.2.19.0 8007 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 9898 10.2.19.0 9898 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 50000 10.2.19.0 50000 netmask 255.255.255.255

object-group service cameraports tcp
port-object range 1024 1033

access-list outside_in extended permit tcp any host 74.254.131.11 object-group camerapor
access-list outside_in extended permit tcp any host 74.254.131.11 eq 8007
access-list outside_in extended permit tcp any host 74.254.131.11 eq 9898
access-list outside_in extended permit tcp any host 74.254.131.11 eq 50000
access-list outside_in extended permit tcp any host 74.254.131.11 eq 81

access-group outside_in in interface outside
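An added consistency check over the configuration pasted above (this is example code, not from the thread and not a Cisco tool). It tests the two things Jon asked about: every object-group the ACL names must exist, and every port an (inside,outside) static exposes must be permitted to the mapped address by the ACL applied inbound on the mapped interface (pre-8.3 ACLs match on mapped addresses, which is why the entries above use `host outside_ip`). The constructed `CONFIG` keeps three of the ten camera lines, uses 203.0.113.10 in place of both `outside_ip` and 74.254.131.11 so the statics and the ACL refer to the same host, and keeps the `object-group camerapor` reference exactly as pasted; `parse` and `lint` are names invented here.

```python
"""Added example: consistency check between pre-8.3 `static` PAT entries and the
inbound ACL, run over a copy of the configuration pasted above.

Not Cisco code and not from the thread.  Every object-group an ACL line names
must be defined, and every port an (inside,outside) static exposes must be
permitted to the MAPPED address by the ACL bound inbound on the mapped
interface (pre-8.3 ACLs see mapped addresses).  203.0.113.10 stands in for
both `outside_ip` and 74.254.131.11; `camerapor` is kept as pasted.
"""
import re
from collections import defaultdict

RE_OG = re.compile(r"^object-group service (\S+) (?:tcp|udp|tcp-udp)$")
RE_PORT = re.compile(r"^port-object (?:eq (\d+)|range (\d+) (\d+))$")
RE_STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask \S+$")
RE_ACL = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) (?:eq (\d+)|object-group (\S+))$")
RE_BIND = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed from the thread's paste (three of the ten camera lines kept).
CONFIG = """
static (inside,outside) tcp 203.0.113.10 1024 10.2.19.1 1024 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 1025 10.2.19.2 1025 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 1033 10.2.19.10 1033 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 81 10.2.19.0 81 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 8007 10.2.19.0 8007 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 9898 10.2.19.0 9898 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 50000 10.2.19.0 50000 netmask 255.255.255.255
object-group service cameraports tcp
 port-object range 1024 1033
access-list outside_in extended permit tcp any host 203.0.113.10 object-group camerapor
access-list outside_in extended permit tcp any host 203.0.113.10 eq 8007
access-list outside_in extended permit tcp any host 203.0.113.10 eq 9898
access-list outside_in extended permit tcp any host 203.0.113.10 eq 50000
access-list outside_in extended permit tcp any host 203.0.113.10 eq 81
access-group outside_in in interface outside
"""


def parse(config: str) -> dict:
    """Pull statics, service object-groups, ACL entries and access-group bindings."""
    groups, statics, acls, bound, unresolved = {}, [], defaultdict(list), {}, []
    current = None  # object-group whose port-object lines we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_OG.match(line):
            current = m.group(1)
            groups[current] = set()
            continue
        if (m := RE_PORT.match(line)) and current is not None:
            lo = int(m.group(1) or m.group(2))
            hi = int(m.group(1) or m.group(3))
            groups[current].update(range(lo, hi + 1))
            continue
        current = None
        if m := RE_STATIC.match(line):
            real_ifc, mapped_ifc, proto, mip, mport, rip, rport = m.groups()
            statics.append((real_ifc, mapped_ifc, proto, mip, int(mport), rip, int(rport)))
        elif m := RE_ACL.match(line):
            name, proto, host, port, group = m.groups()
            if port:
                ports = {int(port)}
            elif group in groups:  # a group must be defined before an ACL line names it
                ports = groups[group]
            else:
                unresolved.append(group)
                ports = set()
            acls[name].append((proto, host, ports))
        elif m := RE_BIND.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound on it
    return {"statics": statics, "acls": acls, "bound": bound, "unresolved": unresolved}


def lint(config: str) -> dict:
    """Unresolved group names, and mapped ip:port pairs no inbound ACL entry permits."""
    p = parse(config)
    uncovered = []
    for real_ifc, mapped_ifc, proto, mip, mport, rip, rport in p["statics"]:
        entries = p["acls"].get(p["bound"].get(mapped_ifc), [])
        if not any(e_proto == proto and host == mip and mport in ports
                   for e_proto, host, ports in entries):
            uncovered.append((mip, mport))
    return {"unresolved_groups": p["unresolved"], "uncovered": uncovered}


if __name__ == "__main__":
    print(lint(CONFIG))
    fixed = CONFIG.replace("object-group camerapor\n", "object-group cameraports\n")
    print(lint(fixed))
```

On the pasted text the check reports `camerapor` as undefined (the group is defined as `cameraports`) and therefore lists the 1024-1033 statics as not permitted; with the name corrected, nothing is reported. Two caveats: the thread's actual failure turned out to be the cameras' default gateway, which no NAT/ACL check can see, and on 8.3 and later the inbound ACL must reference the real (10.2.19.x) addresses instead, so the `host == mip` comparison would have to change.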

Jon Marshall Wed, 07/28/2010 - 12:21

Are you seeing any hits on your access-list entries, i.e. what does sh access-list show?

Nagaraja Thanthry Wed, 07/28/2010 - 12:31

Hello,

I guess the ports open on the camera are different from what you are trying to configure. Are you trying to manage them via Web Console? If yes, could you please check to see what port they operate on? Once you find out that, you can do the following:

no static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1029 10.2.19.6 1029 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255

static (inside,outside) tcp outside_ip 1024 10.2.19.1 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 netmask 255.255.255.255

If they are accessible via web port (80), then,

static (inside,outside) tcp outside_ip 1024 10.2.19.1 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 80 netmask 255.255.255.255

Hope this helps.

Regards,

NT

gmtimmons Wed, 07/28/2010 - 12:50

Yes, I am getting hits on my access list. Not sure on the port question. Basically the mfg of the camera system left me a sheet that says which TCP inbound port is to be used for each item, those ports being 1024-1033 and 81, 8007, 9898, 50000. I will see if I can get in touch with them and ask.

Nagaraja Thanthry Thu, 07/29/2010 - 07:59

Hello,

What is the default gateway on these devices? Are they pointing to the firewall?

Regards,

NT

gmtimmons Thu, 07/29/2010 - 08:02

Hmmmmmmm, great question... I think the camera guys set them up with the internal gateway, not the firewall... so you think it could be a routing issue?

Correct Answer
Nagaraja Thanthry Thu, 07/29/2010 - 08:12

Hello,

Most likely that could be the issue because your configurations look good.

Please check the default gateway and see if we can somehow point it to the ASA or route the traffic to the ASA.

Regards,

NT

gmtimmons Thu, 07/29/2010 - 08:36

Thanks to all... it was a routing issue... wrong gateway used by the mfg's people setting up the devices. Working now.
