Am I doing static PAT correctly?

Answered Question
Jul 28th, 2010
I have a series of security cameras I have been asked to NAT, but with limited public IPs I am going to have to use NAT.

Requirements are camera 1 using TCP inbound port 1024, camera 2 using port 1025, etc.

Do I just need these static commands to make this work:

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1025 netmask 255.255.255.255

etc.

There are about 10 cameras total.

FYI, I have NAT configured and working for other items such as webservers, etc.

Thanks in advance.


ropakalns Wed, 07/28/2010 - 05:28

Hi!


Seems to me that you need


hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1024 netmask 255.255.255.255


But be sure that inside traffic goes out through the same outside interface IP


Roberts

gmtimmons Wed, 07/28/2010 - 05:33

Sorry, that was a typo; it should have been


hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1025 netmask 255.255.255.255

Correct Answer
ropakalns Wed, 07/28/2010 - 05:38

I have read that there is no difference between static (inside, outside) and static (outside, inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.


Anyway, looks fine to me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside


Roberts

Jon Marshall Wed, 07/28/2010 - 05:56
ropakalns wrote:


I have read that there is no difference between static (inside, outside) and static (outside, inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.


Anyway, looks fine to me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside


Roberts


Roberts


There is a big difference between static (inside,outside) and static (outside,inside), e.g.


static (inside,outside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means


1) traffic coming from the inside host with a source IP of 172.16.5.1 will be translated to a source IP of 192.168.5.1 as it leaves the outside

2) traffic coming from the outside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the inside


static (outside,inside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means


1) traffic from the inside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the outside

2) traffic coming from the outside with a src IP of 172.16.5.1 will be translated to a src IP of 192.168.5.1 as it leaves the inside


It's basically to do with whether you translate the source or destination IP and the direction.


Jon
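The two cases Jon lays out above, as an added example that is not part of the thread: a small Python model of a one-to-one static entry on a pre-8.3 ASA, where `Packet`, `StaticNat` and `parse_static` are names assumed here, and the packet addresses are constructed (10.1.1.1 and 203.0.113.5 stand in for an arbitrary inside and outside host).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_if,mapped_if) mapped_ip real_ip netmask ...' entry."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str

    def translate(self, pkt: Packet, ingress: str, egress: str) -> Packet:
        """Rewrite a packet crossing from ingress to egress.

        real_if -> mapped_if: source real_ip becomes mapped_ip.
        mapped_if -> real_if: destination mapped_ip becomes real_ip.
        Anything else passes through unchanged.
        """
        if ingress == self.real_if and egress == self.mapped_if and pkt.src == self.real_ip:
            return Packet(self.mapped_ip, pkt.dst)
        if ingress == self.mapped_if and egress == self.real_if and pkt.dst == self.mapped_ip:
            return Packet(pkt.src, self.real_ip)
        return pkt

# Accepts both "static (a,b)" and "static(a,b)" as written in the thread.
STATIC_RE = re.compile(r"^static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+\S+$")

def parse_static(line: str) -> StaticNat:
    """Parse a one-to-one static entry (no port fields), as in Jon's two examples."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a one-to-one static entry: {line!r}")
    real_if, mapped_if, mapped_ip, real_ip = m.groups()
    return StaticNat(real_if, mapped_if, mapped_ip, real_ip)

if __name__ == "__main__":
    a = parse_static("static (inside,outside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255")
    print(a.translate(Packet("172.16.5.1", "203.0.113.5"), "inside", "outside"))  # src -> 192.168.5.1
    print(a.translate(Packet("203.0.113.5", "192.168.5.1"), "outside", "inside"))  # dst -> 172.16.5.1
    b = parse_static("static(outside,inside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255")
    print(b.translate(Packet("10.1.1.1", "192.168.5.1"), "inside", "outside"))    # dst -> 172.16.5.1
    print(b.translate(Packet("172.16.5.1", "10.1.1.1"), "outside", "inside"))     # src -> 192.168.5.1
```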

gmtimmons Wed, 07/28/2010 - 05:43

Also, do I need to make an access list entry for each one as well, and can I use the same access list as I use for my other NATs?


(ACL for other NATs, e.g.)  access-list outside_in extended permit tcp any host mailserver eq lotusnotes



access-list outside_in extended permit tcp any host outside_ip eq 1024

access-list outside_in extended permit tcp any host outside_ip eq 1025

Correct Answer
Jon Marshall Wed, 07/28/2010 - 05:57

If you have an existing access-list on the outside interface then yes you will need to add entries to the existing acl for your cameras.


Jon

gmtimmons Wed, 07/28/2010 - 06:12

Can I do an access list for a range of ports such as



access-list outside_in extended permit tcp any host outside_ip eq 1024-1033


or do you have to do an access list for each port separately?

Jon Marshall Wed, 07/28/2010 - 06:23
gmtimmons wrote:


Can I do an access list for a range of ports such as



access-list outside_in extended permit tcp any host outside_ip eq 1024-1033


or do you have to do an access list for each port separately?



I'm assuming the device you are using is an ASA/PIX and it is running software earlier than 8.3:


object-group service cameraports tcp

port-object range 1024 1033


access-list outside_in permit tcp any host outside_ip object-group cameraports


Jon
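Added example, not from the thread: a Python helper that emits the pre-8.3 static PAT lines and the object-group ACL Jon shows above for a block of cameras, and flags the reused outside port from the first post (two statics binding outside_ip 1024). Function names and the `outside_in` / `cameraports` labels follow the thread; the camera list is constructed.

```python
import re
from collections import Counter

MASK = "netmask 255.255.255.255"

def static_pat_lines(outside_ip, cameras):
    """cameras: list of (inside_ip, port). Each camera gets its own outside port,
    mapped to the same port on the inside host (the layout used in the thread)."""
    return [f"static (inside,outside) tcp {outside_ip} {port} {inside_ip} {port} {MASK}"
            for inside_ip, port in cameras]

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask \S+$")

def duplicate_mapped_ports(lines):
    """Return (mapped_ip, mapped_port) pairs bound by more than one static entry.
    A mapped ip/port can only be translated to one inside host, so this must be empty."""
    seen = Counter()
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            seen[(m.group(4), int(m.group(5)))] += 1
    return sorted(k for k, n in seen.items() if n > 1)

def acl_lines(outside_ip, ports, group="cameraports"):
    """Contiguous ports: one object-group with a port-object range plus a single ACE.
    Otherwise one 'eq' ACE per port, as the OP did for 81/8007/9898/50000."""
    ports = sorted(set(ports))
    if len(ports) > 1 and ports == list(range(ports[0], ports[-1] + 1)):
        return [f"object-group service {group} tcp",
                f" port-object range {ports[0]} {ports[-1]}",
                f"access-list outside_in extended permit tcp any host {outside_ip} object-group {group}"]
    return [f"access-list outside_in extended permit tcp any host {outside_ip} eq {p}" for p in ports]

if __name__ == "__main__":
    # Constructed: ten cameras 10.2.19.1-10 on outside ports 1024-1033, as in the thread.
    cams = [(f"10.2.19.{i}", 1023 + i) for i in range(1, 11)]
    statics = static_pat_lines("outside_ip", cams)
    print("\n".join(statics + acl_lines("outside_ip", [p for _, p in cams])))
    print("collisions:", duplicate_mapped_ports(statics))  # []
```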

gmtimmons Wed, 07/28/2010 - 12:17

This is what I have (not working). Suggestions?


static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 1029 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 81 10.2.19.0 81 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 8007 10.2.19.0 8007 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 9898 10.2.19.0 9898 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 50000 10.2.19.0 50000 netmask 255.255.255.255


object-group service cameraports tcp
port-object range 1024 1033


access-list outside_in extended permit tcp any host 74.254.131.11 object-group camerapor
access-list outside_in extended permit tcp any host 74.254.131.11 eq 8007
access-list outside_in extended permit tcp any host 74.254.131.11 eq 9898
access-list outside_in extended permit tcp any host 74.254.131.11 eq 50000
access-list outside_in extended permit tcp any host 74.254.131.11 eq 81



access-group outside_in in interface outside

Jon Marshall Wed, 07/28/2010 - 12:21

Are you seeing any hits on your access-list entries, i.e. what does sh access-list show?

Nagaraja Thanthry Wed, 07/28/2010 - 12:31

Hello,


I guess the ports open on the camera are different from what you are trying to configure. Are you trying to manage them via Web Console? If yes, could you please check to see what port they operate on? Once you find out that, you can do the following:


no static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1029 10.2.19.6 1029 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255


static (inside,outside) tcp outside_ip 1024 10.2.19.1 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 netmask 255.255.255.255


If they are accessible via web port (80), then,


static (inside,outside) tcp outside_ip 1024 10.2.19.1 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 80 netmask 255.255.255.255


Hope this helps.


Regards,


NT

gmtimmons Wed, 07/28/2010 - 12:50

Yes, I am getting hits on my access list. Not sure on the port question. Basically the mfg of the camera system left me a sheet that says the TCP inbound port to be used for each item, those ports being 1024-1033 and 81, 8007, 9898, 50000. I will see if I can get in touch with them and ask.

gmtimmons Thu, 07/29/2010 - 07:45

Still no luck. I have removed most of my new entries. Attaching relevant info of my config.

Any other suggestions?

Nagaraja Thanthry Thu, 07/29/2010 - 07:59

Hello,


What is the default gateway on these devices? Are they pointing to the firewall?


Regards,


NT

gmtimmons Thu, 07/29/2010 - 08:02

Hmmmmmmm, great question... I think the camera guys set them up with the internal gateway, not the firewall...

So you think it could be a routing issue?

Correct Answer
Nagaraja Thanthry Thu, 07/29/2010 - 08:12

Hello,


Most likely that could be the issue because your configurations look good.

Please check the default gateway and see if we can somehow point it to the ASA or route the traffic to ASA.


Regards,


NT

gmtimmons Thu, 07/29/2010 - 08:36

Thanks to all... it was a routing issue... wrong gateway used by the mfg's people setting up the devices. Working now.