Other way around, the dvr is not behind the asa, the users attempting to connect to it are.

Hi,

Well in that case you will only need the basic Dynamic PAT configuration with regards to NAT. I assume this is already in place as otherwise no external connection from your LAN would not work.

I dont see how your ACLs are configured and attached to interfaces but judging from its name the ACL in question might be attached with the following command

access-group outside-in in interface outside

If so, then this ACL only controls connections initiated from behind the "outside" interface.

If you have an ACL attached to the "inside" interface then you would have to make sure the traffic is allowed in that ACL

You can test the rules/configurations applied to the traffic with the "packet-tracer" command

packet-tracer input tcp 12345 2000

This should simulate and tell us what would happen to a connection coming from your LAN through the ASA towards the DVR with destination port TCP/2000. Naturally you will have to replace the above with some LAN user IP address.

- Jouni

>I dont see how your ACLs are configured and attached to interfaces  but judging from its name the ACL in question might >be attached with the  following command

>access-group outside-in in interface outside

Yes that is correct.  I ran the packet-tracer command as you suggested and it appear that it allows everything.

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Yet I still can't seem to get this to connect.  If I connect the workstation to a connection that is not behind the ASA it connects without issue.

Hi,

I would probably monitor the logs while connecting to see if anything gets blocked or if the connections get through what happens to them when the logs show the "Teardown" message for the connections. This is probably easiest done through the ASDM monitor/logging section.

- Jouni

Hi,

I got the picture atleast that the users are behind the ASA and the DVR is at some remote location.

If that is the case then there should already be a default route and I would imagine from the DVRs perspective should also be fine.

- Jouni

Jouni, as he mentioned that he is allowing the traffic frm outside, then DVR should be Inside, defualt route on the FW will be to outside, and he needs to add a static route to DVR network through the Inside network

Though it was mentioned that the users are behind the ASA and I doubt they are behind the "outside" interface or it would be a pretty uncommon/wierd setup. Which again would mean that the DVR is behind the "outside" interface.

But again this would be clearer if could see actual configurations

- Jouni

Yes, it's layed out like this:

DVR <-> Internet <-> ASA <-> users

I attached my config if that would give you a better idea of how we are setup, I removed the access-list for the port 2000 because it didn't make any difference and I wanted you to see the config before i edited it.  Any other ideas?

>So I am wondering if the

>"inspect skinny"

>is causing the traffic to drop?

Thank you thank you thank you!!!! That was indeed the issue!