Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2685
Views
0
Helpful
4
Replies

ASA 5510 and web camera access

cwiuser01
Level 1
Level 1

‎12-08-2009 07:31 PM - edited ‎03-11-2019 09:46 AM

I have a ASA 5510 firewall on the outside of my network.  I can view a web camera internally after logging into the camera with no problems.  On the firewall I created a NAT entry to connect a extenal IP to view the web camera from a public IP.  For testing purposes I allowed all IP to connect to the internal address.  I can get to the login screen of the web camera, but it does not log in.  Instead I get an DVROCXex error.  I do not get this same error when accessing from the internal network.

Wireshark shows tcp ports in the 2000 to 3000 in addition to the 80 for the http.

Any thoughts as to what is stopping the connection to the web camera?

Labels:
0 Helpful
4 Replies 4

krishnadas.R_2
Level 1
Level 1

‎12-14-2009 03:40 AM

HI,

We can assume that since you are getting the login prompt, connectivity and NAT is working.

Check if the connection is getting redirected to a diffrent port after you enter the login credentials.

0 Helpful

cwiuser01
Level 1
Level 1
In response to krishnadas.R_2

‎12-14-2009 12:41 PM

Thanks for the response.

It was not so much that ports were being redirected but rather the Q-See DVR uses prot 2000 as the default for the video.  Since this is the port that phone traffic uses, then the Firewall was doing something to the packets when they were translated, thus not allowing viewing of the video.

I believe that port 2000 is Cisco-sccp.

Solution is to change the DVR port to something else. All that is then needed to pass thru the firewall is port 80 and port 2001 (which is what I changed the port to).

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to cwiuser01

‎12-14-2009 03:33 PM

You can still keep it at tcp 2000 but, make sure not to inspect skinny for this flow.  If you change it to 2001 then you just need to allow this in the acl (if you have one on the higher security interface).

Is it working? or not?

-KS

0 Helpful

cwiuser01
Level 1
Level 1
In response to Kureli Sankar

‎12-14-2009 08:20 PM

We tried it with the skinny inspect off, but that still did not allow the

video to come thru.  The only thing that worked was changing the port of the DVR, which is pretty simple to do.  So we just changed port to 2001 and then open it up in the firewall and closed 2000.\

It works just fine after that.  Case closed.

Thanks again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card