Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.


Port forwarding Issue


I have a customer who purchased a GE IP Camera / DVR for one of their remote sites and we're having problems accessing it from behind our ASA 5520s 7.2(4).

What I've discovered is that when any user connects to the DVR's external IP, the webpage loads and then the DVR creates a seperate inbound connection on port 5858 (TCP or UDP are selectable)which carries the video stream.

Outbound users are PAT'd to a single external IP, so as you can see... we have an issue.

GE is saying that port 5858 needs to be forwarded, but I don't see the feasibility of this in an environment where there are multiple users that would need this port forwarded without assigning them a static external IP.

Is there an inspect statement I can enter to make this work? This scenario is very similar to how a PPTP VPN works... TCP connection on port 1723 and then the server initiates an inbound GRE tunnel, The "inspect PPTP" command allows this to work.

I've found the connection will work if I statically map a host to an external IP and then put an explicit ACL statement in allowing the DVR IP to the external IP on TCP port 5858.

What can I do at this point to make it work? Can I create a custom "Inspect"? The IP of the DVR is static if that makes any difference.



Re: Port forwarding Issue

I'm not sure if you cn create a custom inspect or not (certainly would make sense that you can), but you could also use FTP inspection and change the inspection to port 5858. Here's a link on how to do that.

Hope that helps.


Re: Port forwarding Issue

Thanks for the reply. We are already using the FTP inspection with it's default settings. Is it possible to create another "Instance" of it? Thanks.

New Member

Re: Port forwarding Issue

Yes you can. See the above link from collin_clark and scroll down.

Configure FTP protocol inspection on non standard TCP port

You can configure the FTP Protocol Inspection for non standard TCP ports with these configuration lines (replace XXXX with the new port number):

access-list ftp-list extended permit tcp any any eq XXXX


class-map ftp-class

match access-list ftp-list


policy-map global_policy

class ftp-class

inspect ftp

CreatePlease to create content