Cisco Pix 515e 7.22 Transparent mode - When trying to connect to view an offsite surveillance camera server, I am able to get a login prompt but a "connection failed" when trying to connect. I have bypassed the pix and it works fine, so I have confirmed it's the Pix. To my understanding, this kind of traffic should not be blocked by default. Connecting to the surveillance system works fine from outside this network. Any ideas??
Sounds like it's an inspection (or in your case a FIXUP) problem. The PIX needs to inspect the outgoing traffic in order to permit the return traffic, but you haven't explicitly told the PIX to watch for that kind of traffic.
Sorry, off the top of my head I'm not sure which one, but hopefully this points you in the right direction. Find out what codec the video system is using, maybe it's H.323 or H.239 (?)
Thanks for the reply. Would FIXUP apply even though the device is in transparent mode where an upstream router is taking care of the NATing? The DVR claims to be using H.264 and they require ports 80 and 2000 for access to the web interface. I didn't think I needed to allow the codec since it is just a webpage with the camera display I am trying to view.
Ok so with those details I (and another engineer here that I showed your post to) don't think that FIXUP is your issue anymore. Unfortunately we're not sure what it is :-(
If the upstream router is NAT'ing properly, and it works without the L2 PIX, then it sounds like something else is going on. I'd suggest doing a Wireshark packet capture on your test machine while also doing a packet capture on the PIX. Also take a close look at the logs on the PIX - my guess is some part of the return traffic is getting denied. How about doing a "permit IP any any" on the PIX out to the remote camera webpage? e.g. take ACLs out of the picture. That way you can be sure it really isn't a FIXUP issue and see where the problem lies.
Sorry for not being more helpful. This might be an issue for TAC.
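One way to do the log check suggested above, as an added example that is not from this thread: a small Python filter over PIX 7.x syslog output that pulls out the two common deny messages (106023, ACL deny; 106001, inbound TCP denied) and keeps only those where the source is the DVR on one of its service ports, i.e. blocked return traffic. The sample log lines, addresses and ACL name below are constructed placeholders, not taken from the original posts.

```python
import re
from collections import Counter

# Constructed PIX 7.x style syslog sample (placeholder addresses and ACL name).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:192.168.1.20/51000 (192.168.1.20/51000)
%PIX-4-106023: Deny tcp src outside:203.0.113.50/2000 dst inside:192.168.1.20/51001 by access-group "outside_in" [0x0, 0x0]
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.50/2000 to 192.168.1.20/51002 flags SYN ACK on interface outside
%PIX-6-302014: Teardown TCP connection 1234 for outside:203.0.113.50/80 to inside:192.168.1.20/51000 duration 0:00:05 bytes 4096 TCP FINs
"""

# Ports the DVR web interface is said to need (from the thread: 80 and 2000).
DVR_PORTS = {80, 2000}

# 106023: ACL deny, carries interface names and the access-group that matched.
RE_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
# 106001: inbound TCP denied (no matching connection/ACL), carries TCP flags.
RE_106001 = re.compile(
    r'%PIX-2-106001: Inbound TCP connection denied from (?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<sif>\w+)')

def parse_denies(log_text, dvr_ip, dvr_ports=DVR_PORTS):
    """Return deny events whose source is the DVR on a service port (blocked return traffic)."""
    events = []
    for line in log_text.splitlines():
        m = RE_106023.search(line)
        if m:
            d = m.groupdict()
            d.update(msg="106023", flags=None)
        else:
            m = RE_106001.search(line)
            if not m:
                continue            # not a deny message we care about
            d = m.groupdict()
            d.update(msg="106001", proto="tcp", acl=None)
        if d["sip"] == dvr_ip and int(d["sport"]) in dvr_ports:
            events.append(d)
    return events

def summarize(events):
    """Count denies by (message id, DVR port, ACL) so the offending rule stands out."""
    return Counter((e["msg"], e["sport"], e["acl"]) for e in events)

if __name__ == "__main__":
    for key, n in summarize(parse_denies(SAMPLE_LOG, "203.0.113.50")).items():
        print(key, n)
```

Point the script at `show logging` output (with `logging buffered` enabled) and the DVR's public address; an entry naming an access-group tells you which ACL is dropping the reply, while 106001 with SYN ACK flags means the PIX has no matching connection for the reply at all.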
Again, I appreciate your help. The NAT'ing is working correctly because I can bypass the PIX and it works fine. I have already tried "permit IP any any" on the outside interface incoming with the same results. I will take your good advice and Wireshark it and try to filter the logs to catch the problem.