Cisco Support Community
New Member

Am I doing static PAT correctly?

I have a series of security cameras I have been asked to NAT, but with limited public IPs I am going to have to use NAT.

Requirements are camera 1 using TCP inbound port 1024, camera 2 using port 1025, etc.

Do I just need these static commands to make this work:

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip 1025 netmask 255.255.255.255

etc

there are about 10 cameras total

fyi, I have nat configured and working for other items such as webservers, etc.

thanks in advance

18 REPLIES
New Member

Re: Am I doing static PAT correctly?

Hi!

Seems to me that you need

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1024 netmask 255.255.255.255

But be sure that inside traffic goes out through the same outside interface IP

Roberts

New Member

Re: Am I doing static PAT correctly?

sorry that was a typo, should have been

hostname (config)# static (inside,outside) tcp outside_ip 1024 insided_ip1 1024 netmask 255.255.255.255

hostname (config)# static (inside,outside) tcp outside_ip 1025 insided_ip2 1025 netmask 255.255.255.255

New Member

Re: Am I doing static PAT correctly?

I have read that there is no difference between static (inside, outside) and static (outside, inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.

Anyway, looks fine for me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside

Roberts

Hall of Fame Super Blue

Re: Am I doing static PAT correctly?

ropakalns wrote:

I have read that there is no difference between static (inside, outside) and static (outside, inside), but

as I have seen, static (outside,inside) inside IP outside IP does not work for me, maybe somebody knows why? For the same reason I don't 100% believe that the mentioned entries make a return path correct, but I might be wrong with understanding this.

Anyway, looks fine for me. What's the problem - does it not work for you? If so, have you the correct ACL applied? But yes, the syntax is static (inside,outside) outside inside

Roberts

Roberts

There is a big difference between static (inside,outside) and static (outside,inside) eg.

static (inside,outside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means

1) traffic coming from the inside host with a source IP of 172.16.5.1 will be translated to a source IP of 192.168.5.1 as it leaves the outside

2) traffic coming from the outside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the inside

static(outside,inside) 192.168.5.1 172.16.5.1 netmask 255.255.255.255 means

1) traffic from the inside with a destination IP of 192.168.5.1 will be translated to a destination IP of 172.16.5.1 as it leaves the outside

2) traffic coming from the outside with a src IP of 172.16.5.1 will be translated to a src IP of 192.168.5.1 as it leaves the inside

it's basically to do with whether you translate the source or destination IP and the direction.

Jon
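The four cases in the post above, as an added Python sketch (not part of the original post and not Cisco code): a single rule covers both commands once you track which interface holds the real host. It goes slightly beyond the post by also modelling the port-based (static PAT) form used for the cameras; the addresses 203.0.113.10 and 198.51.100.7 are constructed, and the model ignores ACLs and routing.

```python
from collections import namedtuple

# Pre-8.3 form: static (real_if,mapped_if) [tcp] mapped_ip [mapped_port] real_ip [real_port]
Static = namedtuple(
    "Static", "real_if mapped_if mapped_ip real_ip mapped_port real_port",
    defaults=(None, None))  # ports stay None for plain static NAT
Packet = namedtuple("Packet", "src sport dst dport")

def translate(rule, ingress_if, pkt):
    """Simplified model: return pkt as it leaves the rule's other interface."""
    if ingress_if == rule.real_if:
        # From the side where the real host lives: rewrite the SOURCE.
        if pkt.src == rule.real_ip and rule.real_port in (None, pkt.sport):
            return pkt._replace(src=rule.mapped_ip,
                                sport=rule.mapped_port or pkt.sport)
    elif ingress_if == rule.mapped_if:
        # From the side that only knows the mapped address: rewrite the DESTINATION.
        if pkt.dst == rule.mapped_ip and rule.mapped_port in (None, pkt.dport):
            return pkt._replace(dst=rule.real_ip,
                                dport=rule.real_port or pkt.dport)
    return pkt  # no match: this rule leaves the packet alone

# The two commands from the post differ only in which interface is "real".
IN_OUT = Static("inside", "outside", "192.168.5.1", "172.16.5.1")
OUT_IN = Static("outside", "inside", "192.168.5.1", "172.16.5.1")
# Static PAT in the thread's style (constructed public address, camera web port 80).
CAMERA = Static("inside", "outside", "203.0.113.10", "10.2.19.2", 1025, 80)

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed outside client
    print(translate(IN_OUT, "inside", Packet("172.16.5.1", 5000, client, 80)))
    print(translate(IN_OUT, "outside", Packet(client, 5000, "192.168.5.1", 80)))
    print(translate(OUT_IN, "inside", Packet("10.0.0.9", 5000, "192.168.5.1", 80)))
    print(translate(OUT_IN, "outside", Packet("172.16.5.1", 5000, "10.0.0.9", 80)))
    print(translate(CAMERA, "outside", Packet(client, 40000, "203.0.113.10", 1025)))
    print(translate(CAMERA, "inside", Packet("10.2.19.2", 80, client, 40000)))
```

The last line only happens if the camera's reply actually re-enters the firewall on the inside interface; a reply that leaves by another gateway is never rewritten.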

New Member

Re: Am I doing static PAT correctly?

also, do I need to make an access list entry for each one as well and can I use the same access list as I use for my other nats

(acl for other nats ex)  access-list outside_in extended permit tcp any host mailserver eq lotusnotes

access-list outside_in extended permit tcp any host outside_ip eq 1024

access-list outside_in extended permit tcp any host outside_ip eq 1025

Hall of Fame Super Blue

Re: Am I doing static PAT correctly?

If you have an existing access-list on the outside interface then yes you will need to add entries to the existing acl for your cameras.

Jon

New Member

Re: Am I doing static PAT correctly?

Can I do an access list for a range of ports such as

access-list outside_in extended permit tcp any host outside_ip eq 1024-1033

or do you have to do an access list for each port  separately?

Hall of Fame Super Blue

Re: Am I doing static PAT correctly?

gmtimmons wrote:

Can I do an access list for a range of ports such as

access-list outside_in extended permit tcp any host outside_ip eq 1024-1033

or do you have to do an access list for each port  separately?

I'm assuming the device you are using is an ASA/Pix and it is running less than 8.3 software -

object-group service cameraports tcp

port-object range 1024 1033

access-list outside_in permit tcp any host outside_ip object-group cameraports

Jon

New Member

Re: Am I doing static PAT correctly?

this is what I have  (not working)  suggestions?

static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 1029 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 81 10.2.19.0 81 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 8007 10.2.19.0 8007 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 9898 10.2.19.0 9898 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 50000 10.2.19.0 50000 netmask 255.255.255.255

object-group service cameraports tcp
port-object range 1024 1033

access-list outside_in extended permit tcp any host 74.254.131.11 object-group camerapor
access-list outside_in extended permit tcp any host 74.254.131.11 eq 8007
access-list outside_in extended permit tcp any host 74.254.131.11 eq 9898
access-list outside_in extended permit tcp any host 74.254.131.11 eq 50000
access-list outside_in extended permit tcp any host 74.254.131.11 eq 81

access-group outside_in in interface outside
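A consistency check for a configuration like the one above, as an added example (not part of the original post and not a Cisco tool): it cross-references pre-8.3 `static` PAT lines against the outside ACL and reports reused mapped ports, translations with no permit, and permits with no translation behind them. The sample config is constructed, with 203.0.113.10 standing in for outside_ip, and only numeric ports are parsed.

```python
import re
from collections import Counter

# Constructed sample in the thread's pre-8.3 syntax; 203.0.113.10 stands in for outside_ip.
SAMPLE = """\
static (inside,outside) tcp 203.0.113.10 1024 10.2.19.1 1024 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 1024 10.2.19.2 1025 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 8007 10.2.19.0 8007 netmask 255.255.255.255
object-group service cameraports tcp
 port-object range 1024 1033
access-list outside_in extended permit tcp any host 203.0.113.10 object-group cameraports
access-list outside_in extended permit tcp any host 203.0.113.10 eq 9898
"""

# Numeric ports only; named ports (www, lotusnotes, ...) are ignored by this sketch.
STATIC = re.compile(r"^static \(\w+,\w+\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL = re.compile(r"^access-list \S+ (?:extended )?permit tcp any host (\S+) "
                 r"(?:eq (\d+)|range (\d+) (\d+)|object-group (\S+))")

def audit(config):
    """Compare mapped (ip, port) pairs of static PAT rules with ACL permits."""
    statics, permits, groups, group = [], set(), {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object-group service (\S+) tcp", line):
            group = groups.setdefault(m[1], set())
        elif (m := re.match(r"port-object range (\d+) (\d+)", line)) and group is not None:
            group.update(range(int(m[1]), int(m[2]) + 1))
        elif (m := re.match(r"port-object eq (\d+)", line)) and group is not None:
            group.add(int(m[1]))
        elif m := STATIC.match(line):
            statics.append((m[1], int(m[2])))  # the ACL matches the mapped side
        elif m := ACL.match(line):
            ip, eq, lo, hi, grp = m.groups()
            if eq:
                ports = {int(eq)}
            elif lo:
                ports = set(range(int(lo), int(hi) + 1))
            else:
                ports = groups.get(grp, set())
            permits |= {(ip, p) for p in ports}
    counts = Counter(statics)
    return {
        "duplicate_mapped": sorted(k for k, n in counts.items() if n > 1),
        "static_without_permit": sorted(set(statics) - permits),
        "permit_without_static": sorted(permits - set(statics)),
    }
```

On the sample, `audit(SAMPLE)` flags port 1024 as mapped twice, port 8007 as translated but not permitted, and ports 1025-1033 and 9898 as permitted with nothing translated behind them.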

Hall of Fame Super Blue

Re: Am I doing static PAT correctly?


Are you seeing any hits on your access-list entries ie. what does sh access-list show ?

Cisco Employee

Re: Am I doing static PAT correctly?

Hello,

I guess the ports open on the camera are different from what you are trying to configure. Are you trying to manage them via Web Console? If yes, could you please check to see what port they operate on? Once you find out that, you can do the following:

no static (inside,outside) tcp outside_ip 1024 10.2.19.1 1024 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1025 10.2.19.2 1025 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1026 10.2.19.3 1026 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1027 10.2.19.4 1027 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1028 10.2.19.5 1028 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1029 10.2.19.6 1029 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1030 10.2.19.7 1030 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1031 10.2.19.8 1031 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1032 10.2.19.9 1032 netmask 255.255.255.255
no static (inside,outside) tcp outside_ip 1033 10.2.19.10 1033 netmask 255.255.255.255

static (inside,outside) tcp outside_ip 1024 10.2.19.1 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 netmask 255.255.255.255

If they are accessible via web port (80), then,

static (inside,outside) tcp outside_ip 1024 10.2.19.1 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1025 10.2.19.2 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1026 10.2.19.3 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1027 10.2.19.4 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1028 10.2.19.5 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1029 10.2.19.6 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1030 10.2.19.7 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1031 10.2.19.8 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1032 10.2.19.9 80 netmask 255.255.255.255
static (inside,outside) tcp outside_ip 1033 10.2.19.10 80 netmask 255.255.255.255

Hope this helps.

Regards,

NT

New Member

Re: Am I doing static PAT correctly?

Yes, I am getting hits on my access list. Not sure on the port question. Basically the mfg of the camera system left me a sheet that says tcp inbound port to be used for each item..... those ports being the 1024-1033 and the 81, 8007, 9898, 50000. I will see if I can get in touch with them and ask.

New Member

Re: Am I doing static PAT correctly?

Still no luck. I have removed most of my new entries..... attaching relevant info of my config

any other suggestions?

New Member

Re: Am I doing static PAT correctly?

OK, for the port question: they aren't using port 80, but the ports stated........ internally I can access http://inside_ip:1024 (ex) but not http://outside_ip:1024

Cisco Employee

Re: Am I doing static PAT correctly?

Hello,

What is the default gateway on these devices? Are they pointing to the

firewall?

Regards,

NT

New Member

Re: Am I doing static PAT correctly?

hmmmmmmm great question... I think the camera guys set them up with the internal gateway, not the firewall...

So you think it could be a routing issue?

Cisco Employee

Re: Am I doing static PAT correctly?

Hello,

Most likely that could be the issue because your configurations look good.

Please check the default gateway and see if we can somehow point it to the

ASA or route the traffic to ASA.

Regards,

NT

New Member

Re: Am I doing static PAT correctly?

thanks to all..... it was a routing issue....  wrong gateway used by mfg's setting up the devices    working now
