Problem firewall Cisco 836 (this thread has 9 replies and has been viewed 879 times)
#1
Hello,

I'm using a Cisco 836 modem to connect to the internet. Everything is working fine (internet, incoming mail, outgoing mail), except displaying IP cameras within the software. When using the same software in another network, it works. The cameras are IP cameras located elsewhere and directly connected to the internet through different ports (80, 81, 8081, 8082, etc.). When viewing the cameras in Internet Explorer everything works. Only not in the software. I think the Cisco modem is blocking something, but I cannot find where. Can someone please help me?

Best regards,
Joost Lauwen
#2
Are you using CBAC or Zone-based firewall? Please post a sanitized config.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
#3
Code:
Building configuration...

Current configuration : 6211 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco-836
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ***
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4
   default-router 10.10.10.1
!
!
ip tcp synwait-time 10
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ip bootp server
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip port-map pop3 port 110 list 2
no ftp-server write-enable
!
!
username Admin privilege 15 secret 5 ***
!
!
crypto isakmp xauth timeout 15
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no cdp enable
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 120 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ***
 ppp chap password 7 002F2328
 ppp pap sent-username *** password 7 ***
!
ip local pool SDM_POOL_1 10.10.10.51 10.10.10.100
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.10 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.10 110 interface Dialer0 110
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 remark Inbound external interface
access-list 120 remark CCP_ACL Category=17
access-list 120 permit udp host 8.8.4.4 eq domain any
access-list 120 permit udp host 8.8.8.8 eq domain any
access-list 120 remark The below set the rfc1918 private exclusions
access-list 120 deny ip 192.168.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.15.255.255 any
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 remark Allow established sessions back in
access-list 120 permit tcp any any established
access-list 120 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 3389
access-list 120 permit tcp any any eq 22 log
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data
access-list 120 remark Passive FTP ports matching vsftpd config
access-list 120 permit tcp any any range 50000 50050
access-list 120 permit gre any any
access-list 120 permit udp any eq domain any
access-list 120 remark Standard acceptable icmp rules
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any source-quench
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any time-exceeded
access-list 120 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end
#4
From your config you are running CBAC. I assume when connecting to these cameras with the browser it is over port 80. From the inside network to the outside, this session is being inspected by CBAC and the return traffic is allowed back through based on a connection existing in the firewall state table.
Code:
show ip inspect sessions
Is the camera software itself using some different ports? If so, what ports is it using? You can add custom ports to CBAC and ZBPF using ip port-map commands. If the firewall is dropping the packets you can use the command:
Code:
ip inspect log drop-pkt
to see if CBAC is indeed dropping the traffic. I would log this to the buffer or to syslog, as if you log this to the console you may get locked out if there are a lot of drops.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
#5
I have 4 cameras. They are all using a different port: 80, 8080, 8081, 8082.
The software is using the same address as we use in the internet browser. For example: http://ipaddress:8080
#6
When you try to connect with the software, do you see the connection in the state table?
Code:
show ip inspect sessions
Also, from looking at your dialer interface (the internet-facing interface) I don't see an ACL inbound from the outside. CBAC requires that ACL in order to do the inspection, even if it's a deny any.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
#7
When using the
Code:
show ip inspect session
Code:
Session 81C0ACC0 <10.10.10.100:49380>=><31.161.117.*:8081> tcp SIS_OPEN
Session 81C0FDC0 <10.10.10.100:49379>=><188.204.130.*:80> tcp SIS_OPEN
#8
Well, the TCP session is getting established. What do you see from the software client? Anything? Also, did you log the drops? Did you add the ACL inbound to the outside interface?
Code:
ip inspect log drop-pkt
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
#9
The software is not showing anything.
The log cannot be shown when using the command
Code:
ip inspect log drp-pkt
Can you tell me how I set up the inbound ACL?
#10
Are you logging to the buffer?
Code:
logging buffered 5
show log
CBAC requires the ACL coming inbound on the outside interface. Example:
Code:
ip access-list extended CBAC_OUTSIDE_IN
 deny ip any any
interface Dialer0
 ip access-group CBAC_OUTSIDE_IN in
This ACL will deny any traffic initiated from the outside to the inside. If a session already exists in the firewall's state table (initiated from inside to outside and inspected with CBAC), then the return traffic will be permitted through, as the return flow is part of an existing flow in the state table. IOS firewall (and the ASA) first check the state table for a valid session and, if one exists, the traffic is permitted, effectively bypassing the ACL. If you are hosting servers internally you will need to add exceptions manually in this ACL.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress) Last edited by auglan; 4th July 2012 at 15:06.
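An added audit script (not from the thread, the poster's router, or Cisco) that encodes the two rules the thread turns on: auglan's point in posts #4 and #10 that an interface running "ip inspect ... out" must also carry an inbound ACL, and the remark in the posted config that every port opened with "ip nat inside source static" has to be permitted in that ACL as well. The config it parses is a constructed miniature modelled on the poster's, the port-name table is a partial assumption, and the port 2222 forwarding is a constructed entry left out of the ACL on purpose.

```python
import re

# Constructed miniature of the thread's Cisco 836 CBAC config (not the poster's full config).
SAMPLE_CONFIG = """\
interface Dialer0
 ip access-group 120 in
 ip inspect SDM_LOW out
!
interface Ethernet0
 ip access-group 100 in
!
ip nat inside source static tcp 10.10.10.10 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.10.10 110 interface Dialer0 110
ip nat inside source static tcp 10.10.10.10 2222 interface Dialer0 2222
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq 3389
access-list 120 deny ip any any
"""

# Partial map of IOS port keywords to numbers (assumption: only the names this sample needs).
WELL_KNOWN = {"pop3": 110, "smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}

def parse_interfaces(config):
    """Return {ifname: {"acl_in": name or None, "inspect_out": rule name or None}}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"acl_in": None, "inspect_out": None}
        elif cur and line.startswith(" "):           # indented lines belong to the current interface
            m = re.match(r"\s+ip access-group (\S+) in", line)
            if m: ifaces[cur]["acl_in"] = m.group(1)
            m = re.match(r"\s+ip inspect (\S+) out", line)
            if m: ifaces[cur]["inspect_out"] = m.group(1)
        else:
            cur = None                                # "!" or a global command ends the block
    return ifaces

def acl_tcp_ports(config, acl):
    """TCP destination ports a numbered ACL permits with 'permit tcp any any eq <port>'."""
    pat = rf"^access-list {re.escape(acl)} permit tcp any any eq (\S+)"
    toks = (m.group(1) for m in re.finditer(pat, config, re.M))
    return {WELL_KNOWN.get(t, int(t) if t.isdigit() else t) for t in toks}

def static_nat_ports(config, iface):
    """Outside TCP ports opened by static NAT on the given interface."""
    pat = rf"^ip nat inside source static tcp \S+ \d+ interface {re.escape(iface)} (\d+)"
    return {int(m.group(1)) for m in re.finditer(pat, config, re.M)}

def audit(config):
    """Findings as strings; an empty list means both CBAC rules are satisfied."""
    findings = []
    for name, d in parse_interfaces(config).items():
        if d["inspect_out"] and not d["acl_in"]:
            findings.append(f"{name}: 'ip inspect {d['inspect_out']} out' without an inbound ACL")
        elif d["inspect_out"]:
            for p in sorted(static_nat_ports(config, name) - acl_tcp_ports(config, d["acl_in"])):
                findings.append(f"{name}: static NAT port {p} not permitted in ACL {d['acl_in']}")
    return findings
```

Run against the sample it reports only the deliberately missing port 2222; removing the "ip access-group 120 in" line from Dialer0 reproduces the missing-inbound-ACL case auglan describes.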