Cisco Firewall :: ASA 5510 Q.264 Video From Axis Outdoor Camera Denied
Apr 9, 2012
I have a customer with a Cisco ASA 5510 firewall, an inside network containing a Genetec video recording server, and cameras installed on broadband modems throughout the area (each with a public IP). They've recently purchased Axis Q6034-E cameras that use H.264 to stream back to the video recording server. The camera has a view mode where you can watch it through H.264 or Motion JPEG. The view with M-JPEG works, but when I switch to H.264 the video stream is denied. We have allowed RTSP, RTP, and HTTP (it's setup with only http, not 443)traffic from the camera address on the cable company public network but are still being denied the video stream. The recording software requires that the feed come from the H.264 feed, so the motion jpeg does not fix the underlying issue of being able to record.
We know it's the firewall because if we install the camera on the inside network, the video feed in H.264 works to the recorder.
How to enable something special on the firewall to allow traffic through from the device?
View 1 Replies
ADVERTISEMENT
Oct 24, 2011
Where can you get a replacement lens for the DCS-70 Outdoor enclosure?
View 3 Replies
View Related
Mar 13, 2012
I have a setup using an ASA 5510 8.2(2). In the DMZ (192.168.12.x) there is a server, switch and multiple cameras for surveillance of the site. In the Inside (140.152.25.x) are the pcs that can run the client software to view the video feed, or it can pull from the server in the DMZ.
On the server in the DMZ, you can see the feed, along with any pc you connect to that network. On any machine on the Inside, or through VPN, you cannot either with the client software or pulling from the surveillance server.
I am watching the connection through ASDM and don’t see any particular port being blocked, but I do see TCP connections being terminated by inspection. So far I’ve taken out inspections for http and rstp. I don’t really see anything else that would drop video. I've attached the error I keep seeing.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code].....
View 7 Replies
View Related
Dec 27, 2011
There are two Polycom devices behind ASA (Terminal HDX7000 and MCU RMX1000), ASA is connected to Cisco 1900 router which is connected to ISP.
Polycom devices are NATed (unique global address per device) on router and h323 inspection is done on ASA. The issue is that when trying to connect from outside to conference on MCU I don't receive any video (but MCU shows me like a connected participant). The same is true when MCU try to call outside terminals, they are shown as connected participants, but there is just a black screen. On ASA all ports are opened (both in and out) and there are no ACLs on router. And what means NAT configuration on Polycom devices, why it is needed when NATing is done on router (such configuration option I've seen also on Tandberg and another vendor's devices)?
View 5 Replies
View Related
May 4, 2011
I am using ASA 5510 and I have a specific problem with Http Connection to receive a video Flow ( RSTP protocol ) in the LAN. Some Pc users (192.168.1.133,in the log) with ASA Lan Interface as gateway can ping the Camera but don't receveive the video flow.Some Pc users (192.168.1.116,in the log) using another gateway can ping and receive the video flow. I used Whireshark to capture traffic between camera and Pc using the 2 gateway. I joined Logs with this message.It seems to be a problem of TCP segments on the ASA, I try to changed some TCP options but it's still the same:- Disable Force Maximum Segment Size- Enable Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Second.
View 7 Replies
View Related
Nov 7, 2011
We have just acquired a cisco profile 42 video conferencing equipment and am required to open ports for SIP and H232, any pointers on hw that can be acquired i have a cisco ASA 5510, Some one told me to open port 16384 but i need pointers on how to do it becuase I already set an access list to any.
the config
Internet -> ASA 5510 -> Switch -> Profile 42 and other devices
View 5 Replies
View Related
Mar 7, 2013
Trying to set-up a priority queue for Voice and Video traffic, below is the current ASA config. The WAN link is 6mb, trying to limit the Internet traffic to 4mb and save 2mb for the PQ, config belowTraffic just isn't hitting the PQ
priority-queue outside
queue-limit 512
tx-ring-limit 200
!
class-map Video
description Video
match dscp af31
[code]....
View 6 Replies
View Related
Jun 17, 2010
I recently bought 3 DCS-920 to monitor my home while at the office. However I can't seem to get the damned things to stream video using the dyndns service. I linked my router to the dyndns account and host service. I portforward the ports my cameras are assigned. Up to this point its all good, I can access the cameras and their settings pages while outside. However both the Java and ActiveX options for video streaming do not work. Even within the network, using their raw IPs to view the cameras the videos stream works.But putting in the hostname and port they are assigned brings up the camera page, but no video.I can only assume the ports the video and audio run on are seperate, as when I put one camera's IP in the DMZ host on my router, it works with the DNS. Unforunately I can only do that with 1, and I'd rather not do that at all.
View 6 Replies
View Related
Apr 11, 2011
is there any way of getting the DCS-2121 cameras to register as a windows "video" device? I am running windows 7 and would like to use the remote cam as a video device in a desktop app - Microsoft OCS.
View 1 Replies
View Related
Apr 28, 2011
Connection denied due to NAT reverse path failure
View 2 Replies
View Related
Aug 5, 2012
I have problem i want to access to my http server in my local network from outside
192.168.2.42 : it my server http
195.X.X.X its my internet IP but it was connected in eth 0/4
static (DMZ,Orange) 195.X.X.X 192.168.2.42 netmask 255.255.255.255
access-list outside-acl permit tcp any host 195.X.X.X eq 80
access-group outside-acl in int orange
but its not good why
View 15 Replies
View Related
Jan 1, 2012
I consider the NAT mechanism to be quite straight forward, but although the firewall ACLs allow the traffic, it is being denied. The ASDM log and packet-tracer indicate the problem being an ACL.
# the internal resource
object network mabe-mbp
host 10.0.0.36
!
# these are ALL of the rules on the outside/inside interfaces
access-list outside_access_in extended permit tcp host 1.2.3.90 any eq 12380 log disabled
access-list outside_access_out extended permit ip any any log
access-list inside_access_in extended permit ip any any log
access-list inside_access_out extended permit ip any any log (code)
View 2 Replies
View Related
Oct 6, 2011
I configured an ASA 5505 a couple of weeks ago. Every thing is working properly except it sends irritating messages to the syslog server. Her is an example of the message:
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/252 flags PSH ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/2252 flags ACK on interface outside.
View 1 Replies
View Related
Jan 14, 2013
I'm having problem getting ICMP echo monitoring on outside interface to work. I've set: icmp permit host monitoring_station_adress outside but I still get:
%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_adress on interface outside. I'm trying to directly monitor ip on ASAs interface outside.
I have access-group tied to "in" direction on interface outside. Do I still have to put "permit icmp" rules despite the fact that icmp permit outside command is set?
View 4 Replies
View Related
Feb 19, 2012
I have a website that is hosted by our company, but when the staff goes to the outside address of th website it gets denied by ACL thus page not found.
3Feb 20 201211:25:23192.168.3.5752928our Extrenal IP80TCP access denied by ACL from 192.168.3.57/52928 to inside: our External IP/80,OUr external ip is also the ip of the 5505.
View 1 Replies
View Related
May 6, 2012
I have ASA5505 configured with internal network as 192.168.15.0 and default gateway 192.168.15.1 From the inside network, i'm able to access internet and able to ping all website (enabled ping). and all internel network devices can ping each other. Except i cannot ping my gateway (ASA5505) 192.168.15.1. I'm continously seeing this message on the log, when i tried to ping.. How to fix this?
Denied ICMP type=8, code=0 from 192.168.15.xxx on interface inside
replace xxx with my network devices that try to ping the gateway..I dont want outsiders ping my gateway, i need ping for inside internal network only.
View 5 Replies
View Related
Jun 24, 2012
I have 2 cisco routers that resired on the same interface on Cisco ASA. For security reasons, on both of the routers I have configured default gateway to be ASA interface, then static route between them on the ASA, I get the following error when on station comming from first router trying to connect to another station behind secound router (again, on the same interface, maybe this is the issue?).
ASA-3-106001: Inbound TCP connection denied from flags SYN
There is access list allowing traffic between but hit count is 0
View 4 Replies
View Related
May 28, 2013
I am attempting to allow traffic from one vlan to another.Vlan 1 is on Interface 0/2.vlan1Vlan 2 is on int 0/3.vlan2Each vlan can communicate inside it's own vlan, and the gateway on each responds to vlan specific clients My problem is that I am unable to communicate between the two vlans. Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup). It appears as if the packet never reaches the other interface. The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces. Testing from either vlan to connect to the other fails. Below are the accee-rules for each vlans. Once I get basic connectivity working.
access-list aVlan1; 3 elements; name hash: 0xadecbc34
access-list aVlan1 line 1 extended permit ip any 192.168.151.64 255.255.255.192 (hitcnt=0) 0xeb0a6bb8
access-list aVlan1 line 2 extended permit ip any 192.168.151.128 255.255.255.128 (hitcnt=0) 0x3a7dfade
access-list aVlan1 line 3 extended permit ip any 192.168.151.0 255.255.255.0 (hitcnt=0) 0x93302455
access-list aVlan2_access_in; 3 elements; name hash: 0x6dc9adc7
access-list aVlan2_access_in line 1 extended permit ip 192.168.151.64 255.255.255.192 192.168.150.0 255.255.255.240 (hitcnt=0) 0x054508b7
access-list aVlan2_access_in line 2 extended permit ip 192.168.151.128 255.255.255.128 192.168.150.0 255.255.255.240 (hitcnt=0) 0xc125c41e
access-list aVlan2_access_in line 3 extended permit ip host 192.168.151.3 192.168.150.0 255.255.255.240 (hitcnt=0) 0x4adc114c
View 19 Replies
View Related
Mar 16, 2013
I am trying to troubleshoot a problem where in one of my remote site is not able to access some networks at HQ over Site to SIte VPN ( asa 5505 at Remote and 5520 at HQ). I ran packet tracer and HQ ASA looks clean as everything came out as ALLOW. Remote site ASA packet tracer give me DROP out at Phase 9 (VPN). I am not very sure what to look in ASA for resolution now. Is it an access list that is blocking the traffice or VPN setup.
View 5 Replies
View Related
Jul 4, 2012
I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5 Jul 05 2012 09:45:15 305013 monitoringsystem Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?
View 1 Replies
View Related
May 11, 2012
I asked a question recently about accessing camera via a smartphone but I realize that's not really the correct question. The smartphone works fine locally with wifi and has a browser available.
The real question I have is what is the easiest way to access any camera via a browser from a remote location. Years ago tech friend assisted me access my DCS-910 using dyndns.org. It was free and worked great. I guess it went away when they started charging for a basic account.
Is there an easy way to access a camera without using dyndns even if it involves putting in an IP address instead of a convenient domain name? I would just like to see at least one of my cameras in a browser off-site. If I have to pay $20/year for dyndns I can but I would prefer not to if possible.
View 2 Replies
View Related
Jul 20, 2011
I have this problem with the Polycom Video Conferencing (HDX 7000) While we can initiate a video call to other locations, we can not receive a video call from other locations. Whenever there is a incoming call, the polycom is ringing fine. but once we answer the call, the call will be disconnected. Our access rules are listed below, 203.125.99.99 is our public IP for example.
View 1 Replies
View Related
Apr 19, 2012
I have a camera set up in my kitchen and it works and I can view it in our house, on other computers or my iphone. But I can't view it from my work or anywhere outside our wireless range.It is a DCS-920. I have opened port 80, and checked it with a port checker and it says its open. I have bell as a provider with a 2 wire 2701hg-g modem.I read on here about someone else not having a gateway address or primary DNS. I don't know what to put in there. My camera address is 192.168.2.20.
View 4 Replies
View Related
Aug 19, 2012
I am trying to set up a Cisco ASA 5510 running 8.2 to allow a connection to a Polycom camera that sits behind it. What I want to do is forward multiple ports to allow a connection from an outside office. The polycom camera uses the following ports:
1720 tcp
3230-3235 tcp
3230-3253 udp
I got these port numbers from the Polycom web site. So what I did was create a service object as follows:
object-group service All-Polycom-ports
service-object tcp range 3230 3235
service-object tcp eq h323
service-object udp range 3230 3253 My question is how can I use this service object in a static (inside,outside)
command so that I don't have to create multiple commands for the port forwarding. Is this even possible or do I have to sit down and write out around 30 seperate commands to do this. I've been searching the web and it seems a lot of people want to do this but so far I haven't found an answer.
View 3 Replies
View Related
Dec 26, 2010
Running FWSM Firewall Version 3.1(4)
The problem is that calls originating from the outside of the firewall to the inside will ring but you cannot answer. The internal video conference server is a Polycom HDX 7000. There are ANY/ANY rules to/from this server and the default application inspection policy is set for h323/ras/h225 as follows:
[code]...
View 2 Replies
View Related
Oct 19, 2010
my client wants to make videoconference call thorugh Microsoft Office Communicator, this should be operating between host from one site to another one, but we already configured some rules in the firewalls, and making some test I see that the videoconference use dynamic ports (1024 to 65535) and if we let to operate the videoconference we should remove all the rules in the firewall and that's not the point.
View 6 Replies
View Related
May 21, 2011
We're upgrading our network (formerly 1 router, 1 outdoor antenna, and 1 router converted to a repeater) to provide wireless coverage for our members at a small beach club. To save money, our usual electrician will be running all the cabling for added antennas and repeaters; the networking guy will then do the terminations and hook up the equipment he's determined will work best for us. I'm supposed to order 1000' of cat 6 cable for the electrician to use, but I didn't realize there were so many options - I need to order the cable asap (i.e. today!), and neither the electrician or network guy are available over the weekend. The cable will be run from our office to our front gate, and to several outbuildings; buried underground for most of the first case, and run along the outside of and through several shed-like wooden structures in the other cases. The longest run will be about 250'. Because of our location the unburied cable would be exposed to salt air, sun, wind and rain, so I'm assuming it'll be run through plastic conduit or something where it needs to be outside.Do I want regular cat 6 or cat 6a? Double PVC shielded, gel-filled flooded, shielded mylar foil, or something I haven't yet run across?
View 1 Replies
View Related
Mar 9, 2012
Have a site that has a 1522 installed. I need to add two new outdoor AP's. Would the 1550 work along with the 1522 or would I have to replace it?
View 2 Replies
View Related
Feb 4, 2013
We currently have some LAP1242AG AP's meshed together inside our building.The owner (without consulting IT) was able to aquire some LAP1510AG's that he want's to deploy for outdoor use.Can they be meshed into our current network without having to cable one of the 1510's to the network?
View 1 Replies
View Related
Jul 29, 2011
I am installing 60 meters of overhead telephone cables between two buildings. which is better cat5 or cat 6 in terms of durability?
View 3 Replies
View Related
Mar 17, 2011
What is the difference between Indoor and Outdoor WiFi?
View 1 Replies
View Related
Jul 30, 2012
I've been tasked with providing wireless coverage for an outdoor courtyard. The wireless that bleeds out into the courtyard is minimal for both 2.4 and 5 Ghz bands. I'm thinking a 3502p mounted just inside the wall hooked to a ANT25137NP-R patch antenna mount on an exterior wall. The red line on the wall will represent the antenna mounted on the wall. This will be providing coverage for phones on 5Ghz and general devices on 2.4.
View 5 Replies
View Related
Dec 30, 2012
My problem ist that i have 4 air-cap-1552e APs witch are powerde trugh Power Injectors. They worked fine for a few days but then the controller (7.2.111.3) lose connection to them. Right now i have only one Joined AP. The other 3 are status not joined. I can Ping all 4 Aps and wifi clients are connected through them.
View 8 Replies
View Related
