So this seems like a very bad idea to me, but I am not the sharpest one when it comes to port forwarding. This was done by a consultant for our company. The camera system needs to be viewable from outside the network and is not Meraki. Currently the settings are as below.
Uplink: Both
Protocol:TCP
Public Port: 1-65000
Local Port: 80
Allowed remote IPs: any
The cameras are accessed by multiple people who are remote and travel a lot; specifying IPs is not practical, and they are against using a VPN for this because some are not domain users.
My questions are around the public port. With it like this, isn't it a rather large security risk, allowing anything going to the public IP on almost any port straight through the firewall? And wouldn't it be directing all the traffic from outside directly to the camera?
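As an added illustration (not part of the original thread and not a Meraki tool), the following audit script models the rule shape quoted above and flags the two properties the question is worried about: a public port range far wider than the single local port it feeds, and "any" as the allowed remote source. The rule fields, the two constructed sample rules (the consultant's original and a single-port version), the 10.0.0.20 address and the severity labels are all assumptions for the example; only the port range, local port, protocol, uplink and "any" source come from the post.

```python
"""Audit port-forwarding rules for over-wide public port ranges and open sources.

Added example, not code from the forum thread or from Meraki.
"""
from dataclasses import dataclass, field

MAX_PORT = 65535


@dataclass
class ForwardRule:
    name: str
    uplink: str              # "Internet 1", "Internet 2" or "Both"
    protocol: str            # "TCP", "UDP" or "Both"
    public_port: str         # single port "80" or a range "1-65000"
    lan_ip: str              # internal host the traffic is sent to (assumed value below)
    local_port: str
    allowed_ips: list = field(default_factory=lambda: ["any"])


def port_span(spec: str) -> tuple[int, int]:
    """Parse "80" or "1-65000" into (low, high), validating the bounds."""
    parts = spec.split("-", 1)
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"invalid port spec {spec!r}")
    return lo, hi


def exposed_port_count(spec: str) -> int:
    lo, hi = port_span(spec)
    return hi - lo + 1


def audit_rule(rule: ForwardRule) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one rule.

    Severity labels are an assumption of this example, not a vendor rating.
    """
    findings = []
    n = exposed_port_count(rule.public_port)
    any_source = any(ip.lower() == "any" for ip in rule.allowed_ips)

    if n > 1 and any_source:
        findings.append(("high",
            f"{rule.name}: {n} public ports ({rule.public_port}/{rule.protocol}) "
            f"reachable from any source on uplink {rule.uplink}; narrow to the "
            f"one port the service on {rule.lan_ip} actually listens on"))
    elif n > 1:
        findings.append(("medium",
            f"{rule.name}: {n} public ports forwarded; sources are restricted, "
            f"but the range is still wider than the service needs"))
    elif any_source:
        findings.append(("info",
            f"{rule.name}: single port {rule.public_port} open to any source; "
            f"acceptable only if the service on {rule.lan_ip}:{rule.local_port} "
            f"is patched and requires authentication"))

    # A public range that is larger than the local range means every extra
    # public port is steered at the same internal port, as the question suspects.
    if exposed_port_count(rule.local_port) != n:
        findings.append(("info",
            f"{rule.name}: public range ({n} ports) and local port "
            f"{rule.local_port} differ in size; confirm what the extra public "
            f"ports are mapped to"))
    return findings


# Constructed sample rules mirroring the thread. 10.0.0.20 is an assumed address.
CONSULTANT_RULE = ForwardRule("cameras-as-configured", "Both", "TCP",
                              "1-65000", "10.0.0.20", "80", ["any"])
TRIMMED_RULE = ForwardRule("cameras-trimmed", "Both", "TCP",
                           "80", "10.0.0.20", "80", ["any"])

if __name__ == "__main__":
    for rule in (CONSULTANT_RULE, TRIMMED_RULE):
        for severity, msg in audit_rule(rule):
            print(f"[{severity}] {msg}")
```

Run as-is to see the original rule flagged as high (65000 public ports from any source, all pointed at one local port) and the trimmed rule reduced to an informational note about the single port still being open to any source, which is the residual risk once the range is narrowed.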
Hi @TimBisel,
I would agree that this wouldn't be my ideal setup, albeit I'm sure it gets the job done...
Do they need access to each individual camera externally? Or are they only accessing an NVR that all of the cameras are connected to? If it's the latter, you should only have to specify a single IP for the NVR. You would also want to identify what public port needs to be opened and narrow the exposure to that device. Probably could be found in the configuration of the NVR.
At that point you'd be better off doing a 1:1 NAT and only letting port 80 through. But if they'd need to NAT any of those other ports to something else, it'd be a waste. Seems lazy to me. It would be far more secure to only map through the ports it needs.
Thanks guys. I am new at the company and still need to build trust. I was able to convince him to let me trim it down to the one needed port. It connects back to a server, so I was able to do it with just one port.
@TimBisel wrote: "Thanks guys. I am new at the company and still need to build trust. I was able to convince him to let me trim it down to the one needed port. It connects back to a server, so I was able to do it with just one port."
Nice work, you've done your security deed for the day.