Meraki

Community

Public Port - Port forwarding 1-65000

Solved
TimBisel
Getting noticed
‎Jul 19 2018 9:13 AM
‎Jul 19 2018 9:13 AM

Public Port - Port forwarding 1-65000

So this seems like a very bad idea to me. But I am not the sharpest one when it comes to port forwarding. This was done from a consultant for our company. Camera system needs to be view able from outside network and is not meraki. But currently settings are like below.

 

Uplink: Both

Protocol:TCP

Public Port: 1-65000

Local Port: 80

Allowed remote IP's: any

 

Cameras are accessed my multiple people who are remote and travel a lot, specifying IP's is not practical and they are against VPN to do this because some are note domain users.

 

My questions are around Public port. With it like this, isn't it a rather large security risk allowing anything going to the public IP on almost any port straight through the firewall? And wouldn't it be directing all the traffic from outside directly to the camera?

0 Kudos
1 Accepted Solution
WadeAlsup
A model citizen
‎Jul 19 2018 9:46 AM
‎Jul 19 2018 9:46 AM

Hi @TimBisel

 

I would agree that this wouldn't be my ideal setup, albeit I'm sure it gets the job done...

 

Do they need access to each individual camera externally? Or are they only accessing an NVR that all of the cameras are connected to? If it's the latter, you should only have to specify a single IP for the NVR. You would also want to identify what public port needs to be opened and narrow the exposure to that device. Probably could be found in the configuration of the NVR. 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

View solution in original post

4 Replies 4
WadeAlsup
A model citizen
‎Jul 19 2018 9:46 AM
‎Jul 19 2018 9:46 AM

Hi @TimBisel

 

I would agree that this wouldn't be my ideal setup, albeit I'm sure it gets the job done...

 

Do they need access to each individual camera externally? Or are they only accessing an NVR that all of the cameras are connected to? If it's the latter, you should only have to specify a single IP for the NVR. You would also want to identify what public port needs to be opened and narrow the exposure to that device. Probably could be found in the configuration of the NVR. 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
In response to WadeAlsup
Adam
Kind of a big deal
‎Jul 19 2018 10:23 AM
‎Jul 19 2018 10:23 AM

At that point you'd be better to do a 1:1 NAT and only let port 80 through.  But if they'd need to NAT any of those other ports to something else it'd be a waste.  Seems lazy to me.  Would be far more secure to only map through the ports it needs.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
TimBisel
Getting noticed
‎Jul 19 2018 11:41 AM
‎Jul 19 2018 11:41 AM

Thanks guys I am new at company and still need to build the trust in. Was able to convince him to let me trim it down to the one needed port. It connects back to a server so I was able to do it with just one port.

In response to TimBisel
Adam
Kind of a big deal
‎Jul 19 2018 1:16 PM
‎Jul 19 2018 1:16 PM

@TimBisel wrote:

Thanks guys I am new at company and still need to build the trust in. Was able to convince him to let me trim it down to the one needed port. It connects back to a server so I was able to do it with just one port.

Nice work, you've done your security deed for the day. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.