08-26-2013 12:36 PM - edited 03-04-2019 08:52 PM
Hi all,
I am currently working on a DVR issue. The objective is to allow internet users to access the DVR by port forwarding (using http://12.12.12.12:8888).
However, I am facing some issues.
First of all, I tried the config below. With this config, I was able to access the GUI of the DVR but unable to view the CCTV after I accessed the DVR.
=======================================
ip nat inside source static tcp 192.168.0.11 12.12.12.12 8888 extendable
=======================================
Then I read some forums and found some other ideas. Some people suggest using a route-map, as the DVR requires some other ports to operate. With this config, I was able to view the CCTV with http://12.12.12.12:8888, but it doesn't seem to be a correct config.
This is because internet users can view the CCTV even without using the port number (http://12.12.12.12/). I tried to modify the access-list and found that the access-list is not functioning in this config. Even if I permit nothing and use "deny ip any any", users can still view the CCTV.
=======================================
access-list 100 permit tcp 192.168.0.11 any
ip nat inside source static tcp 192.168.0.11 12.12.12.12 8888 extendable
ip nat inside source static 192.168.0.11 12.12.12.12 route-map DVR extendable
route-map DVR permit 10
match ip address 100
=======================================
Now, I am using another config, as suggested by some other people in another forum. I can view the CCTV using http://12.12.12.12/ with this config, but no matter how I modify the access-list, I cannot prevent internet users from accessing the CCTV using http://12.12.12.12/.
Besides, I cannot access the CCTV with http://12.12.12.12:8888/. It seems that this configuration maps the WAN IP address to the internal IP address with the same port we use in the HTTP address, which means it will look for 192.168.0.11 port 8888 in this case.
=======================================
access-list 100 permit tcp any any
ip nat pool POOL1 192.168.0.11 192.168.0.11 netmask 255.255.255.0 type rotary
ip nat inside source destination list 100 pool POOL1
=======================================
Do you all have any idea how to solve the problem? Let's say the DVR needs port 554 and port 80 to function, do you all have any idea?
08-26-2013 01:02 PM
By the way, I am using a Cisco 1720 router.
08-27-2013 12:15 AM
Hi,
Try the static NAT below without any route map and ACL:
ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 80
ip nat inside source static tcp 192.168.0.11 554 12.12.12.12 554
ip nat inside source static tcp 192.168.0.11 8888 12.12.12.12 8888
08-27-2013 03:06 AM
Hi John,
Thanks for the reply. But this will still violate the objective as it will allow internet users to access the DVR via http://12.12.12.12/.
Regards,
Kerk
08-27-2013 10:25 PM
Try this:
ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 8888
It will forward traffic from internet facing port 8888 to internal port 80.
Regards,
Mike
Sent from Cisco Technical Support Android App
08-28-2013 06:38 AM
Thanks Mike for your reply.
I tried this. I was able to reach the DVR login page, but unable to view the CCTV after I logged in.
With the route-map it is working, but I don't want http://12.12.12.12/ (port 80) to be accessible.
Any suggestion on how I should modify my route-map or what configuration I should do?
By the way, the access-list for the route-map doesn't seem to be working. Even with a deny all statement, I can view the CCTV.
08-28-2013 10:23 AM
Kerk,
The route map isn't, and shouldn't be, used to restrict access from specific hosts on the internet. That should be done via an access-list or zone-based firewall on your router.
That being said, the NAT statement I provided should work. The only caveat is that the DVR, upon logging in, might be requesting the CCTV feed via a different port. If that is the case, that port will need to be forwarded through the firewall as well.
The NAT statement I provided you will forward any traffic destined for port 8888 at IP address 12.12.12.12 to port 80 on IP 192.168.0.11. This will work exactly the same as forwarding port 80 straight through, except it uses a different public facing port. Just make sure any internet facing access lists are permitting traffic accordingly.
Regards,
Mike
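An added example (not part of the original thread): a short Python check that reads static NAT statements like the ones posted above and lists which public ports each one exposes, so a host-wide mapping stands out next to the per-port forwards. The function names and the `allowed` set are assumptions made for illustration.

```python
import re

# Static NAT statements as posted in this thread, collected as sample input.
THREAD_CONFIG = """\
ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 8888
ip nat inside source static tcp 192.168.0.11 554 12.12.12.12 554
ip nat inside source static 192.168.0.11 12.12.12.12 route-map DVR extendable
"""

# Per-port forward: protocol, inside IP/port, public IP/port.
PORT_FWD = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")
# Host-wide mapping: inside IP and public IP only, no protocol or port.
HOST_NAT = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b")

def exposure(config):
    """Return rows of (proto, public_ip, public_port, inside_ip, inside_port).

    A host-wide static entry names no protocol or port, so it is reported as
    proto 'any' / port 'all', matching what the poster saw: the DVR answered
    on http://12.12.12.12/ as well as on port 8888.
    """
    rows = []
    for line in config.splitlines():
        line = line.strip()
        m = PORT_FWD.match(line)
        if m:
            proto, in_ip, in_port, pub_ip, pub_port = m.groups()
            rows.append((proto, pub_ip, int(pub_port), in_ip, int(in_port)))
            continue
        m = HOST_NAT.match(line)
        if m:
            in_ip, pub_ip = m.groups()
            rows.append(("any", pub_ip, "all", in_ip, "all"))
    return rows

def unintended(rows, allowed):
    """Rows whose (proto, public_port) pair is not in the allowed set."""
    return [r for r in rows if (r[0], r[2]) not in allowed]

if __name__ == "__main__":
    rows = exposure(THREAD_CONFIG)
    for r in rows:
        print("%s %s:%s -> %s:%s" % r)
    # Assumed intent: web UI on tcp/8888 and RTSP on tcp/554 only.
    for r in unintended(rows, {("tcp", 8888), ("tcp", 554)}):
        print("NOT INTENDED:", r)
```
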
08-28-2013 04:11 PM
Thanks Mike again for your advice.
According to the DVR description, RTSP (554) needs to be enabled to view the CCTV. But I tried several ways and it is still not working. Is the configuration below correct? Or any idea which other ports I need to enable to make the CCTV work?
================================
ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 8888
ip nat inside source static tcp 192.168.0.11 554 12.12.12.12 554
====================================
08-28-2013 04:57 PM
RTSP uses both TCP and UDP. Try adding a port forward for udp port 554. It's the same syntax as tcp, just replace the tcp keyword with udp.
Regards,
Mike
Sent from Cisco Technical Support Android App
08-28-2013 05:01 PM
Thanks Mike for your advice. But I tried that before, and it is not working....
I even tried TCP and UDP ports 8554 and 7070, as suggested by some other people in another forum.