Port forwarding for DVR

Kerk Chze Perng
Level 1

Hi all,

I am currently working on some DVR issue. The objective is to allow internet users to access DVR by port forwarding (using http://12.12.12.12:8888).

However, I am facing some issues.

First of all, I tried the config below. With this config, I was able to access the GUI of the DVR but unable to view the CCTV after I accessed the DVR.

=======================================

ip nat inside source static tcp 192.168.0.11 12.12.12.12 8888 extendable

=======================================

Then I read some forums and found some other ideas. Some people are suggesting to use a route-map, as the DVR requires some other ports to operate. With this config, I was able to view the CCTV with http://12.12.12.12:8888, but it doesn't seem to be a correct config.

This is because internet users can view the CCTV even without using the port number (http://12.12.12.12/). I tried to modify the access-list and I found out that the access-list is not functioning in this config. Even if I permit nothing and use "deny ip any any", users can still view the CCTV.

=======================================

access-list 100 permit tcp 192.168.0.11 any

ip nat inside source static tcp 192.168.0.11 12.12.12.12 8888 extendable

ip nat inside source static 192.168.0.11 12.12.12.12 route-map DVR extendable

route-map DVR permit 10

match ip address 100

=======================================

Now, I am using another config as suggested by some other people in another forum. I can view the CCTV using http://12.12.12.12/ with this config, but no matter how I modify the access-list, I cannot prevent internet users from accessing the CCTV using http://12.12.12.12/.

Besides, I cannot access CCTV with the http://12.12.12.12:8888/. It seems like with this configuration, it will map the WAN ip address to the internal ip address with the same port we use in the http address, which means it will look for 192.168.0.11 port 8888 in this case.

=======================================

access-list 100 permit tcp any any

ip nat pool POOL1 192.168.0.11 192.168.0.11 netmask 255.255.255.0 type rotary

ip nat inside destination list 100 pool POOL1

=======================================

Do you all have any idea how to solve the problem? Let's say the DVR needs port 554 and port 80 to function, do you all have any idea?

9 Replies

Kerk Chze Perng
Level 1

By the way, I am using Cisco 1720 router.

hi,

try static NAT below without any route map and ACL:

ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 80

ip nat inside source static tcp 192.168.0.11 554 12.12.12.12 554

ip nat inside source static tcp 192.168.0.11 8888 12.12.12.12 8888

Hi John,

Thanks for the reply. But this will still violate the objective as it will allow internet users to access the DVR via http://12.12.12.12/.

Regards,
Kerk

Mike Williams
Level 5

Try this:

ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 8888

It will forward traffic from internet facing port 8888 to internal port 80.

Regards,
Mike

Sent from Cisco Technical Support Android App

Thanks Mike for your reply.

I tried this, I was able to reach the DVR login page, but unable to view the cctv after I logged in.

With route-map it is working, but I don't want http://12.12.12.12/ (port 80) to be accessible.

Any suggestion how I should modify my route-map or what configuration I should do?

By the way, the access-list for the route-map doesn't seem to be working. Even with a deny all statement, I can view the CCTV.

Kerk,

The route map isn't, and should be used, to restrict access from specific hosts on the internet. That should be done via an access-list or zone-based firewall on your router.

That being said, the NAT statement I provided should work. The only caveat is that the DVR, upon logging in, might be requesting the CCTV feed via a different port. If that is the case, that port will need to be forwarded through the firewall as well.

The NAT statement I provided you will forward any traffic destined for port 8888 at IP address 12.12.12.12 to port 80 on IP 192.168.0.11. This will work exactly the same as forwarding port 80 straight through, except it uses a different public facing port. Just make sure any internet facing access lists are permitting traffic accordingly.

Regards,

Mike
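An added example, not part of any post in this thread: a small Python model of how the static NAT statements quoted above map inbound connections, which shows why a 1:1 `ip nat inside source static` entry leaves http://12.12.12.12/ reachable while per-port entries do not. The function names are hypothetical, and the model assumes port-specific entries take precedence and ignores `route-map` and `extendable` qualifiers.

```python
import re

# Constructed sample: static NAT statements quoted in this thread.
CONFIG = """\
ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 8888
ip nat inside source static tcp 192.168.0.11 554 12.12.12.12 554
ip nat inside source static 192.168.0.11 12.12.12.12 route-map DVR extendable
"""

PORT_FWD = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")
ONE_TO_ONE = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b")

def parse_static_nat(config):
    """Return (port_forwards, one_to_one) parsed from IOS static NAT lines."""
    forwards, one_to_one = [], []
    for line in config.splitlines():
        m = PORT_FWD.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            forwards.append((proto, gip, int(gport), lip, int(lport)))
            continue
        m = ONE_TO_ONE.match(line.strip())
        if m:  # route-map/extendable qualifiers are ignored by this model
            one_to_one.append((m.group(2), m.group(1)))  # (global, local)
    return forwards, one_to_one

def resolve(config, proto, gip, gport):
    """Inside (ip, port) an inbound packet to gip:gport maps to, or None."""
    forwards, one_to_one = parse_static_nat(config)
    for p, g, gp, lip, lport in forwards:
        if (p, g, gp) == (proto, gip, gport):
            return (lip, lport)
    for g, lip in one_to_one:
        if g == gip:
            return (lip, gport)  # port passes through unchanged
    return None

def audit(config, intended):
    """List mappings that expose more than the intended (proto, port) set."""
    forwards, one_to_one = parse_static_nat(config)
    findings = [f"{g} -> {l}: 1:1 static NAT, every port is translated"
                for g, l in one_to_one]
    findings += [f"{p}/{gp} on {g} -> {l}:{lp} is not in the intended set"
                 for p, g, gp, l, lp in forwards if (p, gp) not in intended]
    return findings
```

Running `audit(CONFIG, {("tcp", 8888), ("tcp", 554)})` reports only the 1:1 entry; restricting which internet hosts may reach the remaining forwarded ports is still the job of an access-list or zone-based firewall on the outside interface, as the reply above says.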

Thanks Mike again for your advice.

According to the DVR description, RTSP (554) needs to be enabled to view the CCTV. But I tried several ways and it is still not working. Is the configuration below correct? Or any idea which other ports I need to enable to make the CCTV work?

================================

ip nat inside source static tcp 192.168.0.11 80 12.12.12.12 8888

ip nat inside source static tcp 192.168.0.11 554 12.12.12.12 554

====================================

Mike Williams
Level 5

RTSP uses both TCP and UDP. Try adding a port forward for udp port 554. It's the same syntax as tcp, just replace the tcp keyword with udp.

Regards,
Mike


Sent from Cisco Technical Support Android App

Thanks Mike for your advice. But I tried before, not working....

I even tried with TCP and UDP port 8554 and 7070 as suggested by some other people in another forum.
