Publishing a TCP port from a remote subnet to the internet in Cisco 877

Haitham Kassas
Level 1

Hello experts,

We have a Cisco 877 router. The DSL interface has two working ATM interfaces: one is connecting to the internet using a dynamic IP, the other is connecting to six branches. The router is performing NAT on the internet interface. The internal IP address of the router is 192.168.0.1. Branch subnets are 192.168.x.0 where x is 1, 2, 3, 4, 5 and 6.


We have an IP camera in each branch which should be accessed from the internet. The IP addresses of the cameras are 192.168.2.5, 192.168.3.5, 192.168.4.5, etc., and they can be accessed using their webpages on port 80.


I want to publish port 80 of 192.168.2.5 to the internet using port 9280, and port 80 of 192.168.3.5 to the internet using port 9380, etc., so internet users will be able to access the cameras using these addresses:

http://ourdomain.dyndns.org:9280

http://ourdomain.dyndns.org:9380



Here is the running configuration of the router, I have tried to configure NAT as shown below, but it didn't work. It seems that I have missed some configuration. Currently server 192.168.0.2 which is in the head office is published well using ports 3389, 1723 and 443. But I am unable to access the camera http://192.168.2.5:80 from the outside using http://ourdomain.dyndns.org:9280


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Bgibiz_Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool test
   network 192.168.0.0 255.255.255.0
   dns-server 195.226.228.72
   default-router 192.168.0.1
!
!
ip name-server 195.226.228.72
ip name-server 195.226.228.74
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description ***DATA***
 ip address 172.16.1.2 255.255.255.252
 pvc 8/80
  encapsulation aal5snap
 !
!
interface ATM0.2 point-to-point
 description ***Internet***
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxx
 ppp chap password 0 xxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 172.16.1.1
!
no ip http server
no ip http secure-server
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.5 80 interface Dialer0 9280 ## I have just added this
!
access-list 2 permit 192.168.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxxx
 login
!
scheduler max-task-time 5000
end



Any help in configuring that?

1 Reply

Dennis Mink
VIP Alumni

Haitham,

Your statement:

"ip nat inside source static tcp 192.168.2.5 80 interface Dialer0 9280 ## I have just added this"

seems correct; this translates all traffic sourcing from 192.168.2.5 hitting your router on port 80 into the Dialer0 IP address port 9280, so that is what you want.

To confirm this you can do

show ip nat translation and run debug ip nat, while hitting the dialer on port 9280

That should at least confirm that NAT is doing what it is supposed to do.

Also, have you verified routing? In other words, can you ping 192.168.2.5? Would the camera be routed back to the router that has provided the NAT?

Please remember to rate useful posts, by clicking on the stars below.
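
The routing question raised in the reply can also be checked offline against the posted configuration. The following is an added example, not code from the thread: it parses an excerpt of the configuration above and, for each static NAT rule, reports which interface the router uses to reach the inside host and whether that interface is marked `ip nat inside` (IOS translates only between interfaces marked inside and outside). The function names `parse`, `egress` and `audit` are illustrative.

```python
import ipaddress
import re

# Excerpt of the running configuration posted in the question ("!" separators dropped).
CONFIG = """\
interface ATM0.1 point-to-point
 ip address 172.16.1.2 255.255.255.252
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 172.16.1.1
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.5 80 interface Dialer0 9280
"""

def parse(config):
    """Return (interfaces, static routes, static NAT rules) from IOS config text."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            cur = ifaces.setdefault(w[1], {"net": None, "nat": None})
        elif w[:2] == ["ip", "address"] and len(w) == 4:   # skips "negotiated"
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["ip", "nat"] and line.startswith(" "):
            cur["nat"] = w[2]                              # "inside" or "outside"
    routes = [(ipaddress.ip_network(f"{d}/{m}"), hop) for d, m, hop in
              re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M)]
    nats = re.findall(r"^ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)", config, re.M)
    return ifaces, routes, nats

def egress(ip, ifaces, routes, depth=0):
    """Longest-prefix match over connected and static routes; returns an interface name."""
    table = [(i["net"], name) for name, i in ifaces.items() if i["net"]] + routes
    hits = [(net.prefixlen, hop) for net, hop in table if ipaddress.ip_address(ip) in net]
    hop = max(hits, key=lambda h: h[0])[1] if hits and depth < 5 else None
    return hop if hop is None or hop in ifaces else egress(hop, ifaces, routes, depth + 1)

def audit(config=CONFIG):
    """Per static NAT rule: (interface toward the inside host, is it 'ip nat inside'?)."""
    ifaces, routes, nats = parse(config)
    via = {host: egress(host, ifaces, routes) for host, _, _ in nats}
    return {f"{h}:{lp}->{gp}": (via[h], ifaces.get(via[h], {}).get("nat") == "inside")
            for h, lp, gp in nats}

if __name__ == "__main__":
    print(audit())
```

On the posted configuration, 192.168.0.2 is reached through Vlan1, which is marked inside, while 192.168.2.5 is reached through ATM0.1, which carries no `ip nat` statement.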
