10-31-2013 09:21 AM - edited 03-04-2019 09:28 PM
Hello,
I'm having an issue with a home office employee who we set up with a Cisco 881. Before we installed their 881, she had Foscam cameras at her house connecting to her ISP provided wireless router. The cameras connect wirelessly and she set up port forwarding on the wireless router to access them while outside of her network.
Her new setup is like this:
CISCO 881 > LINKSYS E2500 > Foscam Cameras
She has port forwarding set up on the Linksys E2500 and can access the cameras while on her wireless network. However, when she tries to connect to her public IP using the assigned port numbers, it fails.
I have added the following NAT statements to the Cisco router:
ip nat inside source static tcp 172.X.X.X 3417 interface Dialer 10 3417
ip nat inside source static tcp 172.X.X.X 3418 interface Dialer 10 3418
I figured since the cameras are connected to the wireless network, I would need to create the statement to port forward to the wireless router (the 172.X.X.X address). However, this is not working. What am I missing to make this work?
Thanks!
10-31-2013 10:02 AM
What is the "wan" side address for the Linksys? That's the address that you should be forwarding to...
Which device is natting: Cisco or Linksys?
HTH,
John
*** Please rate all useful posts ***
10-31-2013 10:29 AM
Hi John,
The "wan" address for the Linksys is the 172.X.X.X address specified in the nat translation rule listed above.
Both devices are technically natting:
ISP Provided Address > Cisco Router (private network is 172.X.X.X) > Linksys Router (172.X.X.X WAN address, 192.X.X.X LAN address for camera).
Thanks!
10-31-2013 12:12 PM
Can you ping the internal cameras from the Cisco? Here's what I would do. Disable nat, if possible, on the Linksys. Put a static route in the Cisco pointing the 192.x.x.x subnet to the Linksys wan interface. After you do this, you should be able to change your router to nat the 192.x.x.x address instead of the 172.x.x.x address and having to manage two different devices.
HTH,
John
*** Please rate all useful posts ***
10-31-2013 02:04 PM
I cannot. I added a static route on the 881:
ip route 192.168.1.0 255.255.255.0 172.20.16.1
No response when I attempt to ping from the router.
10-31-2013 02:08 PM
So, your Linksys wan address is 172.20.16.1 and the Linksys lan is 192.168.1.0/24. Are you saying that you cannot disable nat on the linksys?
HTH,
John
*** Please rate all useful posts ***
10-31-2013 02:15 PM
The Linksys router is not my company's so I do not have access to its setup. When you say disable nat, are you referring to turning off DHCP on the Linksys and passing that function onto the 881?
10-31-2013 02:28 PM
No, dhcp can stay on the Linksys, but you need to disable nat on it. So, let's go back to the original problem. From what I understand you have a public address on the Cisco router wan interface, and a 172.20.x.x address on the lan side, and it's configured for nat. The Linksys has a 172.20.x.x address on the wan side, and a 192.168.x.x address on the lan side. The cameras are on the 192.168.x.x subnet. Were they originally, and probably still are, natted to a 172.20.x.x address before you put the Cisco router in, or were they natted to a public address that the Linksys had? Technically, when the request comes into the Dialer interface to connect to the camera, you're going to forward that request to the Linksys wan interface (unless you have other addresses associated to the camera). The Linksys should see the traffic on the wan side coming in on 3417 and 3418. The camera will get the traffic after the Linksys forwards it to the camera. The camera's default gateway should be configured for the Linksys router and has no idea of its wan address.
Can you post the rest of the Cisco config? The dialer interface, lan/vlan interface, and the acls for the nat configuration?
The easiest thing to do is disable nat on the Linksys. Can you have the person that owns it get you into it?
10-31-2013 03:42 PM
Your assessment is correct. Previously, they were natted to a public address that the Linksys had. Now it is natting to a 172.20.X.X address which in turn is natted to the public IP. I can work with them to turn off natting.
Here is the pertinent information in the config:
interface Tunnel0
 ip address X.X.X.X 255.255.255.0
 ip access-group 110 out
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 211
 ip nhrp holdtime 360
 ip nhrp nhs X.X.X.X
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer10
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1 shared
!
interface Tunnel1
 ip address X.X.X.X 255.255.255.0
 ip access-group 110 out
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 212
 ip nhrp holdtime 360
 ip nhrp nhs X.X.X.X
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 delay 2000
 tunnel source Dialer10
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile SDM_Profile1 shared
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 description DMZ for Home Internet Access
 switchport access vlan 172
 no ip address
!
interface FastEthernet4
 description External Internet Connection
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface Vlan1
 ip address X.X.X.X 255.255.255.0
 ip access-group 121 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan172
 ip address 172.20.16.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer10
 bandwidth 100000
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 10
 dialer-group 10
 ppp authentication pap chap callin
 ppp chap hostname XXXX
 ppp chap password 0 XXXX
 ppp pap sent-username XXXX
 no cdp enable
 hold-queue 224 in
 exit
!
ip nat inside source list 20 interface Dialer10 overload
ip nat inside source list 30 interface Dialer10 overload
ip nat inside source static tcp 172.20.16.1 3417 interface Dialer10 3417
ip nat inside source static tcp 172.20.16.1 3418 interface Dialer10 3418
10-31-2013 04:31 PM
Are you allowing 3417 and 3418 through your 120 acl?
HTH,
John
*** Please rate all useful posts ***
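The question John raises here (does the inbound ACL on the `ip nat outside` interface actually permit the forwarded ports?) is easy to get wrong by eye, because the static NAT lines, the interface's `ip access-group ... in` and the ACL entries live in three different places of the config. The following Python script is an added example, not code from the thread or from Cisco: it parses a running-config excerpt in the same shape as the one posted above, pairs each `ip nat inside source static tcp ... interface X` entry with the inbound ACL on interface X, and walks that ACL in order to report whether the forwarded port is permitted. The config it runs on is constructed; the thread never shows access-list 120, so the two ACEs here are hypothetical. Address fields are not modelled (only `any any` entries), named or extended-address ACLs are out of scope, and sub-commands must be indented IOS-style.

```python
import re

# Constructed config excerpt in the shape of the one posted in the thread.
# access-list 120 is hypothetical: the thread never shows its contents.
SAMPLE_CONFIG = """
interface Vlan172
 ip address 172.20.16.254 255.255.255.0
 ip nat inside
!
interface Dialer10
 ip address negotiated
 ip access-group 120 in
 ip nat outside
 ip inspect FIREWALL out
!
ip nat inside source static tcp 172.20.16.1 3417 interface Dialer10 3417
ip nat inside source static tcp 172.20.16.1 3418 interface Dialer10 3418
access-list 120 permit tcp any any eq 3417
access-list 120 deny ip any any log
"""

STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
# Only 'any any' style address fields are handled; the optional 'eq <port>'
# and trailing 'log' are the parts that matter for this check.
ACE_RE = re.compile(
    r"^access-list (\d+) (permit|deny) (\S+) (.+?)(?: eq (\d+))?(?: log)?$")


def parse_config(text):
    """Return (interfaces, static_nats, acls) from a running-config excerpt."""
    interfaces = {}   # name -> {"acl_in": acl number or None, "nat": inside/outside/None}
    static_nats = []  # (proto, inside_ip, inside_port, global_iface, global_port)
    acls = {}         # acl number -> ordered list of (action, proto, port or None)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"acl_in": None, "nat": None}
            continue
        if current and raw.startswith(" "):
            # Indented line: a sub-command of the current interface.
            parts = line.split()
            if parts[:2] == ["ip", "access-group"] and parts[-1] == "in":
                interfaces[current]["acl_in"] = parts[2]
            elif parts[:2] == ["ip", "nat"]:
                interfaces[current]["nat"] = parts[2]
            continue
        current = None  # back at global configuration level
        m = STATIC_NAT_RE.match(line)
        if m:
            proto, ip, iport, ifname, oport = m.groups()
            static_nats.append((proto, ip, int(iport), ifname, int(oport)))
            continue
        m = ACE_RE.match(line)
        if m:
            number, action, proto, _addrs, port = m.groups()
            acls.setdefault(number, []).append(
                (action, proto, int(port) if port else None))
    return interfaces, static_nats, acls


def acl_verdict(aces, proto, port):
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for action, ace_proto, ace_port in aces:
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
    return "deny"


def check_static_nat(text):
    """Map each forwarded 'proto/port' to whether the outside ACL lets it in."""
    interfaces, static_nats, acls = parse_config(text)
    report = {}
    for proto, _ip, _iport, ifname, oport in static_nats:
        key = f"{proto}/{oport}"
        iface = interfaces.get(ifname)
        if iface is None:
            report[key] = f"interface {ifname} not found"
        elif iface["nat"] != "outside":
            report[key] = f"{ifname} is not 'ip nat outside'"
        elif iface["acl_in"] is None:
            report[key] = "permitted (no inbound ACL)"
        else:
            verdict = acl_verdict(acls.get(iface["acl_in"], []), proto, oport)
            report[key] = ("permitted" if verdict == "permit"
                           else f"denied by access-list {iface['acl_in']}")
    return report


if __name__ == "__main__":
    for port, status in check_static_nat(SAMPLE_CONFIG).items():
        print(f"{port}: {status}")
```

On the constructed config the script reports tcp/3417 as permitted and tcp/3418 as denied by access-list 120, which is exactly the kind of mismatch the question above is probing for. Run it against a full `show running-config` and every forwarded port that the outside ACL silently drops shows up at once, which is also a useful inventory of what the router is exposing to the Internet.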
10-31-2013 04:43 PM
Yes I am. I even tried it with the acl removed. No such luck.
10-31-2013 04:47 PM
Hmm.. what about telnetting to that port from the Cisco router. Try from the cisco "telnet 172.20.16.1 3417". If it times out, there's something going on with the Linksys. If it states that it's open, then try removing the acl and the cbac configuration (ip inspect) from the interface of the dialer.
HTH,
John
*** Please rate all useful posts ***
11-01-2013 01:25 PM
Hi John,
No go on the telnetting. I had my colleague connect her camera directly to a port on the 172 network, I changed the ip nat statements to reflect the new 172 address and we were still unsuccessful. Could it be something on the cbac configuration on the dialer interface that is preventing this from working?
11-01-2013 01:38 PM
Hi,
However, when tries to connect to her public IP using the assigned port numbers, it fails.
From where is she doing this? If this is from the inside then it is normal behaviour as Cisco routers don't do nat hairpinning with regular NAT but they do with NVI NAT (ip nat enable command under the interface instead of ip nat inside and ip nat outside, AND ip nat source instead of ip nat inside source).
Regards
Alain
Don't forget to rate helpful posts.
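Alain's point about hairpinning is the one thing in this thread that no amount of ACL or CBAC removal will fix, so it is worth seeing mechanically. The Python model below is an added example, not code from the thread or from Cisco: it models only the destination lookup of a static port forward on a router with two interfaces in the shape of the 881 above. In "classic" mode (`ip nat inside` / `ip nat outside`) the static entry is consulted only for traffic entering the outside interface, so a LAN host connecting to the public address reaches the router itself and the connection is refused; in "nvi" mode (`ip nat enable` on both interfaces) the entry is consulted on any NAT-enabled interface and the packet is turned back out to the Linksys WAN address. The topology and addresses are constructed (203.0.113.10 and 198.51.100.7 are documentation-range placeholders for the real public addresses); source-address translation on the return path and the dynamic overload rules are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Minimal model of where IOS consults a static TCP port forward.

    mode 'classic': interfaces are 'inside' or 'outside' (ip nat inside/outside)
    mode 'nvi':     interfaces are 'enable' (ip nat enable, NAT Virtual Interface)
    """

    def __init__(self, mode, default_iface):
        assert mode in ("classic", "nvi")
        self.mode = mode
        self.default_iface = default_iface
        self.ifaces = {}   # name -> (address, connected network, nat role)
        self.static = []   # (inside_ip, inside_port, global_iface, global_port)

    def add_interface(self, name, address, prefixlen, role):
        net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
        self.ifaces[name] = (address, net, role)

    def add_static_tcp(self, inside_ip, inside_port, global_iface, global_port):
        # equivalent of: ip nat inside source static tcp <ip> <port> interface <if> <port>
        self.static.append((inside_ip, inside_port, global_iface, global_port))

    def route(self, dst):
        ip = ipaddress.ip_address(dst)
        for name, (_, net, _) in self.ifaces.items():
            if ip in net:
                return name
        return self.default_iface

    def _translate_dst(self, pkt):
        for inside_ip, inside_port, giface, gport in self.static:
            if pkt.dst == self.ifaces[giface][0] and pkt.dport == gport:
                return replace(pkt, dst=inside_ip, dport=inside_port)
        return None

    def forward(self, in_iface, pkt):
        """Return ('forwarded', out_iface, packet) or ('local', None, packet)
        when the packet terminates on the router itself."""
        role = self.ifaces[in_iface][2]
        if self.mode == "classic":
            # Classic NAT looks up the destination only for traffic that enters
            # an outside interface; inside-to-inside traffic is never translated.
            translated = self._translate_dst(pkt) if role == "outside" else None
        else:
            # NVI consults the entry on any NAT-enabled interface, so a LAN host
            # hitting the global address is hairpinned back to the inside host.
            translated = self._translate_dst(pkt) if role == "enable" else None
        if translated is not None:
            pkt = translated
        # The router owns its interface addresses: an untranslated packet to one
        # of them is delivered locally, where nothing listens on the camera port.
        if any(pkt.dst == addr for addr, _, _ in self.ifaces.values()):
            return ("local", None, pkt)
        return ("forwarded", self.route(pkt.dst), pkt)


def build_router(mode):
    """Constructed topology mirroring the thread: Dialer10 with a placeholder
    public address, Vlan172 = 172.20.16.0/24, Linksys WAN = 172.20.16.1."""
    r = NatRouter(mode, default_iface="Dialer10")
    outside_role = "outside" if mode == "classic" else "enable"
    inside_role = "inside" if mode == "classic" else "enable"
    r.add_interface("Dialer10", "203.0.113.10", 32, outside_role)
    r.add_interface("Vlan172", "172.20.16.254", 24, inside_role)
    r.add_static_tcp("172.20.16.1", 3417, "Dialer10", 3417)
    return r


def from_internet(mode):
    """An outside client connecting to the public address on port 3417."""
    pkt = Packet("198.51.100.7", 50000, "203.0.113.10", 3417)
    return build_router(mode).forward("Dialer10", pkt)


def from_lan_to_public_ip(mode):
    """A host on the 172.20.16.0/24 LAN testing the public address: the hairpin case."""
    pkt = Packet("172.20.16.50", 50001, "203.0.113.10", 3417)
    return build_router(mode).forward("Vlan172", pkt)


if __name__ == "__main__":
    for mode in ("classic", "nvi"):
        print(mode, "internet ->", from_internet(mode))
        print(mode, "lan      ->", from_lan_to_public_ip(mode))
```

The practical consequence for troubleshooting is the one Alain gives: a test "from inside" against the public IP proves nothing about the port forward on a classic-NAT 881, so the check has to be run from a host outside the Dialer10 side (or the router converted to NVI). The model also makes the exposure explicit: every static entry that forwards from the Internet is a service reachable by anyone, so the inbound ACL on the outside interface should permit only the sources that need it.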
11-01-2013 01:59 PM
For troubleshooting, you could remove the acl and the cbac config. If the camera was working properly, you should have been able to leave the camera on the 192.x.x.x subnet and telnet to the 172.x.x.x address that's on the Linksys interface on that port and get a response. I doubt your cbac config is blocking that because it would be going out of your other interface. By chance, have you rebooted the Linksys after making your address changes from public to private? I'm wondering if the Linksys is somehow thinking that the camera's address is still tied to a public address on the Linksys even though you changed it to a private.
HTH,
John
*** Please rate all useful posts ***