Setting Up NAT Port Forwarding on 881

jonathanw84
Level 1

Hello,

I'm having an issue with a home office employee who we set up with a Cisco 881. Before we installed their 881, she had Foscam cameras at her house connecting to her ISP provided wireless router. The cameras connect wirelessly and she set up port forwarding on the wireless router to access them while outside of her network.

Her new setup is like this:

CISCO 881 > LINKSYS E2500 > Foscam Cameras

She has port forwarding set up on the Linksys E2500 and can access the cameras while on her wireless network. However, when she tries to connect to her public IP using the assigned port numbers, it fails.

I have added the following NAT statements to the Cisco router:

ip nat inside source static tcp 172.X.X.X 3417 interface Dialer 10 3417

ip nat inside source static tcp 172.X.X.X 3418 interface Dialer 10 3418

I figured since the cameras are connected to the wireless network, I would need to create the statement to port forward to the wireless router (the 172.X.X.X address). However, this is not working. What am I missing to make this work?

Thanks!

15 Replies

John Blakley
VIP Alumni

What is the "wan" side address for the Linksys? That's the address that you should be forwarding to...

Which device is natting: Cisco or Linksys?

HTH,
John

*** Please rate all useful posts ***


Hi John,

The "wan" address for the Linksys is the 172.X.X.X address specified in the nat translation rule listed above.

Both devices are technically natting:

ISP Provided Address > Cisco Router (private network is 172.X.X.X) > Linksys Router (172.X.X.X WAN address, 192.X.X.X LAN address for camera).

Thanks!

Can you ping the internal cameras from the Cisco? Here's what I would do. Disable nat, if possible, on the Linksys. Put a static route in the Cisco pointing the 192.x.x.x subnet to the Linksys wan interface. After you do this, you should be able to change your router to nat the 192.x.x.x address instead of the 172.x.x.x address and having to manage two different devices.

HTH,
John

*** Please rate all useful posts ***


I cannot. I added a static route on the 881:

ip route 192.168.1.0 255.255.255.0 172.20.16.1

No response when I attempt to ping from the router.

So, your Linksys wan address is 172.20.16.1 and the Linksys lan is 192.168.1.0/24. Are you saying that you cannot disable nat on the linksys?

HTH,
John

*** Please rate all useful posts ***


The Linksys router is not my company's so I do not have access to its setup. When you say disable nat, are you referring to turning off DHCP on the Linksys and passing that function onto the 881?

No, dhcp can stay on the Linksys, but you need to disable nat on it. So, let's go back to the original problem. From what I understand you have a public address on the Cisco router wan interface, and a 172.20.x.x address on the lan side, and it's configured for nat. The Linksys has a 172.20.x.x address on the wan side, and 192.168.x.x address on the lan side. The cameras are on the 192.168.x.x subnet. They were originally, and probably still are, natted to a 172.20.x.x address before you put the Cisco router in, or were they natted to a public address that the Linksys had? Technically, when the request comes into the Dialer interface to connect to the camera, you're going to forward that request to the Linksys wan interface (unless you have other addresses associated to the camera). The Linksys should see the traffic on the wan side coming in on 3417 and 3418. The camera will get the traffic after the Linksys forwards it to the camera. The camera's default gateway should be configured for the Linksys router and has no idea of its wan address.

Can you post the rest of the Cisco config? The dialer interface, lan/vlan interface, and the acls for the nat configuration?

The easiest thing to do is disable nat on the Linksys. Can you have the person that owns it get you into it?

HTH, John *** Please rate all useful posts ***

Your assessment is correct. Previously, they were natted to a public address that the Linksys had. Now it is natting to a 172.20.X.X address which in turn is natted to the public IP. I can work with them to turn off natting.

Here is the pertinent information in the config:

interface Tunnel0
 ip address X.X.X.X 255.255.255.0
 ip access-group 110 out
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 211
 ip nhrp holdtime 360
 ip nhrp nhs X.X.X.X
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer10
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1 shared
!
interface Tunnel1
 ip address X.X.X.X 255.255.255.0
 ip access-group 110 out
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 212
 ip nhrp holdtime 360
 ip nhrp nhs X.X.X.X
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 delay 2000
 tunnel source Dialer10
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile SDM_Profile1 shared
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 description DMZ for Home Internet Access
 switchport access vlan 172
 no ip address
!
interface FastEthernet4
 description External Internet Connection
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface Vlan1
 ip address X.X.X.X 255.255.255.0
 ip access-group 121 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan172
 ip address 172.20.16.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer10
 bandwidth 100000
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 10
 dialer-group 10
 ppp authentication pap chap callin
 ppp chap hostname XXXX
 ppp chap password 0 XXXX
 ppp pap sent-username XXXX
 no cdp enable
 hold-queue 224 in
 exit
!
ip nat inside source list 20 interface Dialer10 overload
ip nat inside source list 30 interface Dialer10 overload
ip nat inside source static tcp 172.20.16.1 3417 interface Dialer10 3417
ip nat inside source static tcp 172.20.16.1 3418 interface Dialer10 3418

Are you allowing 3417 and 3418 through your 120 acl?

HTH,
John

*** Please rate all useful posts ***


Yes I am. I even tried it with the acl removed. No such luck.

Hmm... what about telnetting to that port from the Cisco router? Try from the Cisco "telnet 172.20.16.1 3417". If it times out, there's something going on with the Linksys. If it states that it's open, then try removing the acl and the cbac configuration (ip inspect) from the interface of the dialer.

HTH,
John

*** Please rate all useful posts ***


Hi John,

No go on the telnetting. I had my colleague connect her camera directly to a port on the 172 network, I changed the ip nat statements to reflect the new 172 address and we were still unsuccessful. Could it be something on the cbac configuration on the dialer interface that is preventing this from working?

Hi,

 However, when she tries to connect to her public IP using the assigned port numbers, it fails.

From where is she doing this? If this is from the inside then it is normal behaviour, as Cisco routers don't do nat hairpinning with regular NAT but they do with NVI NAT (ip nat enable command under interface instead of ip nat inside and ip nat outside AND ip nat source instead of ip nat inside source).

Regards

Alain


Don't forget to rate helpful posts.
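
The NVI conversion described in the reply above, written out as an added example (not configuration posted by anyone in this thread). Interface names, the 172.20.16.1 address and ports 3417/3418 come from the config posted earlier; access lists 20 and 30 are not shown in the thread and are assumed to match the Vlan1 and Vlan172 subnets.

```cisco
! Added example: legacy (inside/outside) NAT from the posted config converted
! to NVI NAT so that inside hosts can reach the public address (hairpinning).
! Assumption: ACLs 20 and 30 match the Vlan1 and Vlan172 subnets.
!
! 0. From exec mode, clear active entries so the old rules can be removed:
!    clear ip nat translation *
!
! 1. Remove the legacy rules
no ip nat inside source static tcp 172.20.16.1 3417 interface Dialer10 3417
no ip nat inside source static tcp 172.20.16.1 3418 interface Dialer10 3418
no ip nat inside source list 20 interface Dialer10 overload
no ip nat inside source list 30 interface Dialer10 overload
!
! 2. Replace the inside/outside roles with "ip nat enable" on every NAT interface
interface Vlan1
 no ip nat inside
 ip nat enable
!
interface Vlan172
 no ip nat inside
 ip nat enable
!
interface Dialer10
 no ip nat outside
 ip nat enable
!
! 3. Re-create the rules with "ip nat source" (no "inside" keyword)
ip nat source list 20 interface Dialer10 overload
ip nat source list 30 interface Dialer10 overload
ip nat source static tcp 172.20.16.1 3417 interface Dialer10 3417
ip nat source static tcp 172.20.16.1 3418 interface Dialer10 3418
!
! 4. Verify from exec mode; NVI keeps its own translation table:
!    show ip nat nvi translations
!    show ip nat nvi statistics
```

This only changes the result for tests made from inside the network; connections arriving from the Internet still have to be permitted by access list 120 on Dialer10 and forwarded by the Linksys.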

For troubleshooting, you could remove the acl and the cbac config. If the camera was working properly, you should have been able to leave the camera on the 192.x.x.x subnet and telnet to the 172.x.x.x address that's on the Linksys interface on that port and get a response. I doubt your cbac config is blocking that because it would be going out of your other interface. By chance, have you rebooted the Linksys after making your address changes from public to private? I'm wondering if the Linksys is somehow thinking that the camera's address is still tied to a public address on the Linksys even though you changed it to a private.

HTH,
John

*** Please rate all useful posts ***
