Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Setting Up NAT Port Forwarding on 881

Hello,

I'm having an issue with a home office employee who we set up with a Cisco 881. Before we installed their 881, she had Foscam cameras at her house connecting to her ISP provided wireless router. The cameras connect wirelessly and she set up port forwarding on the wireless router to access them while outside of her network.

Her new setup is like this:

CISCO 881 > LINKSYS E2500 > Foscam Cameras

She has port forwarding set up on the Linksys E2500 and can access the cameras while on her wireless network. However, when tries to connect to her public IP using the assigned port numbers, it fails.

I have added the following NAT statements to the Cisco router:

ip nat inside source static tcp 172.X.X.X 3417 interface Dialer 10 3417

ip nat inside source static tcp 172.X.X.X 3418 interface Dialer 10 3418

I figured since the cameras are connected to the wireless network, I would need to create the statement to port forward to the wireless router (the 172.X.X.X address). However, this is not working. What am I missing to make this work?

Thanks!

  • WAN Routing and Switching
15 REPLIES

Re: Setting Up NAT Port Forwarding on 881

What is the "wan" side address for the Linksys? That's the address that you should be forwarding to...

Which device is natting: Cisco or Linksys?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
New Member

Setting Up NAT Port Forwarding on 881

Hi John,

The "wan" address for the Lynkssy is the 172.X.X.X address specified in the nat translation rule listed above.

Both devices are technically natting:

ISP Provided Address > Cisco Router (private network is 172.X.X.X) > Linksys Router (172.X.X.X WAN address, 192.X.X.X LAN address for camera).

Thanks!

Setting Up NAT Port Forwarding on 881

Can you ping the internal cameras from the Cisco? Here's what I would do. Disable nat, if possible, on the Linksys. Put a static route in the Cisco pointing the 192.x.x.x subnet to the Linksys wan interface. After you do this, you should be able to change your router to nat the 192.x.x.x address instead of the 172.x.x.x address and having to manage two different devices.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
New Member

Setting Up NAT Port Forwarding on 881

I cannot. I added a static route on the 881:

ip route 192.168.1.0 255.255.255.0 172.20.16.1

No reponse when I attempt to ping from the router.

Setting Up NAT Port Forwarding on 881

So, your Linksys wan address is 172.20.16.1 and the Linksys lan is 192.168.1.0/24. Are you saying that you cannot disable nat on the linksys?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
New Member

Setting Up NAT Port Forwarding on 881

The Linksys router is not my company's so I do not have access to it's set up. When you say disable nat, are you referring to turning off DHCP on the Linksys and passing that function onto the 881?

Setting Up NAT Port Forwarding on 881

No, dhcp can stay on the Linksys, but you need to disable nat on it. So, let's go back to the original problem. From what I understand you have a public address on the Cisco router wan interface, and a 172.20.x.x address on the lan side, and it's configured for nat. The Linksys has a 172.20.x.x address on the wan side, and 192.168.x.x address on the lan side. The cameras are on the 192.168.x.x subnet. They were originally, and probably still are, natted to a 172.20.x.x address before you put the Cisco router in, or were they natted to a public address that the Linksys had? Technically, when the request comes into the Dialer interface to connect to the camera, you're going to forward that request to the Linksys wan interface (unless you have other addresses associated to the camera). The Linksys should see the traffic on the wan side coming in on 3417 and 3418. The camera will get the traffic after the Linksys forwards it to the camera. The camera's default gateway should be configured for the Linksys router and has no idea of it's wan address.

Can you post the rest of the Cisco config? The dialer interface, lan/vlan interface, and the acls for the nat configuration?

The easiest thing to do is disable nat on the Linksys. Can you have the person that owns it get you into it?

HTH, John *** Please rate all useful posts ***
New Member

Setting Up NAT Port Forwarding on 881

Your assesment is correct. Previously, they were natted to a public address that the Linksys had. Now it is natting to a 172.20.X.X address which in turn is natted to the public IP. I can work with them to turn off natting.

Here is the pertinent information in the config:

interface Tunnel0

ip address X.X.X.X 255.255.255.0

ip access-group 110 out

no ip redirects

ip mtu 1400

ip flow ingress

ip flow egress

ip nhrp authentication DMVPN_NW

ip nhrp map multicast X.X.X.X

ip nhrp map X.X.X.X X.X.X.X

ip nhrp network-id 211

ip nhrp holdtime 360

ip nhrp nhs X.X.X.X

ip nhrp registration no-unique

ip tcp adjust-mss 1360

delay 1000

tunnel source Dialer10

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile SDM_Profile1 shared

!

interface Tunnel1

ip address X.X.X.X 255.255.255.0

ip access-group 110 out

no ip redirects

ip mtu 1400

ip nhrp authentication DMVPN_NW

ip nhrp map multicast X.X.X.X

ip nhrp map X.X.X.X X.X.X.X

ip nhrp network-id 212

ip nhrp holdtime 360

ip nhrp nhs X.X.X.X

ip nhrp registration no-unique

ip tcp adjust-mss 1360

delay 2000

tunnel source Dialer10

tunnel mode gre multipoint

tunnel key 200000

tunnel protection ipsec profile SDM_Profile1 shared

!

interface FastEthernet0

no ip address

spanning-tree portfast

!

interface FastEthernet1

no ip address

spanning-tree portfast

!

interface FastEthernet2

no ip address

spanning-tree portfast

!

interface FastEthernet3

description DMZ for Home Internet Access

switchport access vlan 172

no ip address

!

interface FastEthernet4

description External Internet Connection

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 10

!

interface Vlan1

ip address X.X.X.X 255.255.255.0

ip access-group 121 in

ip nat inside

ip virtual-reassembly in

!

interface Vlan172

ip address 172.20.16.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Dialer10

bandwidth 100000

ip address negotiated

ip access-group 120 in

ip mtu 1492

ip flow ingress

ip flow egress

ip nat outside

ip inspect FIREWALL out

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1360

dialer pool 10

dialer-group 10

ppp authentication pap chap callin

ppp chap hostname XXXX

ppp chap password 0 XXXX

ppp pap sent-username XXXX

no cdp enable

hold-queue 224 in

exit

!

ip nat inside source list 20 interface Dialer10 overload

ip nat inside source list 30 interface Dialer10 overload

ip nat inside source static tcp 172.20.16.1 3417 interface Dialer10 3417

ip nat inside source static tcp 172.20.16.1 3418 interface Dialer10 3418

Setting Up NAT Port Forwarding on 881

Are you allowing 3417 and 3418 through your 120 acl?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
798
Views
0
Helpful
15
Replies
This widget could not be displayed.