Why can't I connect to DVR over Internet?

Jon White
Level 1

Can anyone recognize why I may not be able to connect to a web enabled DVR (80) over the internet?

I can reach it on the LAN, and port 80 is enabled. DVR = 10.0.0.7

All other devices connect over the internet just fine.

Here is a part of the config.

ip dhcp excluded-address 10.0.0.0 10.0.0.9
!
ip dhcp pool POOL
   network 10.0.0.0 255.255.255.0
   dns-server 4.2.2.2 8.8.8.8
   domain-name 10.0.0.1
   default-router 10.0.0.1
   lease 14
!
interface FastEthernet0/0
description Gateway Router to ISP Router
ip address <GLOBAL-CE-IP> <GLOBAL-MASK>

ip nat outside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description Uplink to Switch
ip address 10.0.0.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
router rip
network 10.0.0.0
!
ip nat inside source list 101 interface FastEthernet0/0 overload

! *** Access to DVR IP 10.0.0.7 ***
ip nat inside source static udp 10.0.0.7 80 <GLOBAL-CE-IP> 80 extendable
ip nat inside source static tcp 10.0.0.7 80 <GLOBAL-CE-IP> 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 <GLOBAL-PE-IP>
no ip http server
!
access-list 101 remark *** Local subet for NAT with the Fa0/0 ***
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

!

1 Accepted Solution

Hi,

you don't need to apply an ACL to achieve this.

you just need ip nat inside source static tcp 10.0.0.7 80  x.x.x.x  80 where x.x.x.x is your public IP

Regards

Alain

Don't forget to rate helpful posts.


5 Replies

Jouni Forss
VIP Alumni

Hi,

Do you have the ACL attached to the router outside interface?

"ip access-group in"

Under the outside interface configuration

- Jouni

I've tried creating another ACL and applied it to the outside int F0/0 and it didn't work.

I think it is because the source list is set to overload.

Is there a better way to configure this?

Are you saying, something like this to allow the following:

   established connections from the inside

   incoming www/80 to DVR 10.0.0.7

   incoming telnet & ssh

2600 Router

interface FastEthernet0/0
description Gateway to ISP Router - OUTSIDE INTERFACE
ip address 24.X.X.X 255.255.255.252
ip nat outside
ip access-group 102 in
!
interface FastEthernet0/1
description Uplink to Switch - INSIDE INTERFACE
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip nat inside source list 101 interface FastEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 24.X.X.X
!
access-list 101 remark *** Local subet for NAT with the Fa0/0 ***
access-list 101 permit ip 10.0.0.0 0.255.255.255
!
access-list 102 remark *** Traffic Entering 10.0.0.0 Network ***
access-list 102 deny ip any any
access-list 102 permit tcp any 10.0.0.7 0.0.0.0 eq 80
access-list 102 permit udp any 10.0.0.7 0.0.0.0 eq 80
access-list 102 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
access-list 102 permit tcp 10.0.0.0 0.255.255.255 any eq ssh
access-list 102 permit tcp 10.0.0.0 0.255.255.255 any eq established
!
end

Alain,

That worked great until the DVR was replaced with a new one, where the server port is 8000 and the web port is 80. It will no longer allow remote viewing, even with this config.

ip nat inside source static tcp 10.0.0.7 8000 x.x.x.x 80 extendable
ip nat inside source static udp 10.0.0.7 8000 x.x.x.x 80 extendable

Does that look right to you?
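
As an added example (not part of the original thread and not Cisco tooling), the Python script below parses `ip nat inside source static` lines and reports which inside ports each entry publishes and on which outside port, using the lines from the last post as constructed sample input. The list of services the DVR needs (TCP 80 and TCP 8000) is an assumption taken from the port numbers in that post, and `parse_static_nat` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample input: the NAT lines quoted in the last post of the thread.
SAMPLE_CONFIG = """\
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.7 8000 x.x.x.x 80 extendable
ip nat inside source static udp 10.0.0.7 8000 x.x.x.x 80 extendable
"""

# ip nat inside source static <proto> <local-ip> <local-port> <global-ip> <global-port>
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b"
)


def parse_static_nat(config):
    """Return one dict per static port-forward line in the config text."""
    entries = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line)
        if m:
            proto, lip, lport, gip, gport = m.groups()
            entries.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                            "global_ip": gip, "global_port": int(gport)})
    return entries


def audit(config, host, needed):
    """Compare the forwards for `host` with the (proto, port) services it needs.

    exposed:  {(proto, local_port): global_port} for every forward to host
    missing:  needed services that no static entry publishes
    unlisted: published services that are not in the needed list
    """
    exposed = {(e["proto"], e["local_port"]): e["global_port"]
               for e in parse_static_nat(config) if e["local_ip"] == host}
    missing = sorted(set(needed) - set(exposed))
    unlisted = sorted(set(exposed) - set(needed))
    return exposed, missing, unlisted


if __name__ == "__main__":
    # Assumption: the DVR needs TCP 80 (web) and TCP 8000 (server), per the post.
    exposed, missing, unlisted = audit(
        SAMPLE_CONFIG, "10.0.0.7", [("tcp", 80), ("tcp", 8000)])
    for (proto, lport), gport in sorted(exposed.items()):
        print(f"outside {proto}/{gport} -> 10.0.0.7 {proto}/{lport}")
    print("needed but not forwarded:", missing)
    print("forwarded but not in needed list:", unlisted)
```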
