1921 Router config for Cameras

jkay18041 (Level 3)

I have a vendor who installed a camera system and assigned all the cameras and the NVR public IP addresses; needless to say, it was hacked. I've purchased a 1921 router and am going to assign it the public IP and have it do NAT for the cameras and the NVR. Could someone please help me verify I've set it up right before I ship it?

I want to be able to access it remotely via SSH from 2 different places: an IP block of /26 and a single IP.

Also, can you help me determine if I've set up NAT correctly? Any other suggestions would be great.

I really appreciate the help.

Building configuration...

Current configuration : 1696 bytes
!
! Last configuration change at 13:49:47 UTC Mon Aug 20 2018
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Camera_Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
ip dhcp excluded-address 192.168.50.1 192.168.50.50
!
ip dhcp pool Cameras
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
lease 24
!
!
!
!
!
ip domain name slc1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX18
!
!
username cotton privilege 15 password 7 091D6
!
redundancy
!
!
!
!
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 11.203.126.3 255.255.255.128
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 11.203.126.59
!
ip access-list extended NAT
permit ip any any
ip access-list extended SSH_ACCESS
permit ip 11.211.219.64 0.0.0.63 any
permit ip host 11.203.126.100 any
deny ip any any
!
!
!
!
control-plane
!
!
no vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class SSH_ACCESS in
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end

Accepted Solution

Hello,

Config looks good; the only thing I would change is the access list used for NAT:


Building configuration...

Current configuration : 1696 bytes
!
! Last configuration change at 13:49:47 UTC Mon Aug 20 2018
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Camera_Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
ip dhcp excluded-address 192.168.50.1 192.168.50.50
!
ip dhcp pool Cameras
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8
lease 24
!
ip domain name slc1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX18
!
username cotton privilege 15 password 7 091D6
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 11.203.126.3 255.255.255.128
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 11.203.126.59
!
ip access-list extended NAT
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended SSH_ACCESS
permit ip 11.211.219.64 0.0.0.63 any
permit ip host 11.203.126.100 any
deny ip any any
!
control-plane
!
no vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class SSH_ACCESS in
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end

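The two things a reviewer checks in this thread, a NAT ACL that should match only the inside LAN rather than `permit ip any any`, and vty lines guarded by an access-class and SSH-only transport, as a small lint script. This is an added example, not part of the thread or of any Cisco tool; the inside network and the sample excerpt are taken from the posted config, and the parser assumes the unindented running-config output as pasted above.

```python
import re

# Constructed excerpt of the config posted in this thread (original NAT ACL).
SAMPLE = """\
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list extended NAT
permit ip any any
ip access-list extended SSH_ACCESS
permit ip 11.211.219.64 0.0.0.63 any
permit ip host 11.203.126.100 any
deny ip any any
!
line vty 0 4
access-class SSH_ACCESS in
login local
transport input ssh
!
"""

def parse_acls(config):
    """Map each named extended ACL to its permit/deny entries."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and re.match(r"(permit|deny) ", line):
            acls[current].append(line)
        elif line and line != "!":
            current = None  # any other statement ends the ACL block
    return acls

def audit(config, inside_net="192.168.50.0"):
    """Return findings: NAT ACL entries broader than the LAN, weak vty guards."""
    findings, acls = [], parse_acls(config)
    for m in re.finditer(r"^ip nat inside source list (\S+) ", config, re.M):
        name = m.group(1)
        for entry in acls.get(name, []):
            tok = entry.split()
            src = tok[3] if tok[2] == "host" else tok[2]
            if tok[0] == "permit" and src != inside_net:
                findings.append(f"NAT ACL {name}: '{entry}' is not limited to {inside_net}")
    vty = re.search(r"^line vty[^\n]*\n(.*?)(?:^!|\Z)", config, re.M | re.S)
    body = vty.group(1) if vty else ""
    if not re.search(r"^access-class \S+ in$", body, re.M):
        findings.append("vty: no access-class restricting management sources")
    if not re.search(r"^transport input ssh$", body, re.M):
        findings.append("vty: transport input is not restricted to ssh")
    return findings
```

Running `audit(SAMPLE)` flags the original `permit ip any any`; after swapping in the accepted answer's `permit ip 192.168.50.0 0.0.0.255 any` it returns no findings.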
2 Replies

Great, thank you for the advice. I will get that changed.
