Cisco 1921 port forwarding is not working

Sunghwan Yoo
Level 1

Hi all,

I have a DVR inside my company; its IP address is 192.168.0.50 and its port number is 2000.

I want outside Internet users to access the DVR. How is it possible?

Please have a look at the running configuration. The DVR is working inside the company but not from outside.

I've tried a lot of methods to set up port forwarding, as below:

-ip nat inside source static tcp 192.168.0.50 2000 interface Dialer 1 2000,

-ip nat inside source static tcp 192.168.0.50 2000 interface <public IP add> 2000 extend,

-ip nat inside source static tcp 192.168.0.50 2000 interface <public IP add> 2000  route-map SDM_RMAP_1,

-ip nat inside source static tcp 192.168.0.50 2000 interface <public IP add> 2000  route-map SDM_RMAP_1 extend,

but it's not working.

I used an 'Open port check tool' and it showed that port 2000 is open.

Also, I can access http://192.168.0.50:2000 but I can't access http://<public IP add>:2000.

How do I solve this problem?

Thank you.

Building configuration...

Current configuration : 6474 bytes
!
! Last configuration change at 13:57:32 Sydney Mon Feb 1 2016 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Cleansurance
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
enable secret 5 $1$rpXG$B9RnDGl3ItGrN4NvSd7871
!
no aaa new-model
!
clock timezone Sydney 10 0
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.100 192.168.0.255
ip dhcp excluded-address 192.168.0.50
ip dhcp excluded-address 192.168.0.192
ip dhcp excluded-address 192.168.0.193
ip dhcp excluded-address 192.168.0.120
!
ip dhcp pool InternalIP
network 192.168.0.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.0.1
!
!
no ip domain lookup
ip name-server 139.130.4.4
ip name-server 203.50.2.71
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-920416775
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-920416775
revocation-check none
rsakeypair TP-self-signed-920416775
!
!
crypto pki certificate chain TP-self-signed-920416775
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FCZ1606C2QW
!
!
username admin privilege 15 secret 5 $1$zKOB$l6yMFquiV3FVkugQ0Mxgp1
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key passxxx address 101.187.xxx.xxx
crypto isakmp key passxxx address 120.150.xxx.xxx
crypto isakmp key passxxx address 120.151.xxx.xxx
!
!
crypto ipsec transform-set cleansurance esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to101.187.xxx.xxx
set peer 101.187.xxx.xxx
set transform-set cleansurance
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to120.150.xxx.xxx
set peer 120.150.xxxxxx
set transform-set cleansurance
match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to120.151.xxx.xxx
set peer 120.151.xxx.xxx
set transform-set cleansurance
match address 103
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description DSL interface$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
description Internal Interface$ETH-LAN$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
!
interface Dialer1
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx@direct.telstra.net
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxx@direct.telstra.net password 0 xxxxxx
ppp ipcp route default
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 192.168.0.50 2000 interface Dialer1 2000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
!
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
password xxxxxx
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 150.101.221.106
ntp server 27.50.91.108
end

6 Replies

Philip D'Ath
VIP Alumni

"ip nat inside source static tcp 192.168.0.50 2000 interface Dialer1 2000" is correct.

Check the default route configured on the DVR, and the subnet mask.

Check that the DVR is responding on port 2000 internally.

Thank you for your reply.

I attached my DVR configuration.

I think everything is correct.

Could you check my attached image?

That configuration looks correct to me.  Are you sure you don't need to open port 80 as well?

Yes.

I don't need to open port 80.

I can access http://192.168.0.50:2000 but I can't access http://<public IP add>:2000 in my office.

Do I have to configure "Group in/out" on the interface?

Aha!  It won't work from inside of your office.  It will only work from outside of your office.

NAT only takes effect as traffic goes from the outside interface to the inside interface (in this case at least).  When you are sitting in your office the traffic will not flow in this direction.

But I've tried it from outside of my office.

When I access the DVR from my mobile device from outside of my office,

the "show ip nat translation" result is as below:

#sh ip nat tr | inc 192.168.0.50

udp 1x.x.x.x:1026 192.168.0.50:1026 61.250.157.14:2400 61.250.157.14:2400

udp 1x.x.x.:1026 192.168.0.50:1026 203.47.124.141:2400 203.47.124.141:2400

tcp 1x.x.x.x:2000 192.168.0.50:2000 49.195.15.155:3447 49.195.15.155:3447

tcp 1x.x.x.x:2000 192.168.0.50:2000 --- ---
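
Added example, not part of the thread: a small Python parser for `show ip nat translations` output that checks whether the static entry for a port forward is installed and lists the outside hosts that have extended entries through it, which is the check the last post does by eye. The sample output is constructed with documentation addresses; only 192.168.0.50:2000 comes from the thread, and the function names are hypothetical.

```python
from collections import namedtuple

Entry = namedtuple(
    "Entry", "proto inside_global inside_local outside_local outside_global"
)

# Constructed sample in the shape of the output in the post. The public
# address 203.0.113.10 and the outside hosts are documentation addresses.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.10:1026  192.168.0.50:1026  198.51.100.7:2400  198.51.100.7:2400
tcp 203.0.113.10:2000  192.168.0.50:2000  198.51.100.23:3447 198.51.100.23:3447
tcp 203.0.113.10:2000  192.168.0.50:2000  ---                ---
"""


def parse(text):
    """Yield one Entry per translation line, skipping the header and blanks."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].lower() in ("tcp", "udp"):
            yield Entry(fields[0].lower(), *fields[1:])


def audit_forward(text, proto, inside_local):
    """Summarise one port forward, e.g. tcp 192.168.0.50:2000.

    Returns (static_present, peers): whether the '--- ---' entry created by
    the static NAT rule exists, and the outside hosts that have an extended
    entry (a translated flow) for the same inside local address and port.
    """
    static_present = False
    peers = set()
    for e in parse(text):
        if e.proto != proto or e.inside_local != inside_local:
            continue
        if e.outside_local == "---" and e.outside_global == "---":
            static_present = True
        else:
            # Strip the source port; keep only the outside host address.
            peers.add(e.outside_global.rsplit(":", 1)[0])
    return static_present, sorted(peers)


if __name__ == "__main__":
    present, peers = audit_forward(SAMPLE, "tcp", "192.168.0.50:2000")
    print("static entry installed:", present)
    print("outside hosts with a flow through the forward:", peers or "none")
```

A result with the static entry present and at least one outside host listed means the router translated inbound packets toward the DVR, so the remaining checks are on the DVR side (default gateway, subnet mask, the service itself), as the first reply suggests.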
