
Please Help - Static NAT not working.

Sean Franklin
Level 1

I feel like I've tried everything. I'm trying to port-forward to an IP camera. I have ddns setup, and when I type in my domain name I get to my router, so ddns is working correctly. However when I type it in with the port of my camera I'm getting nothing. When I do a show ip nat statistics I see that there have been no static translations. Below is my config.

FranklinRouter#sh ip nat translations | i 8090
tcp 72.x.x.217:8090   10.1.1.101:8090       ---                   ---
udp 72.x.x.217:8090   10.1.1.101:8090       ---                   ---
FranklinRouter#

FranklinRouter#sh ip nat statistics
Total active translations: 172 (0 static, 172 dynamic; 172 extended)
Peak translations: 3425, occurred 1w2d ago
Outside interfaces:

interface GigabitEthernet0
 description Access to the Internet via this interface
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 duplex auto
 speed auto

!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source static tcp 10.1.1.101 8090 interface GigabitEthernet0 8090
ip nat inside source static udp 10.1.1.101 8090 interface GigabitEthernet0 8090
ip route 0.0.0.0 0.0.0.0 72.x.x 254
ip route 0.0.0.0 0.0.0.0 72.x.x 254
!
ip access-list extended inboundfilters
 permit eigrp any any
 deny   icmp any any
 evaluate tcptraffic
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic timeout 300
!
logging trap notifications
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.1.4.0 0.0.0.255
access-list 23 permit 10.1.0.0 0.0.255.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp object-group DNS any eq domain
access-list 101 permit udp object-group NTP any eq ntp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 101 permit ip any any log
!
!
!
!
!
!

22 Replies

If you have the right IOS feature set to do that, then yes, that should work, although I have never used a router for this function, so I can't say for sure exactly how IOS behaves.

The only other solution is to add an entry to the hosts file on each client but that isn't really a scalable solution.

Jon

Okay, so I've managed to get DNS working internally. All of my clients now point to my router for DNS, which has one entry for one of my IP cams, then it forwards to public DNS servers.

I'm able to get that one record to work; the problem is that I can't add multiple records for the different ports, i.e. 10.1.1.102:8092, 10.1.1.103:8093, etc.

Currently I have the record ip host ddns port 10.1.1.101, and this works. But when I go to add another record, it overwrites the old record.

So basically I can only access 1 ip cam with my ddns. Is there a solution for this?

Sean

Not sure I understand.

If you have multiple cameras then each one will need a different name and this would map to a different IP.

You can't use the same name for all your cameras because then DNS won't know which IP to send back for the query.

Jon

I guess I was hoping that you could do that with the port number. I've seen this mentioned multiple times elsewhere but I'll say it here too. It's funny that a 30 dollar router from any vendor doesn't have a problem with port-forwarding external or internal, whereas getting this capability with IOS is a pain.

Either way, having a hostname for each camera would defeat the purpose of port forwarding. Right now I have (1) ddns and I just pair it with a port number and externally I can reach all of my cams. But in order to use different hostnames for each camera I'd have to have two different configurations in our camera viewer. One for DDNS and one for internal DNS. I might as well just use the IP internally.

If this can't be done with IOS then my only hope is that I can resolve this with DNS rewrite on ASA. If not then I need another solution.

Hello

Do you have an INSIDE interface?

I would also suggest removing CBAC (ip inspect), as well as the ACLs suggested by Rick and Jon, until you have an established connection and NAT is working; then apply your security.

Lastly, try removing your statics and applying a default for DHCP:

ip route 0.0.0.0 0.0.0.0 dhcp

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, thanks for the reply.

I don't have one specific inside interface, "ip nat inside" is configured on all of my virtual interface vlans.

I will remove the cbac when I get back to it, that's not a bad idea.

Also, when you configure ip route 0.0.0.0 0.0.0.0 dhcp, it shows up with the dynamic IP in your running config. That's why it looks that way; it's not static.

I agree with Jon and Paul that if we could see more of the config we might be better able to identify the issue. In the meantime, my next suggestion is that you add statements in the access list to permit traffic to port 8090, and make sure that the new statements go into the access list before the statement with deny ip any any.

I also agree with the suggestion to take the inspect out of the config until the other issues are resolved. 

It is an interesting question whether to spend money on Smartnet or on the purchase of an ASA5505. If you have multiple virtual interface VLANs and are doing inter-VLAN routing, I would be inclined to keep the router rather than replace it with an ASA. The ASA is optimized for doing firewalling and can route (but that is not optimized), while the router is optimized for routing and can do some firewalling (but that is not optimized). From the little that we know about your environment, it looks like you need routing more than you need firewalling.

HTH

Rick
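As an added example (not code from the original thread and not anything Cisco ships), the Python script below parses ACL 101 exactly as it appears in the posted running-config and walks it with IOS first-match semantics. It shows why the static entries never get a hit: an unsolicited SYN from the Internet to port 8090 matches nothing until the "deny ip any any log" line, and the "permit ip any any log" after it can never be reached. It then applies the change Rick describes, inserting the permit above the catch-all deny, and checks the same packet again. One caveat the check builds in: for outside-to-inside traffic IOS evaluates the inbound ACL before the global-to-local translation, so the permit has to match the public (pre-NAT) destination and port 8090, not 10.1.1.101. The address 72.0.0.217 is a placeholder for the redacted 72.x.x.217, the client 203.0.113.5 is constructed input, and the matcher ignores ICMP type names and the log keyword.

```python
import ipaddress
from collections import namedtuple

# Object-groups and ACL 101 copied from the posted config (applied 'in' on Gi0, the NAT outside interface).
OBJECT_GROUPS = {"DNS": ["8.8.8.8", "4.2.2.6", "208.67.222.220"],
                 "NTP": ["98.175.203.200", "206.246.122.250"]}
ACL_101 = """\
access-list 101 permit udp object-group DNS any eq domain
access-list 101 permit udp object-group NTP any eq ntp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 101 permit ip any any log
"""
PUBLIC_IP = "72.0.0.217"    # assumption: stands in for the redacted 72.x.x.217
CAMERA_PORT = 8090          # port from the 'ip nat inside source static' lines
PORT_NAMES = {"domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}
ANY = ipaddress.ip_network("0.0.0.0/0")
Ace = namedtuple("Ace", "action proto src sport dst dport text")  # src/dst: lists of networks


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: any | host A | object-group G | A wildcard."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(h + "/32") for h in OBJECT_GROUPS[tok[i + 1]]], i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    if wildcard & (wildcard + 1):  # only contiguous wildcard masks are modelled
        raise ValueError("non-contiguous wildcard: " + " ".join(tok))
    return [ipaddress.ip_network(f"{tok[i]}/{32 - wildcard.bit_length()}", strict=False)], i + 2


def _parse_port(tok, i):
    """Optional 'eq <port>' after an address spec (named ports limited to those used here)."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N action proto src [eq p] dst [eq p] [...]' lines, keeping order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        # Trailing tokens (ICMP type names, 'log') are ignored: ICMP is matched on protocol only.
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport, " ".join(tok)))
    return aces


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """IOS semantics: the first matching entry wins; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.sport not in (None, sport) or ace.dport not in (None, dport):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


def unreachable(aces):
    """Entries that follow a catch-all 'ip any any' line and therefore can never match."""
    for k, ace in enumerate(aces):
        if (ace.proto, ace.src, ace.dst, ace.sport, ace.dport) == ("ip", [ANY], [ANY], None, None):
            return [a.text for a in aces[k + 1:]]
    return []


def camera_reachable(acl_text):
    """Does an unsolicited SYN from a constructed client to PUBLIC_IP:CAMERA_PORT pass the inbound
    ACL?  The pre-NAT public destination is used: IOS checks this ACL before outside-to-inside NAT."""
    action, _ = evaluate(parse_acl(acl_text), "tcp", "203.0.113.5", PUBLIC_IP, 51000, CAMERA_PORT)
    return action == "permit"


def insert_before_catch_all(acl_text, new_lines):
    """Put new entries just above 'deny ip any any', where they are still reachable (Rick's advice)."""
    lines = acl_text.splitlines()
    idx = next(i for i, l in enumerate(lines)
               if " ".join(l.split()).startswith("access-list 101 deny ip any any"))
    return "\n".join(lines[:idx] + list(new_lines) + lines[idx:]) + "\n"


# Permit the forwarded port for both NAT statics (tcp and udp) above the catch-all deny.
FIXED_ACL = insert_before_catch_all(
    ACL_101, [f"access-list 101 permit {p} any any eq {CAMERA_PORT}" for p in ("tcp", "udp")])
```

Running camera_reachable(ACL_101) returns False and camera_reachable(FIXED_ACL) returns True, while a packet sourced from 10.0.0.0/8 is still dropped by the earlier bogon deny, since the new entries sit below those lines. The same walk is what the router does on every inbound packet on Gi0, which is why the static translations in the first post show no hits even though the NAT entries themselves are correct.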

no aaa new-model
!
clock timezone EST -5 0
clock summer-time EST recurring 1 Mon Mar 0:00 1 Mon Oct 0:00
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1042258622
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1042258622
 revocation-check none
 rsakeypair TP-self-signed-1042258622
!
!
crypto pki certificate chain TP-self-signed-1042258622
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303432 32353836 3232301E 170D3134 30383234 31393332
  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30343232
  35383632 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E2B2 2533A8B9 518DE4EC 138074EF 6A16B4F0 4B6C19B6 91C0E90A 846F6ABB
  81FBFE28 4C396CBC 7C74CB0D 225553D6 D289C25E BC8D13B3 2A4E14B2 36E40D19
  8C5B8E40 624F94FC 4C5770F8 984F3218 0FC94123 BF6291BF 714DE11E 32C60C22
  401821D5 E21C94A7 A5D78A7B ED39620B 363C486E 5C06C707 1A1FEF1F 70FE0450
  49BB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14AAAD14 38691F79 EF1E5FCD DA9240DA 73CEAE5E 11301D06
  03551D0E 04160414 AAAD1438 691F79EF 1E5FCDDA 9240DA73 CEAE5E11 300D0609
  2A864886 F70D0101 05050003 81810043 3C95E0A8 85F3402A E140D3C1 D64EC765
  38808AF5 BC260208 CC052991 5F748CD6 4E409201 34AD88E7 CE714065 90D608EF
  B55C691E 8E4CD18C 8652E887 91762DF1 EFEB5615 4D3C6B3C C7089688 E0F2E7B7
  AC1C46CD 51C0BD0B 7A7324A3 D47BAB78 C2FB93AC D0154468 C1384EF3 174B2740
  313B7C1A 9BEE1E4C 46410E92 4354DE
        quit
no ip source-route
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.2.1 10.1.2.10
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 10.1.4.1 10.1.4.10
ip dhcp excluded-address 10.1.3.1 10.1.3.10
ip dhcp excluded-address 10.1.1.100 10.1.1.106
!
ip dhcp pool cvo-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool Wireless
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 4.2.2.6 208.67.222.220 8.8.8.8
 lease 0 6
!
ip dhcp pool Wired
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 dns-server 4.2.2.6 208.67.222.220 8.8.8.8
!
ip dhcp pool Guest
 network 10.1.4.0 255.255.255.0
 default-router 10.1.4.1
 dns-server 4.2.2.6 208.67.222.220 8.8.8.8
!
ip dhcp pool Security
 network 10.1.3.0 255.255.255.0
 default-router 10.1.3.1
 dns-server 4.2.2.6 208.67.222.220 8.8.8.8
!
!
ip cef
no ip bootp server
ip domain name router.sfranklin.ddns.net
ip name-server 8.8.8.8
ip name-server 4.2.2.6
ip name-server 208.67.222.220
ip inspect log drop-pkt
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 kerberos
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 bittorrent
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 dns
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 pptp
ip ddns update method no-ip
 HTTP
!
ip reflexive-list timeout 120
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
parameter-map type inspect global
 WAAS enable
 log dropped-packets enable
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn FTX1546805G
!
!
object-group network DNS
 host 8.8.8.8
 host 4.2.2.6
 host 208.67.222.220
!
object-group network NTP
 host 98.175.203.200
 host 206.246.122.250
!
username admin privilege 15 secret 5 $1$BmSn$Fj9vfdPiU4T9EpeJRpBwM.
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh version 2
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 switchport mode trunk
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description Access to the Internet via this interface
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.1.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
!
interface Vlan4
 description Guest VLAN$FW_INSIDE$
 ip address 10.1.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface GMPLS0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no fair-queue
 no keepalive
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source static tcp 10.1.1.101 8091 interface GigabitEthernet0 8091
ip nat inside source static udp 10.1.1.101 8091 interface GigabitEthernet0 8091
ip route 0.0.0.0 0.0.0.0 72x254
ip route 0.0.0.0 0.0.0.0 72.x 254
!
ip access-list extended inboundfilters
 permit eigrp any any
 deny   icmp any any
 evaluate tcptraffic
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic timeout 300
!
logging trap notifications
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 5 permit any log
access-list 23 permit 10.1.4.0 0.0.0.255
access-list 23 permit 10.1.0.0 0.0.255.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp object-group DNS any eq domain
access-list 101 permit udp object-group NTP any eq ntp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
access-list 101 permit ip any any log
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler interval 500
ntp server 98.175.203.200 prefer
ntp server 206.246.122.250
end