Thanks for your response Rick.

That was one of the first things I checked since I've had issues with the ACL before with dns and ntp. I pinned those down with the deny log, which is still configured. I haven't gotten a single log message related to this connection. So I removed the acl entirely just to be sure and I still wasn't able to get through.

I got desperate last night after troubleshooting this all day and I brought up WireShark to see what was going on. I was getting a response from my public IP when I entered my ddns:port in the browser so I know that part of it is working. The response I was getting however was a connection reset, so something is happening on the router.

I tried debugging ip nat, and I didn't get anything related. Which makes sense since I haven't seen a single static connection in the sho ip nat statistics. I brought up ccp just for giggles to see if I configured static nat wrong. When I went to configure the port-forwarding it wouldn't issue the configs because it said that there were already identical configurations (my statics were right).

My only other idea is to debug all packets when I get home to see if I can get any feedback. Other than that I'm stumped.

Right now I'm debating between dropping 120 bucks on the SMARTnet so I can ask Cisco and upgrade the IOS, or spend that money on a asa 5505 and move the port forwarding to that. All of the discussions that I've seen on the internet with people having these problems are unresolved.

Sean

Have you removed all acls ?

Can you post your current configuration that you are working with ?

Jon

I'll post the full config when I get home. I have removed the ACLs entirely and it still didn't work. I did a debug of all tcp and basically I just saw what WireShark had been showing me. The syn and reply with a rst connection. I wasn't able to see anything else. Nothing comes up when I debug NAT because it looks like it's not making it that far.

The ACL is removed. It's still not working. I did a "debug ip tcp packet" and I'm getting the same thing that I got yesterday. The router is sending a RST immediately when I request. Since like I said I was getting no deny logs on my acl as I expected to get, and I'm getting no ip nat translations, I'm thinking that somehow it's not even making it that far. Here is the tcp debug.

001468: May  4 17:25:40.955 EST: tcp0: I LISTEN 10.1.1.54:50135 72.1x7:8091 seq 4241027909
001469: May  4 17:25:40.955 EST: TCP: sent RST to 10.1.1.54:50135 from 72.x.217:8091
001470: May  4 17:25:41.095 EST: tcp0: I LISTEN 10.1.1.54:50136 72.1x217:8091 seq 3260670412
001471: May  4 17:25:41.095 EST: TCP: sent RST to 10.1.1.54:50136 from 72.x.217:8091
001472: May  4 17:25:41.227 EST: tcp0: I LISTEN 10.1.1.54:50137 72.1x17:8091 seq 3302126319

Every discussion I've seen on this on the internet has ended unresolved, so I think that it's important to figure out what is going on here.

Thanks for providing additional information. I am curious about one aspect of the debug output. The source address that it shows is10.1.1.54. 

How is the source address of a packet being sent to an interface with a public IP have a source address in an unroutable network?

HTH

Rick

And not only is the source address of the packet arriving on the outside interface a private address but it falls into the subnet of vlan1. 

HTH

Rick

This is where I start to get a bit lost as NAT is not my strong point.

Ahah! I've made a revelation. Don't laugh but when I was testing on my phone as my "external test" it wasn't really external as I forgot it was connected via wifi. So really it was an internal test.

So when I disconnected the wifi it still didn't work BUT I got a deny log which is what I expected originally. I just need to edit the acl. So the real problem here is why can't internal users use the ddns to get to my cameras.

I think they're never being translated because if I do a traceroute to my ddns there is only one hop and that's my external address. So if it never really exits the interface can it come back in?

We have made progress. And it is another demonstration that the more information we have to work with the better we are able to identify issues impacting the desired result.

And it confirms that the basic issue seems to be related to the access list.

This is not an unusual problem when devices inside need to access a device which is also accessed from outside. The optimum solution is a DNS for inside which will resolve the server address to its inside/private address and is separate from the external DNS which resolves the server name to its public address.

HTH

Rick

Thanks for all of the help Rick. Now I'm definitely out of my wheelhouse.

I have 3 public dns servers configured on my dhcp scope. Is this as simple as configuring myself an internal DNS server with the static entry (on my nas or centOS server) and changing the order of my dns servers?

Sean

That is the simplest solution yes.

You can if you want try to have the internal clients connect to the public IP and then the router translate it back to the private IP but that really can be tricky to get working.

Generally with an internal DNS server you would only hand out it's IP to the clients and then on the DNS server itself you would configure the other public IP DNS servers as forwarders ie. if your internal DNS server doesn't have a record it forwards it on to the one of the public DNS servers.

Like I say it's that or trying to get NAT to allow public to private IP for your internal clients.

Jon

Thanks Jon,

I'd rather not make my NAT configuration more complex. I suppose what I could do in lieu of requiring my DNS server to be up 24/7 is configure the router to the be the dns server with the static entry then have it forward to the public DNS servers. Does that sound like a good solution?