
Port forwarding issue

DOUGLAS DRURY
Level 1

Hi,

I'm having a debate with a 3rd party; they've installed a new CCTV system with a remote app. The app logs in OK and you can see the list of cameras; however, when you click on a camera the connection fails. Could someone have a look at the config to see if there are any problems there? I've removed passwords etc. and changed some public IPs to something random.

MM-RT-01#sh run br
Building configuration...

Current configuration : 4965 bytes
!
! Last configuration change at 16:03:19 UTC Tue Jan 12 2016 by tsadmin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MM-RT-01
!
boot-start-marker
boot-end-marker
!
!
enable secret <REMOVED>
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.25.1
!
ip dhcp pool GUEST
import all
network 192.168.25.0 255.255.255.0
default-router 192.168.25.1
dns-server 8.8.8.8
domain-name Morrison-Guest.local
lease 0 1
!
!
!
ip domain name <REMOVED>
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2775527347
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2775527347
revocation-check none
rsakeypair TP-self-signed-2775527347
!
!
crypto pki certificate chain TP-self-signed-2775527347
certificate self-signed 01
license udi pid CISCO1921/K9 sn FCZ1811C4C4
!
!
username <REMOVED>
username <REMOVED>
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
firmware filename flash:VA_A_39h_B_38h3_24h_j.bin
!
!
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNUSERS
key <REMOVED>
dns 192.168.20.201
domain <REMOVED>
pool VPN-POOL
acl VPNSPLIT
!
!
crypto ipsec transform-set MM esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
set transform-set MM
reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
description Inside
encapsulation dot1Q 20 native
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.25
description GUEST
encapsulation dot1Q 25
ip address 192.168.25.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
no ip address
shutdown
!
interface Dialer0
description ACTIVE
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname <REMOVED>
ppp chap password 0 <REMOVED>
crypto map MAP-OUTSIDE
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.20.58 1433 interface Dialer0 1433
ip nat inside source static tcp 192.168.20.58 18722 interface Dialer0 18722
ip nat inside source static tcp 192.168.20.58 80 interface Dialer0 80
ip nat inside source static tcp 192.168.20.58 443 interface Dialer0 443
ip nat inside source static tcp 192.168.20.58 445 interface Dialer0 445
ip nat inside source static udp 192.168.20.58 1434 interface Dialer0 1434
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 183.22.226.192 255.255.255.224 192.168.20.9
ip route 183.22.250.0 255.255.255.0 192.168.20.9
ip route 183.31.0.0 255.255.0.0 192.168.20.9
!
ip access-list extended NAT
deny ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
deny ip 192.168.25.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.25.0 0.0.0.255 any
permit ip 183.22.226.192 0.0.0.31 any
ip access-list extended VPNSPLIT
permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
banner login ^C
***************************************************************************

This Router is the property of <REMOVED>

Unauthorized access to this router is prohibited


This router is managed and supported by <REMOVED>

If you are not authorized you are obligated to disconnect now!

***************************************************************************
^C
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
end

MM-RT-01#

9 Replies

Hello,

I see crypto map MAP-OUTSIDE on your interface, but I do not see any command regarding that. Try to lower your MTU on the interface and test.

interface Dialer0
 ip mtu 1360
 ip tcp adjust-mss 1400

Test the commands and if the result is successful, you need to adjust the MTU to get the best throughput.

Masoud

Hi Masoud,

I tried your suggestion but it didn't work. Same result: click on a camera in the list and you get connection failed.

Thanks

Doug

What is the IP address of the camera? Are you trying to access the list through the internet by public IP?

I was asked by the 3rd party to open the below ports for this IP, 192.168.20.58. That IP is where all the cameras connect into, the NVR. The remote app on an iPhone is pointed to the public IP. The app logs in OK to the NVR device, I can see the list of available cameras, but when you select a camera from the list you get connection failed.

1434 UDP

1433 TCP

18722 TCP

80 TCP

443 TCP

445 TCP

Thanks

Does the access to the camera go via the NVR?

If so it sounds like you are simply not forwarding all the ports needed for it to work.

It would help if you (or the vendor) could explain exactly what happens in terms of IPs etc. when you click on a camera in the list.

Jon

Yes, access is via the NVR. I think you're right Jon, there must be more ports they haven't told me about or the NVR isn't set up right.

I'll let you know what they say

Thanks

Doug

Or, after clicking on each camera, it may use the direct IP of the camera. Simply install Wireshark and monitor which ports and which IP it is using if you do not get a response from your provider.

https://www.wireshark.org/download.html

Masoud

Hi Masoud

That was my thought as well, but if it does use the IP of the camera, i.e. goes direct, then those cameras need to be translated to a public IP, and if you only have one public IP you can only translate one camera because I assume the port number would be the same.

Let's hope it doesn't work that way.

Jon

Hello Jon.

Yes, you are right. As you said, it should not be that way. I am guessing that by clicking the list, it is using the private IP address of the camera instead of the public address of the DVR, causing the problem. Of course the port is the main answer, or the problem is the IP address; there must be a setting in the NVR to change that.

If it is using only one public address, more ports should be used to access each camera I think.

Masoud
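The two checks discussed in this thread, as an added example that is not part of any poster's reply: compare the ports seen in a capture against the router's static NAT entries, and detect the single-public-IP port clash Jon describes. The observed flows, port 9000 and the per-camera addresses 192.168.20.101/.102 are constructed for illustration; only the six static entries come from the posted configuration.

```python
import re
from collections import defaultdict

# Matches the static port-forward syntax used in the posted configuration.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)

def parse_forwards(config_text):
    """Return {(proto, outside_port): [(inside_ip, inside_port), ...]}."""
    forwards = defaultdict(list)
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, ip, in_port, _iface, out_port = m.groups()
            forwards[(proto, int(out_port))].append((ip, int(in_port)))
    return dict(forwards)

def unforwarded(forwards, observed):
    """Flows sent to the public IP that no static entry covers."""
    return sorted(f for f in set(observed) if f not in forwards)

def conflicts(forwards):
    """Outside ports claimed by more than one inside host; only one can be translated."""
    return {k: v for k, v in forwards.items() if len(v) > 1}

# The six static entries from the posted configuration.
CONFIG = """\
ip nat inside source static tcp 192.168.20.58 1433 interface Dialer0 1433
ip nat inside source static tcp 192.168.20.58 18722 interface Dialer0 18722
ip nat inside source static tcp 192.168.20.58 80 interface Dialer0 80
ip nat inside source static tcp 192.168.20.58 443 interface Dialer0 443
ip nat inside source static tcp 192.168.20.58 445 interface Dialer0 445
ip nat inside source static udp 192.168.20.58 1434 interface Dialer0 1434
"""

# Constructed sample: (proto, destination port) pairs read from a capture of the app.
OBSERVED = [("tcp", 80), ("tcp", 18722), ("tcp", 9000), ("udp", 1434)]

# Constructed sample: two cameras forwarded directly on the same outside port.
PER_CAMERA = """\
ip nat inside source static tcp 192.168.20.101 9000 interface Dialer0 9000
ip nat inside source static tcp 192.168.20.102 9000 interface Dialer0 9000
"""

if __name__ == "__main__":
    fw = parse_forwards(CONFIG)
    print("not forwarded:", unforwarded(fw, OBSERVED))
    print("port clashes:", conflicts(parse_forwards(PER_CAMERA)))
```
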