01-31-2016 09:02 PM - edited 03-05-2019 03:14 AM
Hi all
I have a DVR inside my company; its IP address is 192.168.0.50 and its port number is 2000.
I want outside Internet users to access the DVR. How is this possible?
Please have a look at the running configuration. The DVR is working inside the company but not from outside.
I've tried a lot of methods to configure port forwarding, as below:
- ip nat inside source static tcp 192.168.0.50 2000 interface Dialer 1 2000
- ip nat inside source static tcp 192.168.0.50 2000 interface <public IP add> 2000 extend
- ip nat inside source static tcp 192.168.0.50 2000 interface <public IP add> 2000 route-map SDM_RMAP_1
- ip nat inside source static tcp 192.168.0.50 2000 interface <public IP add> 2000 route-map SDM_RMAP_1 extend
but none are working.
I also used an 'Open port check tool', and it showed that port 2000 is open.
I can also access http://192.168.0.50:2000, but I can't access http://<public IP add>:2000.
How can I solve this problem?
Thank you.
Building configuration...
Current configuration : 6474 bytes
!
! Last configuration change at 13:57:32 Sydney Mon Feb 1 2016 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Cleansurance
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000
enable secret 5 $1$rpXG$B9RnDGl3ItGrN4NvSd7871
!
no aaa new-model
!
clock timezone Sydney 10 0
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.100 192.168.0.255
ip dhcp excluded-address 192.168.0.50
ip dhcp excluded-address 192.168.0.192
ip dhcp excluded-address 192.168.0.193
ip dhcp excluded-address 192.168.0.120
!
ip dhcp pool InternalIP
network 192.168.0.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.0.1
!
!
no ip domain lookup
ip name-server 139.130.4.4
ip name-server 203.50.2.71
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-920416775
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-920416775
revocation-check none
rsakeypair TP-self-signed-920416775
!
!
crypto pki certificate chain TP-self-signed-920416775
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39323034 31363737 35301E17 0D313531 31323330 36333432
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3932 30343136
37373530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
9F6F8F46 DB0A60C4 438A205A 26CBC304 5D919CC0 00E82DBD 59247EB6 9919EC48
8CC5217F A4B1679D 50D75B39 468465A1 C7A75F04 D7A9ADCA C4A2BB9E CF7B1595
14EAFF26 B5428ABA D8626F99 65D31C05 BF7A0246 7EDFE628 9E00715A 108B229B
25446FE1 6596D84A 06B3DE98 03DA2D58 C82D4A3C 8C44FBD6 9C7E1B5D BC19520F
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 1680147C 8ED2D09D 88232678 11AC956B 75B2EB51 50F6D530 1D060355
1D0E0416 04147C8E D2D09D88 23267811 AC956B75 B2EB5150 F6D5300D 06092A86
4886F70D 01010505 00038181 002D6E4B D910EA43 9208201E 173E2201 8EDDEC0B
4CFCC74B B9987E38 B32AFA6C FC7773C5 0145DBA7 F8E7AD58 51F08231 E982A7B4
60322254 3329A263 0154DF87 39832882 495C9879 5802271E 75A7892A 2DFFEE3D
64271E7E B752E72B D3D5B39A F7CDF65A FE22684E EA021177 D2C92654 77E0C328
A1377B18 16A62CA0 EB4D81B1 DD
quit
license udi pid CISCO1921/K9 sn FCZ1606C2QW
!
!
username admin privilege 15 secret 5 $1$zKOB$l6yMFquiV3FVkugQ0Mxgp1
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key passxxx address 101.187.xxx.xxx
crypto isakmp key passxxx address 120.150.xxx.xxx
crypto isakmp key passxxx address 120.151.xxx.xxx
!
!
crypto ipsec transform-set cleansurance esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to101.187.xxx.xxx
set peer 101.187.xxx.xxx
set transform-set cleansurance
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to120.150.xxx.xxx
set peer 120.150.xxxxxx
set transform-set cleansurance
match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to120.151.xxx.xxx
set peer 120.151.xxx.xxx
set transform-set cleansurance
match address 103
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description DSL interface$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
description Internal Interface$ETH-LAN$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
!
interface Dialer1
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx@direct.telstra.net
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxx@direct.telstra.net password 0 xxxxxx
ppp ipcp route default
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 192.168.0.50 2000 interface Dialer1 2000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
!
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
password xxxxxx
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 150.101.221.106
ntp server 27.50.91.108
end
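The running configuration above is long enough that what it exposes on the internet-facing side is easy to miss. The script below is an added example, not code from this thread or from Cisco: it parses IOS running-config text in the format posted above (a constructed excerpt of that config is embedded, redactions kept), identifies the NAT-outside interface, lists the static port forwards, and flags management services that are reachable without a restricting ACL (the HTTP/HTTPS server without `ip http access-class`, vty lines accepting telnet without `access-class`). It also notes an interface carrying both `ip nat inside` and `ip nat enable`, since those belong to different NAT models. `ip http access-class` and the vty `access-class` sub-command are standard IOS commands; the function names and sample text are constructed here.

```python
"""Audit an IOS running-config for what it exposes on the internet-facing side.

Added example: parses config text in the format posted above, finds the
NAT-outside interface, lists static port forwards, and flags management
services (HTTP/HTTPS server, telnet on vty) that have no access-class.
"""
import re

# Constructed excerpt modelled on the posted running-config (redactions kept).
SAMPLE_CONFIG = """\
no service password-encryption
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip nat enable
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.0.50 2000 interface Dialer1 2000
ip nat inside source static tcp 192.168.0.192 3389 interface Dialer1 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
line vty 0 4
 password xxxxxx
 login local
 transport input telnet ssh
"""

# Matches both forms tried in the thread: "... interface Dialer1 2000" and
# "... <public IP> 2000 [extendable]".
STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)"
)


def parse_blocks(config):
    """Split IOS text into top-level lines and the sub-commands under each.

    IOS indents sub-commands by one space; an unindented line closes the
    current section. Comment lines ('!') and blanks are skipped.
    """
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(config):
    """Return a list of human-readable findings for the given config text."""
    top, sections = parse_blocks(config)
    findings = []
    interfaces = {h: sub for h, sub in sections.items() if h.startswith("interface ")}
    outside = [h.split(None, 1)[1] for h, sub in interfaces.items() if "ip nat outside" in sub]

    # Legacy (inside/outside) and NVI (ip nat enable) NAT are separate models;
    # both on one interface is worth confirming rather than assuming.
    for h, sub in interfaces.items():
        if "ip nat inside" in sub and "ip nat enable" in sub:
            findings.append(f"{h}: has both 'ip nat inside' and 'ip nat enable'; verify this is intended")

    # Every static forward is a service published to the internet.
    for line in top:
        m = STATIC_NAT.match(line)
        if m:
            proto, in_ip, in_port, ifname, ext_ip, ext_port = m.groups()
            findings.append(f"published: {ifname or ext_ip}:{ext_port}/{proto} -> {in_ip}:{in_port}")

    # Management plane: the HTTP server answers on every interface unless an
    # 'ip http access-class' restricts it, so with a NAT-outside interface
    # present it is reachable from the internet.
    http = "ip http server" in top
    https = "ip http secure-server" in top
    if (http or https) and outside and not any(l.startswith("ip http access-class") for l in top):
        findings.append(
            f"management: HTTP{'/HTTPS' if https else ''} server enabled with no ip http access-class; "
            f"reachable via {', '.join(outside)}"
        )
    for h, sub in sections.items():
        if h.startswith("line vty"):
            transport = next((s.split() for s in sub if s.startswith("transport input")), [])
            if ({"telnet", "all"} & set(transport)) and not any(s.startswith("access-class") for s in sub):
                findings.append(f"management: {h} accepts telnet with no access-class")

    if "no service password-encryption" in top:
        findings.append("credentials: service password-encryption is off; line passwords are stored in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the embedded excerpt it reports the two static forwards, the HTTP/HTTPS server reachable via Dialer1, telnet on the vty lines and the clear-text line passwords; adding `ip http access-class` and removing telnet from `transport input` clears the management findings, which is the usual first hardening step when a router starts fronting a PPPoE link.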
01-31-2016 11:41 PM
Hello, Sunghwan Yoo.
Could you try "ip nat inside source static tcp 192.168.0.50 2000 [EXT IP] 2000" (instead of interface)?
And can you show the output of "show ip nat translations"?
Best Regards.
02-01-2016 02:17 PM
Thanks for the reply.
I tried changing the static NAT to "ip nat inside source static tcp 192.168.0.50 2000 [EXT IP] 2000",
and the "show ip nat translation" result is as below:
Pro Inside global Inside local Outside local Outside global
tcp 120.xxx.xxx.xxx:57664 192.168.0.4:57664 179.60.193.2:443 179.60.193.2:443
tcp 120.xxx.xxx.xxx:59434 192.168.0.4:59434 204.155.149.31:80 204.155.149.31:80
tcp 120.xxx.xxx.xxx:55243 192.168.0.12:55243 111.221.29.254:443 111.221.29.254:443
tcp 120.xxx.xxx.xxx:55247 192.168.0.12:55247 111.221.29.253:443 111.221.29.253:443
tcp 120.xxx.xxx.xxx:49790 192.168.0.14:49790 61.9.193.182:80 61.9.193.182:80
tcp 120.xxx.xxx.xxx:49796 192.168.0.14:49796 134.170.165.248:443 134.170.165.248:443
tcp 120.xxx.xxx.xxx:49808 192.168.0.14:49808 61.9.193.136:80 61.9.193.136:80
tcp 120.xxx.xxx.xxx:49823 192.168.0.14:49823 72.247.223.147:80 72.247.223.147:80
tcp 120.xxx.xxx.xxx:49834 192.168.0.14:49834 23.53.152.151:80 23.53.152.151:80
udp 120.xxx.xxx.xxx:59460 192.168.0.15:59460 157.56.106.189:3544 157.56.106.189:3544
tcp 120.xxx.xxx.xxx:64193 192.168.0.15:64193 111.221.29.146:443 111.221.29.146:443
tcp 120.xxx.xxx.xxx:2000 192.168.0.50:2000 107.20.89.142:52779 107.20.89.142:52779
tcp 120.xxx.xxx.xxx:2000 192.168.0.50:2000 --- ---
tcp 120.xxx.xxx.xxx:49990 192.168.0.111:49990 64.233.187.188:443 64.233.187.188:443
udp 120.xxx.xxx.xxx:51800 192.168.0.111:51800 216.58.199.74:443 216.58.199.74:443
02-01-2016 06:28 PM
Hello,
As far as I know, the DVR listens on several ports. The client starts with port 2000 (in your case) and then connects to other ports as well. Read your DVR manual for the other ports, or install Wireshark to check the connections to 192.168.0.50 while you are connecting from inside.
Masoud
02-01-2016 07:04 PM
Hi,
I've checked for other DVR ports with Wireshark, but it shows only port 2000.
I cannot access not only the DVR but also other servers from the external network.
The SAP server IP address is 192.168.0.192, and
I configured "ip nat inside source static tcp 192.168.0.192 3389 interface Dialer1 3389",
but I cannot access the SAP server from outside using a remote desktop application.
02-01-2016 07:22 PM
Is 192.168.0.1 set as the gateway on both of them? If yes, I do not see any other problem in your router configuration. I did not read your IPsec configuration carefully. In a downtime window, remove crypto map SDM_CMAP and then try to see whether IPsec causes this problem.
Masoud
02-01-2016 08:20 PM
Thank you for your reply.
I configured the gateway as 192.168.0.1 on both of them.
I've tried removing crypto map SDM_CMAP_1 on the Dialer1 interface,
but still haven't found a solution. What is the problem?
02-01-2016 08:37 PM
It should work now if you configured the gateway. Do you have internet on the SAP server?
Is this your complete configuration? Any access-list on the router?
Can you ping your server from the router with the source of your public IP?
router#ping 192.168.0.192 source [your public IP]. You should get a reply.
02-01-2016 08:42 PM
The gateway is correct, and the SAP server is connected to the internet.
That is the complete configuration; there are no more access-lists on the router.
And this is the ping result:
router#ping 192.168.0.192 source 1x.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.192, timeout is 2 seconds:
Packet sent with a source address of 1x.x.x.x
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
router#ping 192.168.0.50 source 1x.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.50, timeout is 2 seconds:
Packet sent with a source address of 1x.x.x.x
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
02-01-2016 08:58 PM
I do not see any problem in your configuration. NAT is correct. Routing is correct. You have already removed IPsec. Just try everything one more time. The only thing that comes to my mind is upgrading your OS if you are not successful.
Make sure the subnet mask of your inside devices is 255.255.255.0.
Wait for a while for others' opinions as well.
Masoud
02-01-2016 09:18 PM
Thank you for your reply.
I will show you the network topology.
I used a VPN router (TP-Link) at the head office, and every port forwarding was working well.
But I changed the VPN router to a Cisco 1921 router at the head office only, and got a port forwarding problem.
When I try to access http://<public IP>:80, it shows the Cisco router web configuration interface.
I will try everything again.
Thank you for helping me.
02-01-2016 09:21 PM
I suppose you are trying to connect to SAP from the internet, not through the VPN (from your other sites). Is that correct?
Just one thing: you need to lower your Dialer interface MTU if you have problems with some applications communicating through the VPN, since you have configured IPsec. It is not related to your current problem.
Masoud
02-01-2016 09:35 PM
I just want to use port forwarding, including DVR, RDP, and connecting to SAP from the internet as well. The main reason is to monitor the DVR with a mobile application from outside the office.
02-03-2016 03:02 AM
Hi, Sunghwan Yoo.
After connecting via the Dialer interface, do you have a static IP address, or is it different each time?
Also, could you do a "show ip nat translation | i :2000" or "show ip nat translation | i :3389" at the time when you are trying to connect to your services from outside?
And do you have an ACL on your inside interface?
Best Regards.
02-03-2016 02:18 PM
Hi,
I have a static IP address, which is provided by the ISP.
#sh ip nat tr | i :2000
tcp 1.x.x.x:2000 192.168.0.50:2000 49.195.151.164:42542 49.195.151.164:42542
tcp 1.x.x.x.:2000 192.168.0.50:2000 --- ---
And this is my ACL list. I think I don't have an ACL on my inside interface:
ip nat inside source static tcp 192.168.0.50 2000 interface Dialer1 2000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
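The two `show ip nat translation` listings in this thread (the full table posted on 02-01-2016 and the `| i :2000` filter above) already contain what a defender needs to see who is reaching the published services: the rows ending in `--- ---` are the static mappings, and every other row with the same inside-global address and port is a live connection whose outside-global address is the remote peer. The script below is an added example, not from the thread or from Cisco; it parses that output format and reports the remote peers per published port. The translation lines embedded in it are constructed in the same column layout using documentation addresses (203.0.113.5 as the public IP, 198.51.100.x as peers) rather than the poster's redacted ones.

```python
"""Who is reaching the published services? Parse 'show ip nat translations'.

Added example, not from the thread. Static mappings appear with '---' in both
outside columns; any other row with the same inside-global endpoint is a live
connection from the internet, and its outside-global address is the peer.
"""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed sample in the IOS output format, using documentation addresses
# (203.0.113.5 as the public IP, 198.51.100.x as remote peers).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local        Outside local        Outside global
tcp 203.0.113.5:57664  192.168.0.4:57664   198.51.100.2:443     198.51.100.2:443
tcp 203.0.113.5:49790  192.168.0.14:49790  198.51.100.30:80     198.51.100.30:80
udp 203.0.113.5:59460  192.168.0.15:59460  198.51.100.9:3544    198.51.100.9:3544
tcp 203.0.113.5:2000   192.168.0.50:2000   198.51.100.77:52779  198.51.100.77:52779
tcp 203.0.113.5:2000   192.168.0.50:2000   198.51.100.78:42542  198.51.100.78:42542
tcp 203.0.113.5:2000   192.168.0.50:2000   ---                  ---
tcp 203.0.113.5:3389   192.168.0.192:3389  ---                  ---
"""


def _endpoint(token: str) -> Optional[Endpoint]:
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '---' -> None."""
    if token == "---":
        return None
    ip, port = token.rsplit(":", 1)
    return ip, int(port)


def parse_translations(text: str):
    """Return rows as (proto, inside_global, inside_local, outside_local, outside_global)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, blanks, and protocol-less rows this example does not model.
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        rows.append((parts[0],) + tuple(_endpoint(p) for p in parts[1:]))
    return rows


def inbound_sessions(rows):
    """Map each published (proto, inside_global) to its inside host and remote peers."""
    published: Dict[Tuple[str, Endpoint], Endpoint] = {}
    for proto, ig, il, ol, og in rows:
        if ol is None and og is None:          # static mapping, no active flow
            published[(proto, ig)] = il
    peers: Dict[Tuple[str, Endpoint], Set[str]] = {k: set() for k in published}
    for proto, ig, il, ol, og in rows:
        key = (proto, ig)
        if og is not None and key in published:  # live session on a published port
            peers[key].add(og[0])
    return published, peers


def report(text: str):
    """One line per published service with the distinct remote peers seen."""
    published, peers = inbound_sessions(parse_translations(text))
    out = []
    for (proto, (gip, gport)), (lip, lport) in sorted(published.items()):
        remote = sorted(peers[(proto, (gip, gport))])
        out.append(f"{proto} {gip}:{gport} -> {lip}:{lport}: {len(remote)} remote peer(s) {remote}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_TRANSLATIONS):
        print(line)
```

On the constructed sample this reports two peers on the DVR mapping and none on the RDP mapping. Fed the real output periodically, the same peer lists are the audit trail for an internet-published DVR or RDP host: a peer address that is not one of the expected mobile clients or sites is the signal to tighten the forward with an ACL on the outside interface.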