Port forwarding & nat

boonwah.yeo
Level 1

Hello guys, I need some help; I am very green in networking.

Please help me with these commands.

Currently we have 2 offices, in India and Singapore, without any WAN connection between these 2 offices. The India office has installed some wireless cams (192.168.1.15). I want to monitor these wireless cams from the Singapore office, and at the same time open up 18 ports (9101 - 9119) for the 18 cams (192.168.1.15:9101 - 9119).

From my understanding, I believe I will need to get 1 WAN IP address to translate to their 192.168.1.15:9101 - 9119, so that from the Singapore office I can access their cams through the India WAN IP?

Please advise on the command.

Below is the config:

boot-start-marker
boot-end-marker
!
!
enable secret 4 06YFDUHH61wAE/kLkDq9BGho1QM5EnRtoyr8cHAUg.2
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.161 192.168.1.172
!
ip dhcp pool LAN
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 212.76.85.145 213.236.32.2
 lease 0 2
!
!
ip name-server 212.76.85.145
ip name-server 213.236.32.2
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FCZ162091HZ
!
!
username wael secret 4 n0V/y9uy56hzE90yiFc4hFTclRUtqGgKuR3D.Rw5PME
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Connected To POE - WAN
 ip address 172.21.5.90 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0 secondary
 ip address 213.236.56.233 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 172.21.5.89
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end

Please advise the command to do this.

Best Regards

15 Replies

Abzal
Level 7

Hi,

I believe you can set up static NAT for this situation:

access-list 101 permit  tcp host any range 9101 9119 any

route-map NAT permit 10

match ip add 101

ip nat inside source static x.x.x.x y.y.y.y  route-map NAT

Try this, and let me know if it works for you.

Please rate helpful posts.

Best regards,
Abzal

Hi Abzal, may I know, for this command ip nat inside source static x.x.x.x y.y.y.y route-map NAT, which IP should I enter?

Sorry, as I am really new to networking and also to the company.

Please advise.

Emmanuel Valdez
Level 3

Hello Yeo,

In this case you can use a static NAT for each camera. Are the 18 cameras IP cameras, or do you have a DVR connected to every camera through coaxial cable?

In this case I recommend you set up a site-to-site VPN, if both places have static public IP addresses, to secure all traffic.

Best regards.

Hi ef-Molina, currently our company doesn't have the intention to go into site-to-site VPN yet. And you are correct, all 18 cameras are IP cameras. Over there we are using a PC/server (192.168.1.15) for the IP camera monitoring at their site.

And for Singapore, we are using VLC media player to access all the cameras there (192.168.1.15:9101 - 9119).

ip nat inside source static 192.168.1.15 y.y.y.y  route-map NAT

y.y.y.y - public IP of remote site.

You need to configure these commands on the remote router. What model of router do you have there? How is it connected to the Internet? Show us the topology, then we can explain better.

Please rate helpful posts.

Best regards,
Abzal

Hi Abzal,

I tried the above command; it doesn't work.

The router that they are using is a Cisco Router 1941.
For now I am using TeamViewer software to remote in to 1 of the servers and do the telnet command from there.

Connection to the Internet is via their ISP Internet broadband, connecting to the router.
Judging by the config I posted, I believe it is their 0/0 interface, PPPoE WAN.

1 question: is it normal that I could not ping their WAN Internet IP?

I believe this description should be their WAN interface, right?

description Connected To POE - WAN
ip address 172.21.5.90 255.255.255.248
ip nat outside

Please advise.

Emmanuel Valdez
Level 3

Hi Yeo,

So if you access the cameras through a PC/server, you only need to reach that machine with remote desktop (I recommend it) on port 3389, so the configuration is the following:

conf t

!

!

ip nat inside source static tcp 192.168.1.15 3389 X.X.X.X 3389

!

where X.X.X.X is the public IP address of the router.

If you don't have a static public IP address and use PPPoE to connect to the Internet, you can use the following:

conf t

!

!

ip nat inside source static tcp 192.168.1.15 3389 interface dialer YY 3389

!

where YY is the number of the Dialer Interface.

Another way is to NAT every camera to access them directly from your location. What is the original administration port of the camera? How do you administer them and view the video from them?

Best regards.

Hi Ef-molina,

I wish I could do that, but my boss didn't want to use RDP.

Hi, when I use an Internet browser to open http://whatismyaddress.com, I get this IP address: 213.236.56.233, which I reckon should be my public Internet address, and which is pingable from my Singapore office.

When I did show ip nat translations on the router, I got this.

xxx#sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global

tcp 213.236.56.233:59584 192.168.1.11:59584 37.252.224.5:5938 37.252.224.5:593

tcp 213.236.56.233:49655 192.168.1.15:49655 37.252.225.5:5938 37.252.225.5:593

udp 213.236.56.233:50622 192.168.1.101:50622 132.163.4.9:53  132.163.4.9:53

tcp 213.236.56.233:50753 192.168.1.101:50753 37.252.230.19:5938 37.252.230.19:

38

tcp 213.236.56.233:51036 192.168.1.101:51036 119.82.123.68:5938 119.82.123.68:

38

tcp 213.236.56.233:51041 192.168.1.101:51041 79.140.95.107:80 79.140.95.107:80

tcp 213.236.56.233:51042 192.168.1.101:51042 79.140.95.129:80 79.140.95.129:80

udp 213.236.56.233:52389 192.168.1.101:52389 129.6.13.3:53   129.6.13.3:53

udp 213.236.56.233:52409 192.168.1.101:52409 132.163.4.9:53  132.163.4.9:53

udp 213.236.56.233:52621 192.168.1.101:52621 129.6.13.3:53   129.6.13.3:53

udp 213.236.56.233:61390 192.168.1.101:61390 202.156.196.110:53510 202.156.196

10:53510

udp 213.236.56.233:1025 192.168.1.161:10001 192.168.10.22:2615 192.168.10.22:2

Please advise.

Then yours should be like this:

access-list 101 permit  tcp host any range 9101 9119 any

route-map NAT permit 10

match ip add 101

ip nat inside source static 192.168.1.15 213.236.56.233 route-map NAT

Then show your config.

Please rate helpful posts.

Best regards,
Abzal

Hi, when I tried it, it prompted an error.

xxx(config)#access-list 101 permit tcp host any range 9101 9110 any
Translating "any"...domain server (212.76.85.145)
                                            ^
% Invalid input detected at '^' marker.

OMS(config)#access-list 101 permit tcp host any range 9101 9110 any
Translating "any"...domain server (212.76.85.145)
                                            ^
% Invalid input detected at '^' marker.

OMS(config)#access-list 101 permit tcp host any range 9101 9119 any
Translating "any"...domain server (212.76.85.145)
                                            ^
% Invalid input detected at '^' marker.

Is it possible to enter this command? access-list 101 permit tcp any range 9101 9119 any?

Please advise.

OK, try this one instead:

ip access-list extended PORTFWD

permit tcp any range 9101 9119 any

route-map NAT permit 10

match ip add PORTFWD

ip nat inside source static 192.168.1.15 213.236.56.233 route-map NAT

Best regards,
Abzal

Hi, sorry for the delay. The resulting commands don't seem to work.

I tried to internally stream this IP: 213.236.56.233:9101 in the India branch VLC player, and there is nothing on the screen; same here in the Singapore branch.

Do I need to copy run start before it can actually work? I am thinking it is easier to reload the router to the original configuration for this.

Please advise. 

Abzal
Level 7

Hi,
Not being able to ping the ISP address is not normal.
Is the Internet connection working on yours with the current config?
I think you have a non-routable address on your WAN interface; that's why it's not working. I mean the static NAT.
You need public IP addresses for this.


Sent from Cisco Technical Support iPhone App

Best regards,
Abzal
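
As an added example (not from any poster in this thread): a short Python generator for the per-port form of the `ip nat inside source static tcp` command shown above, one entry per camera port, together with an inbound ACL that admits only one remote peer to the forwarded ports. The function name, the ACL name `CAM-IN` and the peer address 203.0.113.10 (a documentation address standing in for the Singapore office) are assumptions; it also assumes 213.236.56.233 is routed to this router.

```python
import ipaddress

# RFC 1918 ranges: usable on the inside, never reachable from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def port_forward_config(inside_host, public_ip, first_port, last_port,
                        allowed_peer, wan_if="GigabitEthernet0/0",
                        acl_name="CAM-IN"):
    """Return IOS config lines: one static port mapping per port, plus an
    inbound ACL that lets only allowed_peer reach the forwarded ports."""
    inside, public, peer = (ipaddress.IPv4Address(a)
                            for a in (inside_host, public_ip, allowed_peer))
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError("invalid port range")
    if not is_rfc1918(inside):
        raise ValueError("inside host is expected to be a private address")
    if is_rfc1918(public):
        # A private "public" address cannot be reached from the other office.
        raise ValueError("global address must be publicly routable")

    lines = [f"ip nat inside source static tcp {inside} {p} {public} {p}"
             for p in range(first_port, last_port + 1)]
    # The inbound ACL on the outside interface is checked before NAT, so it
    # matches the public address. The final permit keeps other traffic
    # behaving as it did before the ACL was applied.
    lines += [
        f"ip access-list extended {acl_name}",
        f" permit tcp host {peer} host {public} range {first_port} {last_port}",
        f" deny tcp any host {public} range {first_port} {last_port}",
        " permit ip any any",
        f"interface {wan_if}",
        f" ip access-group {acl_name} in",
    ]
    return lines


if __name__ == "__main__":
    # Addresses from the thread; 203.0.113.10 is a constructed placeholder.
    print("\n".join(port_forward_config(
        "192.168.1.15", "213.236.56.233", 9101, 9119, "203.0.113.10")))
```

The range 9101 to 9119 produces 19 mappings; narrow the range if only 18 ports are in use.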