Port forwarding on Cisco 1721

randy kruen

Hi. I am working with a Cisco 1721, fe0 faces the internet with a dynamic address, serial0 feeds 3 subnets downstream, and has a wic 4esw card for 4 local ports. I am trying to port forward a camera on one of the local ports. I have added the parameter to my config: ip nat inside source static tcp 192.168.1.3 8090 interface FastEthernet0 8090. It is not yet working, I think I also have to update my access-list? I am not sure what needs to be added to the list. Thanks for looking at this!

Randy

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 24.153.23.66 24.153.22.67
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1
duplex full
speed 100
!
interface FastEthernet2
duplex full
speed 100
!
interface FastEthernet3
duplex full
speed 100
!
interface FastEthernet4
duplex full
speed 100
!
interface Serial0
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
service-module t1 clock source internal
service-module t1 timeslots 1-24
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
vlan-id dot1q 2
exit-vlan-config
!
ip forward-protocol nd
ip route 192.168.3.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1
ip route 192.168.5.0 255.255.255.0 192.168.2.1
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.3 8090 interface FastEthernet0 8090
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login local
!
ntp clock-period 17180036
ntp server 129.6.15.29
ntp server 129.6.15.28
end


Hi randy kruen,

1) What is the IP assigned to interface fe0? Is this a public IP?

2) Can you please post the "show ip nat translation" output while you are trying to access the cameras?

Hi, and thank you for your quick response! Fe0 faces the internet on a public dhcp address, I would rather not publish that address if I don't have to. Here is the response to the command:

C1721#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 --- ---
tcp 173.33.xxx.xxx:63767 192.168.5.7:63767 172.217.8.174:443 172.217.8.174:443

I am not getting outside local or global addresses assigned. Does that help?

Thanks again, 

Randy

From what I have been reading I think I have to configure an access-list for this to work, but I am not sure.

Randy

No need of any access-list to make it work.

Outside local or global addresses will be seen after adding the keyword "extendable" and when traffic matching the NAT statement is hitting the router's fe0 interface. Please add the following statement and check whether you see the extended entries.

 ip nat inside source static tcp 192.168.1.3 8090 interface FastEthernet0 8090 extendable

Also verify the following:-

1) Are you able to ping 192.168.1.3 using the source IP of Fe0 ("ping 192.168.1.3 source fe0")?

2) Is this communication using protocol TCP and port number 8090 ?

3) Is the traffic hitting the router's fe0 interface? If traffic is hitting you will see the extended entries like the following;

tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 x.x.x.x:xxxx x.x.x.x:xxxx
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 --- ---
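
Added example, not part of the original posts: a short Python script for the check described in the reply above, reporting which outside peers (if any) appear against each static port forward in "show ip nat translation" output. The sample output is constructed from documentation addresses (203.0.113.x, 198.51.100.x), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the thread's output format; the public and
# outside addresses are documentation ranges, not values from the thread.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 203.0.113.10:8090 192.168.1.3:8090 198.51.100.7:51514 198.51.100.7:51514
tcp 203.0.113.10:8090 192.168.1.3:8090 198.51.100.9:40022 198.51.100.9:40022
tcp 203.0.113.10:8090 192.168.1.3:8090 --- ---
udp 203.0.113.10:8090 192.168.1.3:8090 --- ---
tcp 203.0.113.10:63767 192.168.5.7:63767 198.51.100.20:443 198.51.100.20:443
"""

# One translation row: protocol plus the four address columns.
ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global) rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # skips the header and any blank lines
            rows.append(m.groups())
    return rows


def forward_report(text):
    """Map each static port forward to the outside peers currently using it."""
    rows = parse(text)
    # A static forward is the row with '---' in both outside columns.
    statics = {(p, ig, il) for p, ig, il, ol, og in rows
               if ol == "---" and og == "---"}
    report = {key: [] for key in statics}
    for p, ig, il, ol, og in rows:
        # Extended rows share the static's inside pair and name a real peer.
        if og != "---" and (p, ig, il) in statics:
            report[(p, ig, il)].append(og)
    return report


if __name__ == "__main__":
    for (proto, glob, local), peers in sorted(forward_report(SAMPLE).items()):
        state = ", ".join(peers) if peers else "no inbound sessions seen"
        print(f"{proto} {glob} -> {local}: {state}")
```

Dynamic overload (PAT) rows such as the port 63767 entry are ignored because no static row shares their inside address pair.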

Hi, and thanks again for your help. I cannot add the keyword extendable to the line: ip nat inside source static tcp 192.168.1.3 8090 interface FastEthernet0 8090, I get the result:  "% Invalid input detected at '^' marker", marker at e. Running the line with a ? instead of extendable returns only cr as an option. I can ping the port using the following:  ping 192.168.1.3 source fastethernet0 with success.

C1721#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
udp 173.33.xxx.xxx:2076 192.168.1.3:2076 23.92.25.70:8082 23.92.25.70:8082
tcp 173.33.xxx.xxx:8090 192.168.1.3:8090 --- ---
udp 173.33.xxx.xxx:8090 192.168.1.3:8090 --- ---
udp 173.33.xxx.xxx:123 192.168.4.10:123 17.253.14.125:123 17.253.14.125:123

Try to telnet to 173.33.xxx.xxx using port 8090 (you can use "putty"), and see what response you get.

Thanks for your help, it was much appreciated. Knowing that my config was probably correct, I looked elsewhere, and found that the router was not allowing me to connect to the camera public address, although it would allow me to connect to the camera internal address. I can connect to the cameras now via the public address and port number, if my pc is NOT connected via an internal address off my router, i.e., connected to the internet not through the same router. All is good!

Thanks again,

Randy

It's my pleasure to help you. If it was helpful, please rate this or mark it as answered.

Thank you :-)