cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1398
Views
0
Helpful
2
Replies

Router to Router config can communicate one way but not the other.

eliasjalkh
Level 1
Level 1

I have two routers and have connected them to provide access to camera system from production network.

RouterA - Production - 10.10.35.0/24 

RouterB - Camera - 10.10.6.0/24

Need to go from Production to Camera network connecting over port 8000.  I can ping from 10.10.35.x to 10.10.6.x just fine.  Though when trying to connect to port 8000, nothing.  (Camera Network) Traceroute ip 10.10.35.x port 8000 gets to first hop then * * *.  (Prod Network) Traceroute ip 10.10.6.x port 8000 goes through.

 

Router A Config :

interface FastEthernet0
 switchport access vlan 5
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address x.x.x.x 

 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map secure
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.10.35.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting access-violations
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
 hold-queue 32 in
 hold-queue 100 out
!
interface Vlan5
 ip address 192.168.253.254 255.255.255.252
 ip access-group 102 out
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly in
 encapsulation ppp
 shutdown
 dialer pool 1
 dialer-group 1
 no cdp enable
!
ip default-gateway 10.10.35.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 10.10.35.135 80 interface GigabitEthernet0 80
ip nat inside source static tcp 10.10.35.135 4010 interface GigabitEthernet0 4010
ip nat inside source static tcp 10.10.35.135 4011 interface GigabitEthernet0 4011
ip nat inside source static tcp 10.10.35.50 59002 interface GigabitEthernet0 59002
ip nat inside source static udp 10.10.35.51 59101 interface GigabitEthernet0 59101
ip nat inside source route-map mustnat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.10.6.0 255.255.255.0 192.168.253.253
!
access-list 1 permit 10.10.35.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit gre host x.x.x.x any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 4010
access-list 101 permit tcp any any eq 4011
access-list 101 permit tcp any any eq 59002
access-list 101 permit tcp any any eq 59101
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 102 permit icmp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 102 permit icmp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 8080
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 8000
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 554
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 443
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8080
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8000
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 554
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 443
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq www
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq www
access-list 105 permit ip 10.10.4.0 0.0.3.255 any
access-list 105 permit ip 10.10.40.0 0.0.0.255 any
access-list 105 permit ip x.x.x.x x.x.x.x any
access-list 105 permit ip x.x.x.x x.x.x.x any
access-list 105 permit ip 10.10.35.0 0.0.0.255 any
access-list 110 permit ip 10.10.35.0 0.0.0.255 10.10.4.0 0.0.0.255
access-list 120 deny   ip 10.10.35.0 0.0.0.255 10.10.4.0 0.0.0.255
access-list 120 permit ip 10.10.35.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map mustnat permit 10
 match ip address 120
!

 

 

Router B Config:

!
interface FastEthernet0
 switchport access vlan 5
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description Connected to the Internet
 ip address x.x.x.x
 ip access-group 101 in
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map secure
!
interface Virtual-Template10
 ip unnumbered Vlan1
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.6.25 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 hold-queue 32 in
 hold-queue 100 out
!
interface Vlan5
 ip address 192.168.253.253 255.255.255.252
 ip access-group 102 out
!
ip local pool vpnpool 10.10.4.240 10.10.4.249
ip local pool crypto_pool 192.168.151.1 192.168.151.100
ip default-gateway 10.10.6.25
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.6.121 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.10.6.121 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.10.6.121 554 x.x.x.x 554 extendable
ip nat inside source static tcp 10.10.6.121 8000 x.x.x.x 8000 extendable
ip nat inside source static tcp 10.10.6.121 8080 x.x.x.x 8080 extendable
ip nat inside source static tcp 10.10.6.121 10554 x.x.x.x 10554 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.10.35.0 255.255.255.0 192.168.253.254
!
access-list 1 permit 10.10.6.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit tcp any any eq 8080
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq 554
access-list 101 permit tcp any any eq 8000
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 10554
access-list 101 permit tcp any any eq www
access-list 102 permit icmp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 102 permit icmp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 8080
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 8000
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 554
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 443
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8080
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8000
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 554
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 443
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq www
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq www
access-list 105 permit ip 10.10.8.0 0.0.3.255 any
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ipx.x.x.x.x any
access-list 105 permit ip 10.10.4.0 0.0.3.255 any
access-list 105 permit ip xxxx any
access-list 105 permit ip 10.10.6.0 0.0.0.255 any
access-list 120 deny   ip 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 120 deny   ip 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3
access-list 120 permit ip 10.10.6.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map mustnat permit 10
 match ip address 120
!

 

 

I was going to add "ip nat inside source route-map mustnat interface f4 overload" to Router B but decided I would wait and see if you all thought this would help.  Any guidance is appreciated.   

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

I haven't setup cameras before so this may or may not be of help but I think the issue is with your acl on router B.

A TCP connection usually uses a random source port and an application specific destination port. So on Router A your acl is correct ie. allow TCP from 10.10.35.x to 10.10.6.x with a destination port of 8000.

However the return traffic from the camera will have a source port of 8000 not a destination port which your acl is currently set for.

Trying adding this line to acl 102 on router B -

access-list 102 permit tcp 10.10.6.0 0.0.0.255 eq 8000 10.10.35.0 0.0.0.255

Jon

View solution in original post

2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

I haven't setup cameras before so this may or may not be of help but I think the issue is with your acl on router B.

A TCP connection usually uses a random source port and an application specific destination port. So on Router A your acl is correct ie. allow TCP from 10.10.35.x to 10.10.6.x with a destination port of 8000.

However the return traffic from the camera will have a source port of 8000 not a destination port which your acl is currently set for.

Trying adding this line to acl 102 on router B -

access-list 102 permit tcp 10.10.6.0 0.0.0.255 eq 8000 10.10.35.0 0.0.0.255

Jon

Thanks Jon Marshall.  I never even thought of that, and of course that is exactly what was happening.  Thanks for the fresh pair of eyes.

Review Cisco Networking for a $25 gift card