08-04-2015 02:17 PM - edited 03-08-2019 01:14 AM
I have two routers and have connected them to provide access to camera system from production network.
RouterA - Production - 10.10.35.0/24
RouterB - Camera - 10.10.6.0/24
Need to go from Production to Camera network connecting over port 8000. I can ping from 10.10.35.x to 10.10.6.x just fine. Though when trying to connect to port 8000, nothing. (Camera Network) Traceroute ip 10.10.35.x port 8000 gets to first hop then * * *. (Prod Network) Traceroute ip 10.10.6.x port 8000 goes through.
Router A Config:
interface FastEthernet0
switchport access vlan 5
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address x.x.x.x
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect Firewall out
ip virtual-reassembly in
duplex auto
speed auto
crypto map secure
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.35.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
hold-queue 32 in
hold-queue 100 out
!
interface Vlan5
ip address 192.168.253.254 255.255.255.252
ip access-group 102 out
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip inspect Firewall out
ip virtual-reassembly in
encapsulation ppp
shutdown
dialer pool 1
dialer-group 1
no cdp enable
!
ip default-gateway 10.10.35.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 10.10.35.135 80 interface GigabitEthernet0 80
ip nat inside source static tcp 10.10.35.135 4010 interface GigabitEthernet0 4010
ip nat inside source static tcp 10.10.35.135 4011 interface GigabitEthernet0 4011
ip nat inside source static tcp 10.10.35.50 59002 interface GigabitEthernet0 59002
ip nat inside source static udp 10.10.35.51 59101 interface GigabitEthernet0 59101
ip nat inside source route-map mustnat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.10.6.0 255.255.255.0 192.168.253.253
!
access-list 1 permit 10.10.35.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit gre host x.x.x.x any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 4010
access-list 101 permit tcp any any eq 4011
access-list 101 permit tcp any any eq 59002
access-list 101 permit tcp any any eq 59101
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 102 permit icmp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 102 permit icmp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 8080
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 8000
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 554
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq 443
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8080
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8000
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 554
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 443
access-list 102 permit tcp 10.10.35.0 0.0.0.255 10.10.6.0 0.0.0.255 eq www
access-list 102 permit tcp 10.10.35.0 0.0.0.255 192.168.253.252 0.0.0.3 eq www
access-list 105 permit ip 10.10.4.0 0.0.3.255 any
access-list 105 permit ip 10.10.40.0 0.0.0.255 any
access-list 105 permit ip x.x.x.x x.x.x.x any
access-list 105 permit ip x.x.x.x x.x.x.x any
access-list 105 permit ip 10.10.35.0 0.0.0.255 any
access-list 110 permit ip 10.10.35.0 0.0.0.255 10.10.4.0 0.0.0.255
access-list 120 deny ip 10.10.35.0 0.0.0.255 10.10.4.0 0.0.0.255
access-list 120 permit ip 10.10.35.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map mustnat permit 10
match ip address 120
!
Router B Config:
!
interface FastEthernet0
switchport access vlan 5
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description Connected to the Internet
ip address x.x.x.x
ip access-group 101 in
ip nat outside
ip inspect Firewall out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map secure
!
interface Virtual-Template10
ip unnumbered Vlan1
peer default ip address pool vpnpool
ppp encrypt mppe auto required
ppp authentication ms-chap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.6.25 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1400
hold-queue 32 in
hold-queue 100 out
!
interface Vlan5
ip address 192.168.253.253 255.255.255.252
ip access-group 102 out
!
ip local pool vpnpool 10.10.4.240 10.10.4.249
ip local pool crypto_pool 192.168.151.1 192.168.151.100
ip default-gateway 10.10.6.25
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.6.121 80 x.x.x.x 80 extendable
ip nat inside source static tcp 10.10.6.121 443 x.x.x.x 443 extendable
ip nat inside source static tcp 10.10.6.121 554 x.x.x.x 554 extendable
ip nat inside source static tcp 10.10.6.121 8000 x.x.x.x 8000 extendable
ip nat inside source static tcp 10.10.6.121 8080 x.x.x.x 8080 extendable
ip nat inside source static tcp 10.10.6.121 10554 x.x.x.x 10554 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.10.35.0 255.255.255.0 192.168.253.254
!
access-list 1 permit 10.10.6.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit ip x.x.x.x x.x.x.x any
access-list 101 permit tcp any any eq 8080
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq 554
access-list 101 permit tcp any any eq 8000
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 10554
access-list 101 permit tcp any any eq www
access-list 102 permit icmp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 102 permit icmp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 8080
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 8000
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 554
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 443
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8080
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 8000
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 554
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq 443
access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq www
access-list 102 permit tcp 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3 eq www
access-list 105 permit ip 10.10.8.0 0.0.3.255 any
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ipx.x.x.x.x any
access-list 105 permit ip 10.10.4.0 0.0.3.255 any
access-list 105 permit ip xxxx any
access-list 105 permit ip 10.10.6.0 0.0.0.255 any
access-list 120 deny ip 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255
access-list 120 deny ip 10.10.6.0 0.0.0.255 192.168.253.252 0.0.0.3
access-list 120 permit ip 10.10.6.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map mustnat permit 10
match ip address 120
!
I was going to add "ip nat inside source route-map mustnat interface f4 overload" to Router B but decided I would wait and see if you all thought this would help. Any guidance is appreciated.
08-05-2015 06:02 AM
I haven't set up cameras before so this may or may not be of help, but I think the issue is with your acl on router B.
A TCP connection usually uses a random source port and an application-specific destination port. So on Router A your acl is correct, i.e. allow TCP from 10.10.35.x to 10.10.6.x with a destination port of 8000.
However, the return traffic from the camera will have a source port of 8000, not a destination port, which is what your acl is currently set for.
Try adding this line to acl 102 on router B -
access-list 102 permit tcp 10.10.6.0 0.0.0.255 eq 8000 10.10.35.0 0.0.0.255
Jon
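To make the point above concrete, here is a small first-match evaluator for Cisco extended ACL lines, run against Router B's acl 102 as posted and then with Jon's extra line. This is an added illustration, not code from the thread or from Cisco; the packet addresses reuse 10.10.6.121 and 10.10.35.50 from the configs, and the ephemeral port 51000 is a constructed sample value.

```python
import ipaddress

PORTS = {"www": 80}  # named port that appears in the thread's ACLs

def _match(addr, base, wildcard):
    # Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _addr(t):  # "any", "host A.B.C.D", or "network wildcard"
    tok = t.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (t.pop(0), "0.0.0.0") if tok == "host" else (tok, t.pop(0))

def _port(t):  # optional "eq <port>"; None means any port
    if not t or t[0] != "eq":
        return None
    _, p = t.pop(0), t.pop(0)
    return int(PORTS.get(p, p))

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines in order."""
    entries = []
    for line in lines:
        t = line.split()[2:]            # drop "access-list N"
        action, proto = t.pop(0), t.pop(0)
        src, sport, dst, dport = _addr(t), _port(t), _addr(t), _port(t)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, p, (sb, sw), sp, (db, dw), dp in acl:
        if p in ("ip", proto) and _match(src, sb, sw) and _match(dst, db, dw) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

# Router B acl 102 as posted (the entries relevant to 8000/tcp) plus Jon's line
ROUTER_B_ACL102 = [
    "access-list 102 permit icmp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255",
    "access-list 102 permit tcp 10.10.6.0 0.0.0.255 10.10.35.0 0.0.0.255 eq 8000",
]
JON_FIX = "access-list 102 permit tcp 10.10.6.0 0.0.0.255 eq 8000 10.10.35.0 0.0.0.255"

def return_packet_verdict(with_fix):
    """Camera's SYN-ACK back to production: source port 8000, ephemeral destination.
    Host addresses and port 51000 are constructed sample values."""
    acl = parse_acl(ROUTER_B_ACL102 + ([JON_FIX] if with_fix else []))
    return evaluate(acl, "tcp", "10.10.6.121", 8000, "10.10.35.50", 51000)
```

The ICMP entry has no port qualifier, which is why ping worked in both directions while the TCP reply fell through to the implicit deny.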
08-05-2015 06:13 AM
Thanks Jon Marshall. I never even thought of that, and of course that is exactly what was happening. Thanks for the fresh pair of eyes.