I'm having trouble configuring external access to an internal camera DVR device. I have successfully forwarded port 80 to the device and am able to access the logon screen externally but receive an error while trying to log on. I have contacted the manufacturer of the device and they informed me that the error is related to the firewall blocking TCP ports 37260 and 1600. I have tried multiple ways to open these ports and am unsuccessful at doing so. This device was initially configured using the Cisco SDM software and I believe that its default firewall configuration is the issue. It is configured with two VLANs, VLAN1 and VLAN2, with FastEthernet4 as the WAN interface. The DVR device is on VLAN1 with 10.10.10.3 as the IP. I can successfully access the device internally using this IP. Any advice would be greatly appreciated. Thanks ahead of time.
Below is the current configuration:
!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *removed*
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$MmxH$l4KK42ZP3UK9ivyyL4PmG/
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2714469565
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2714469565
revocation-check none
rsakeypair TP-self-signed-2714469565
!
!
crypto pki certificate chain TP-self-signed-2714469565
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373134 34363935 3635301E 170D3032 30333031 30303038
32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37313434
36393536 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BBF2 9CBF04D4 D5062193 9A788A28 C2DD2D8B A5AD9B7F C448F533 7E821D7F
2C4FC2B2 7FF52427 46BB748B B3B1BBC4 54F146EB 59BEB550 0BA1D7E9 62651C75
F82FB50B DB9B578C 67018CE7 31C0C0CA 34608306 3B5674FC B0E9A67A 53705C48
004CAB81 DC1112A4 01A03F1C 539F80F8 E7728EDA 72B8756B D32E67E3 CDC118D5
17D90203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13526F63 6B6E6573 2E726F63 6B6E6573 2E636F6D 301F0603
551D2304 18301680 1456B3F0 DBAA7D06 83948187 8B80B1E2 D417B3D3 80301D06
03551D0E 04160414 56B3F0DB AA7D0683 9481878B 80B1E2D4 17B3D380 300D0609
2A864886 F70D0101 04050003 818100AD 315CF1E7 6B6676BC C7E01212 45ADF702
65465827 52BFD1F0 F034A281 CBF50762 94C0115A 67884DEE 556ECFC4 71F5B8AF
B84A3546 11EBE1E0 7B2D195F 323C0DBE 8A1D9A0A 34885529 2D52AA6D DD73C2E7
C5912A2A 3E05A235 939425AE 8F4E0038 755DDD3F B9BAA14D 9D1065CC 5E23619F
C665F054 6B8A61E9 9863DE39 881BD5
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server *removed* *removed*
!
ip dhcp pool sdm-pool2
import all
network 192.168.1.0 255.255.255.0
!
!
ip port-map http port tcp 35000 description Cameras
no ip bootp server
ip domain name *removed*.com
ip name-server *removed*
ip name-server *removed*
!
!
!
username administrator privilege 15 secret 5 $1$S7C/$6IHlASWs3Yw2zNf32zxc50
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any http
match protocol http
class-map type inspect match-all sdm-cls--1
match class-map http
match access-group name Any
class-map type inspect match-any http1
match class-map http
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
policy-map type inspect sdm-policy-http1
class type inspect http1
inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
service-policy type inspect sdm-policy-http1
!
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address <wan ip> 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <wan ip>
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool VLAN2 192.168.1.2 192.168.1.254 netmask 255.255.255.0
ip nat pool VLAN1 10.0.0.2 10.0.0.254 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.2 80 <wan ip> 80 extendable
!
ip access-list extended Any
remark SDM_ACL Category=128
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark 2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
no cdp run
!
!
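On an IOS zone-based firewall, an externally reachable service has to clear two separate gates: a static NAT entry that forwards the outside port to the inside host, and an inspect policy on the out-zone to in-zone zone-pair whose class-map actually matches that traffic (by protocol name, by `ip port-map`, or by a catch-all `match protocol tcp`). The Python script below is an added example, not part of the original post: it parses the port-map, class-map, policy-map, zone-pair and `ip nat inside source static tcp` statements copied from the posted config and reports, for a stated inside host and list of TCP ports, which gate is missing. Assumptions: the parser only understands the statement forms that appear in this config, ignores `match access-group` conditions, treats a class with no configured action as a drop (the ZBF default), and the `WELL_KNOWN` table is a hand-picked subset of the ports the inspect engine maps to protocol names by default.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the port-map, class-map, policy-map, zone-pair and static-NAT
# statements copied from the posted running config (everything else is omitted).
RUNNING_CONFIG = """\
ip port-map http port tcp 35000 description Cameras
class-map type inspect match-any http
 match protocol http
class-map type inspect match-any http1
 match class-map http
policy-map type inspect sdm-policy-http1
 class type inspect http1
  inspect
 class class-default
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-http1
ip nat inside source static tcp 10.10.10.2 80 <wan ip> 80 extendable
"""
# Hand-picked subset of the TCP ports the IOS inspect engine maps to a protocol by default.
WELL_KNOWN = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap", 443: "https", 554: "rtsp"}

@dataclass
class ClassMap:
    protocols: list = field(default_factory=list)   # from "match protocol X"
    class_maps: list = field(default_factory=list)  # from nested "match class-map Y"

@dataclass
class Config:
    class_maps: dict = field(default_factory=dict)   # name -> ClassMap
    policy_maps: dict = field(default_factory=dict)  # name -> {class name: inspect|pass|drop}
    zone_pairs: list = field(default_factory=list)   # [source zone, destination zone, policy]
    static_nats: list = field(default_factory=list)  # (inside ip, inside port, outside port)
    port_map: dict = field(default_factory=lambda: dict(WELL_KNOWN))  # tcp port -> protocol

def parse_config(text):
    """Parse ZBF and static-NAT statements line by line (IOS indentation not required; ACL matches ignored)."""
    cfg, cur, cur_class = Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"class-map type inspect match-(?:any|all) (\S+)$", line):
            cur = cfg.class_maps[m[1]] = ClassMap()
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            cur, cur_class = cfg.policy_maps.setdefault(m[1], {}), None
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            cfg.zone_pairs.append(cur := [m[1], m[2], None])
        elif m := re.match(r"ip nat inside source static tcp (\S+) (\d+) .+? (\d+)\b", line):
            cfg.static_nats.append((m[1], int(m[2]), int(m[3])))
        elif m := re.match(r"ip port-map (\S+) port tcp (\d+)", line):
            cfg.port_map[int(m[2])] = m[1]
        elif isinstance(cur, ClassMap) and (m := re.match(r"match (protocol|class-map) (\S+)", line)):
            (cur.protocols if m[1] == "protocol" else cur.class_maps).append(m[2])
        elif isinstance(cur, dict) and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cur_class = m[1]
            cur[cur_class] = "drop"  # ZBF drops traffic for a class with no configured action
        elif isinstance(cur, dict) and cur_class and line.split()[0] in ("inspect", "pass", "drop"):
            cur[cur_class] = line.split()[0]
        elif isinstance(cur, list) and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cur[2] = m[1]
    return cfg

def resolve_protocols(cfg, name, seen=frozenset()):
    """Protocols a class-map matches, following nested 'match class-map' references."""
    cm = cfg.class_maps.get(name)
    if cm is None or name in seen:
        return set()
    protos = set(cm.protocols)
    for ref in cm.class_maps:
        protos |= resolve_protocols(cfg, ref, seen | {name})
    return protos

def inbound_protocols(cfg, src="out-zone", dst="in-zone"):
    """Protocols the zone-pair policy inspects or passes; 'any' if class-default passes."""
    allowed = set()
    for source, dest, policy in cfg.zone_pairs:
        if (source, dest) != (src, dst) or policy not in cfg.policy_maps:
            continue
        for cls, action in cfg.policy_maps[policy].items():
            if action in ("inspect", "pass"):
                allowed |= {"any"} if cls == "class-default" else resolve_protocols(cfg, cls)
    return allowed

def audit_port_forward(cfg, dvr_ip, ports):
    """One finding per reason an external TCP port cannot reach dvr_ip through this router."""
    allowed = inbound_protocols(cfg)
    findings = []
    for port in ports:
        nats = [n for n in cfg.static_nats if n[2] == port]
        if not nats:
            findings.append(f"tcp/{port}: no static NAT forwards this port to an inside host")
        elif all(n[0] != dvr_ip for n in nats):
            findings.append(f"tcp/{port}: static NAT forwards to {nats[0][0]}, not {dvr_ip}")
        if not allowed & {"any", "tcp", cfg.port_map.get(port)}:
            findings.append(f"tcp/{port}: out-zone to in-zone policy only handles {sorted(allowed)}")
    return findings

if __name__ == "__main__":
    print(*audit_port_forward(parse_config(RUNNING_CONFIG), "10.10.10.3", [80, 37260, 1600]), sep="\n")
```

Run against the posted statements, the audit reports that the only inbound class the `sdm-zp-out-zone-in-zone` policy inspects is `http` (port 80, plus tcp/35000 through the port-map), that the single static NAT entry forwards tcp/80 to 10.10.10.2 rather than to the DVR at 10.10.10.3, and that tcp/37260 and tcp/1600 have neither a NAT entry nor a matching class. The same checks apply to any host and port list, which makes the script a quick pre-change review for forwards on an SDM-generated firewall.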