YeoBoonWah


Cisco Router 1941

Hello guys, need some help, I am very green in networking.

I have a Cisco router in another country which is isolated from our Singapore branch.

What our company is trying to do is to open up 18 ports from 9101 - 9119 for this Cisco router 1941, which is at the overseas site. These 18 ports are for the wireless cam over at the other office.

After which we will want to access the wireless cam through the WAN IP:9101 ~ 9119?

From my understanding, I believe I will need to get 1 WAN IP address to translate to their internal IP and then allow any to this WAN IP.

Below is the config

boot-start-marker
boot-end-marker
!
!
enable secret 4 06YFDUHH61wAE/kLkDq9BGho1QM5EnRtoyr8cHAUg.2
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.161 192.168.1.172
!
ip dhcp pool LAN
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 212.76.85.145 213.236.32.2
 lease 0 2
!
!
ip name-server 212.76.85.145
ip name-server 213.236.32.2
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FCZ162091HZ
!
!
username wael secret 4 n0V/y9uy56hzE90yiFc4hFTclRUtqGgKuR3D.Rw5PME
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Connected To POE - WAN
 ip address 172.21.5.90 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0 secondary
 ip address 213.236.56.233 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 172.21.5.89
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
end

Please advise the command to do this.

Best Regards
unfragmented

It sounds like you want static port address translation (PAT), sometimes called 'port forwarding'.  The following command should be useful to you as a template:-

ip nat inside source static tcp 192.168.1.101 80 interface gi0/1 9101

You will need one of these lines for each port that you want forwarded.

ASKER

Does that mean that I don't need to use the WAN IP to access that wireless cam there?
Only 192.168.1.101:9101~9119 will do?

Please advise
Not quite.

That line basically sets up a static entry in the NAT table.

Inner Address : Inner Port : Outer Address : Outer Port
---------------------------------------------------------------------------------------------
192.168.1.101  : 80              :       "interface"    : 9101

The 'interface' keyword automatically substitutes whatever IP address was assigned to the 'outside' interface (useful when ISP assigns IP address dynamically).

So with this entry you'd browse to the WAN address on port 9101 and it would be translated to 192.168.1.101 on port 80.
Hi, thanks a lot, but is it a must to have a source port address -> destination port?
I think what I need is only doing a NAT from WAN IP --> LAN IP and opening up the 18 ports.

I understand from my vendor supporting the wireless cam.

Please advise.
Not sure I understand the last question.  You can translate to the same port if you want, i.e.

Inner Address : Inner Port : Outer Address : Outer Port
---------------------------------------------------------------------------------------------
192.168.1.101  : 9101            :       "interface"    : 9101
Thanks, I will try it.

Anyway, 1 last question: how to verify whether the ports are successfully opened?

Please advise.
asavener
For NAT rule, you need the global (public) IP address and the inside (private) IP address.  You can set up a NAT rule for all traffic to an IP, or you can set up port address translation (PAT) rules for individual ports.

To limit the traffic to certain source IP addresses, you would configure an access list and apply it to the outside interface.
Try this.  It should
a) allow outbound and returning traffic (CBAC)
b) create the PAT rules without breaking access to the router itself (ip nat inside....)
c) allow the correct traffic to the camera (access list):

ip inspect name CBAC ftp
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

ip access-list extended FW-G0/0_v1
permit tcp host <source ip> host 172.21.5.90 range 9101 9119
deny ip any any

int g0/0
ip inspect CBAC out
ip access-group FW-G0/0_v1 in

ip nat inside source static tcp 192.168.1.101 9101 172.21.5.90 9101
...
<repeat for other ports>
...
ip nat inside source static tcp 192.168.1.101 9101 172.21.5.90 9119
To confirm the translations are in place, do a show ip nat translation.  This will show you all translations including dynamic translations, so you may want to filter the output with a '| include'.

You should see an entry (or entries) with your configured respective addresses and ports.
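
One way to automate the check described above, as an added example that is not part of the original thread: a Python parser that picks out the entries with no outside peer (`---`), which is how static translations are listed in `show ip nat translations`, and compares them with the forwards you intended to publish. The sample output is constructed (modelled on the output format in this thread), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the `show ip nat translations` output in this
# thread, including a terminal-wrapped line ("38") that must be ignored.
SAMPLE = """\
OMS#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 213.236.56.233:50753 192.168.1.101:50753 37.252.230.19:5938 37.252.230.19:
38
udp 213.236.56.233:2627 192.168.1.181:2627 64.113.32.5:123   64.113.32.5:123
tcp 213.236.56.233:9101 192.168.1.181:9101 ---               ---
tcp 213.236.56.233:9102 192.168.1.182:9102 ---               ---
tcp 213.236.56.233:8080 192.168.1.190:80   ---               ---
"""

# proto, inside global ip:port, inside local ip:port, outside local, outside global
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s*$")

def static_entries(output):
    """Return {(proto, global_ip, global_port): (local_ip, local_port)} for
    rows whose outside columns are both '---' (static translations)."""
    found = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, header, or wrapped continuation line
        proto, g_ip, g_port, l_ip, l_port, o_local, o_global = m.groups()
        if o_local == "---" and o_global == "---":
            found[(proto, g_ip, int(g_port))] = (l_ip, int(l_port))
    return found

def audit(output, global_ip, ports, proto="tcp"):
    """Compare static entries with the intended forwards.
    Returns (missing_ports, unexpected_entries)."""
    static = static_entries(output)
    wanted = {(proto, global_ip, p) for p in ports}
    missing = sorted(p for (_, _, p) in wanted - set(static))
    # Anything published that was not asked for is exposure worth reviewing.
    unexpected = {k: v for k, v in static.items() if k not in wanted}
    return missing, unexpected

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE, "213.236.56.233", range(9101, 9120))
    print("ports with no static entry:", missing)
    print("static entries outside the intended range:", unexpected)
```

A static entry only shows that the translation exists; whether traffic reaches it still depends on the access list applied to the outside interface.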
Hi, below are the router NAT translations. Is the NAT in place?

tcp 213.236.56.233:9101 192.168.1.181:9101 ---

OMS#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 213.236.56.233:59584 192.168.1.11:59584 37.252.224.5:5938 37.252.224.5:593
tcp 213.236.56.233:49655 192.168.1.15:49655 37.252.225.5:5938 37.252.225.5:593
udp 213.236.56.233:50622 192.168.1.101:50622 132.163.4.9:53  132.163.4.9:53
tcp 213.236.56.233:50753 192.168.1.101:50753 37.252.230.19:5938 37.252.230.19:
38
tcp 213.236.56.233:51036 192.168.1.101:51036 119.82.123.68:5938 119.82.123.68:
38
tcp 213.236.56.233:51041 192.168.1.101:51041 79.140.95.107:80 79.140.95.107:80
tcp 213.236.56.233:51042 192.168.1.101:51042 79.140.95.129:80 79.140.95.129:80
udp 213.236.56.233:52389 192.168.1.101:52389 129.6.13.3:53   129.6.13.3:53
udp 213.236.56.233:52409 192.168.1.101:52409 132.163.4.9:53  132.163.4.9:53
udp 213.236.56.233:52621 192.168.1.101:52621 129.6.13.3:53   129.6.13.3:53
udp 213.236.56.233:61390 192.168.1.101:61390 202.156.196.110:53510 202.156.196
10:53510
udp 213.236.56.233:1025 192.168.1.161:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1029 192.168.1.162:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1026 192.168.1.163:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1027 192.168.1.164:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1032 192.168.1.165:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1031 192.168.1.166:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1024 192.168.1.167:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:10001 192.168.1.168:10001 192.168.10.22:2615 192.168.10.22:
15
udp 213.236.56.233:1028 192.168.1.169:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1030 192.168.1.170:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:1033 192.168.1.171:10001 192.168.10.22:2615 192.168.10.22:2
5
udp 213.236.56.233:2627 192.168.1.181:2627 64.113.32.5:123   64.113.32.5:123
tcp 213.236.56.233:4066 192.168.1.181:4066 91.198.22.70:80   91.198.22.70:80
tcp 213.236.56.233:9101 192.168.1.181:9101 ---               ---
tcp 213.236.56.233:2724 192.168.1.183:2724 216.146.39.70:80  216.146.39.70:80
tcp 213.236.56.233:2491 192.168.1.186:2491 216.146.38.70:80  216.146.38.70:80
udp 213.236.56.233:2146 192.168.1.187:2146 64.113.32.5:123   64.113.32.5:123
udp 213.236.56.233:2185 192.168.1.189:2185 64.113.32.5:123   64.113.32.5:123
tcp 213.236.56.233:4158 192.168.1.190:4158 91.198.22.70:80   91.198.22.70:80
tcp 213.236.56.233:4505 192.168.1.191:4505 91.198.22.70:80   91.198.22.70:80
udp 213.236.56.233:2112 192.168.1.192:2112 64.113.32.5:123   64.113.32.5:123
tcp 213.236.56.233:2083 192.168.1.193:2083 216.146.38.70:80  216.146.38.70:80
udp 213.236.56.233:2160 192.168.1.193:2160 64.113.32.5:123   64.113.32.5:123
udp 213.236.56.233:2621 192.168.1.194:2621 64.113.32.5:123   64.113.32.5:123
tcp 213.236.56.233:2593 192.168.1.195:2593 216.146.38.70:80  216.146.38.70:80
tcp 213.236.56.233:4819 192.168.1.197:4819 216.146.39.70:80  216.146.39.70:80

Basically the IP cams for the country are from 192.168.1.181 ~ 198. What I am trying to do is to use VLC Player to try to stream from our Singapore office, using the WAN IP:9101 ~ 9119.

Please refer to the attachment.
Book2.xlsx
ASKER CERTIFIED SOLUTION
asavener
This solution is only available to members.
Hi, can I ask: instead of using 172.21.5.90, can I use the IP of 172.21.5.91? Since I have calculated the subnet mask, I should have 6 hosts of 89 - 94?
You can use any address that gets routed to you.
I am not sure if this Cisco document "Configuring Network Address Translation: Getting Started" http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic8 will be of any use.