
Accessing IP Camera from Cisco 2801

Tags:
  • Networking
  • Cameras
  • Cisco
May 29, 2014 2:07:53 AM

Hello. I have an IP camera at the address 192.168.1.251:8251 and a Cisco 2801 router.
I have a NAT to access the camera from outside (3G) and it is working properly.
From the LAN I can also access it through its internal address and port.
The camera reports the public IP address to a DDNS server, and an application on my phone connects to the camera through the DDNS server, which informs it of the public IP.
Everything works fine except when I try to access the camera from the phone while it is connected to my home wifi (my internal network). If I'm connected to 3G it works fine.
It's as if it did not know how to reach itself starting from itself...
Any idea?


May 29, 2014 5:45:28 AM

I think you are having the same problem you would have if you tried to access a webpage you are hosting internally, using the external URL. It won't work because ultimately the source and destination network are the same, and a router won't echo traffic back to the same network it came from.

You need to either:


  • Simplest solution: use the IP address of the camera when connecting internally. If you normally access https://www.myhouseurl.com/camera/login
    just use https://192.168.1.251:8251/camera/login instead. It will work fine.
  • If you have a local DNS server (this might be your router/gateway), add an entry translating the external URL directly to the internal IP so it bypasses directly to the camera.
  • You can do this directly on the end device. In Windows you have something called a "hosts file" (google it); it's like a local DNS override which you can alter on that machine, but this probably won't be suitable for your phone as you'd need to edit it each time you use 3G.
    May 29, 2014 8:14:48 AM

    Your problem in general is called hairpin NAT. There are only a very small number of routers that can fix this, and a Cisco IOS configuration is messy.

    You have 2 problems. First, you need to have the destination address converted to the 192.168.1.251 address by the router. That you can accomplish in an IOS-based router with some policy routing and a loopback interface as an outside interface. The configuration is called NAT on a stick.

    So now you get the destination address translated correctly and the packet makes it to the server. The problem is the server will send the traffic directly back to your phone/PC, since the address of that device is on the same subnet. So when the return traffic goes to the device, the router cannot intercept it and translate the IP back to make it appear as if it is coming back from the external address. To fix this you must also translate the source address to some other dummy address that is not on the LAN; other private addresses are best.


    So you are going to have to look the details up, but what you want to do is:

    NAT the SOURCE address of traffic going to the external server from the internal LAN subnet. You likely should use a pool address if you have more than one device that needs to do this.

    Policy route traffic destined for the external server from an internal LAN to a dummy loopback interface that is defined as a NAT OUTSIDE interface.

    May 30, 2014 8:42:22 AM

    Thank you both.
    I think the solution I like best is the one proposed by Urumiko.
    • If you have a local DNS server (this might be your router/gateway), add an entry translating the external URL directly to the internal IP so it bypasses directly to the camera.
    But my skills fail me to insert that line.
    Could you tell me exactly the input that should be inserted, and on which interface?
    I copy my router settings.
    Thank you.


    User Access Verification

    Current configuration : 1942 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    !
    no aaa new-model
    dot11 syslog
    ip source-route
    !
    !
    ip dhcp excluded-address 192.168.1.230 192.168.1.252
    ip dhcp excluded-address 192.168.1.1 192.168.1.2
    ip dhcp excluded-address 192.168.1.4 192.168.1.200
    !
    ip dhcp pool Alberto
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    !
    !
    ip cef
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    username xxxxxxxxxxxxxxxxxxxxxxxxx
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface ATM0/3/0
    no ip address
    no atm ilmi-keepalive
    pvc 8/32
    pppoe-client dial-pool-number 1
    !
    !
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxx
    ppp chap password 0 xxxxxxxxxxxxxx
    ppp ipcp dns request
    ppp ipcp wins request
    ppp ipcp route default
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    ip nat inside source list 100 interface Dialer0 over
    ip nat inside source static tcp 192.168.1.252 8252 interface Dialer0 8252
    ip nat inside source static tcp 192.168.1.251 8251 interface Dialer0 8251
    !
    access-list 100 permit ip any any
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login local
    transport input telnet
    transport output none
    !
    scheduler allocate 20000 1000
    end

    Router#
    June 2, 2014 6:25:08 AM

    bill001g - Thanks, that's very informative. I've never thought about how you'd remedy it on Cisco kit, or known the correct terms :)

    Apgonza - I think bill001g is suggesting the same thing as me; he just knows what he's talking about more and is using the correct terms, which makes it sound more scary :p .

    I've never set a router up as a DNS server so can't comment.
    Another way to go would be to set up a standalone DNS server, such as Ubuntu + BIND 9. That'll run on just about anything. And you could direct your computers to it using DHCP. It might not be worth the electricity bill for the sake of saving 1 URL in your favorites instead of 2 though :)
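
The local DNS override discussed in the thread, as an added example that is not part of any post: Cisco IOS configuration-mode lines that make the 2801 answer DNS for the LAN and resolve the camera's DDNS name to its internal address. The hostname `camera.example.net` and the `<ISP-DNS-1>`/`<ISP-DNS-2>` forwarders are placeholders (the thread does not give them); the pool name and addresses are taken from the posted configuration.

```cisco
! Added example. camera.example.net, <ISP-DNS-1> and <ISP-DNS-2> are
! placeholders: substitute the real DDNS name and the resolvers that
! are masked as xxx.xxx.xxx.xxx in the posted configuration.
configure terminal
 !
 ! Let the router answer DNS queries itself.
 ip dns server
 !
 ! Upstream resolvers used for every name the router has no entry for.
 ip name-server <ISP-DNS-1> <ISP-DNS-2>
 !
 ! Local override: inside the LAN the DDNS name resolves to the camera's
 ! internal address, so the phone never sends traffic to the public IP
 ! and no hairpin NAT is needed.
 ip host camera.example.net 192.168.1.251
 !
 ! Hand out the router (192.168.1.1) as DNS server instead of the ISP
 ! resolvers, so LAN clients actually see the override.
 ip dhcp pool Alberto
  dns-server 192.168.1.1
 !
end
```

These are global and DHCP-pool commands, not interface commands, and the override works here because the static NAT entry maps port 8251 to the same port 8251 on the camera, so the app's URL is valid on both sides. `ip dns server` is not bound to a single interface, so the router will also answer queries arriving on Dialer0 unless inbound port 53 is filtered there.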