Help with a NAT Command..probably simple

Status
Not open for further replies.

iansteele (IS-IT--Management; joined Mar 12, 2004; 2 messages; location US)
I have a web camera on the inside of my network with address 192.168.2.170. I want traffic routed through my Cisco 17xx router from the outside world to this camera. I have a public IP address, say 12.1.5.2, that I want to connect to on the outside and have that address forward packets to the internal camera. I have set up the following command in my router--

ip nat inside source static tcp 192.168.2.170 80 12.1.5.2 80

--

Now this SHOULD forward outside traffic aimed at 12.1.5.2 to the internal address. Now, 12.1.5.2 is NOT the outside address of my router; it is just a public IP. I wonder if that has anything to do with it.
Do I need to alter access lists or something?
When I ping the 12.1.5.2 address I get destination net unreachable.
Any ideas?
 
That command looks good to me. Did you remember to add 'ip nat inside' to the inside ethernet interface, and 'ip nat outside' to the outside dsl/serial interface?
 
Yes, these settings are there. I am wondering if it has something to do with my access lists. I am providing them here:
access-list 1 permit 192.168.2.20
access-list 2 permit 192.168.254.100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 123 permit ip host 192.168.2.20 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip host 192.168.2.20 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit tcp any host 12.x.x.x eq 22
access-list 199 permit tcp any host 12.x.x.x eq 443
access-list 199 permit tcp any host 12.x.x.x eq telnet
access-list 199 permit icmp any any
access-list 199 permit tcp any host 12.x.x.x eq ftp
access-list 199 permit tcp any host 12.x.x.x eq smtp
access-list 199 permit tcp any host 12.x.x.x eq 1025
access-list 199 permit tcp any host 12.x.x.x range 8470 8479
access-list 199 permit tcp any host 12.x.x.x range 445 449
access-list 199 permit esp any host 12.x.x.x log
access-list 199 permit udp any eq isakmp host 12.x.x.x log
 
To which interfaces are these access-lists bound? Issuing "show ip interface" or "show run" will tell you. My guess is that you are using ACL 199 to filter your incoming traffic on your NAT outside router interface. If that is so, then you should add a rule permitting port 80, as I don't see anything like that in your ACL.

Also, this may solve the first part of your problem, which is permitting traffic from outside to inside. But you also need to permit traffic from your inside camera to the outside, so add a rule to the ACL bound to the NAT inside interface that will permit outgoing traffic.

Just remember, with ACLs, the default rule is to deny any packet (it is not shown, but it is there).

Peter Mesjar
CCNA, A+ certified
pmesjar@centrum.sk
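
An added example (not from the thread or from any poster): a small first-match evaluator run over the ACL 199 lines as posted, showing that inbound TCP port 80 falls through to the implicit deny. It assumes, as the reply above guesses, that ACL 199 filters inbound traffic on the NAT outside interface; the redacted 12.x.x.x is treated as matching any 12.* address, and PORT_80_RULE is a constructed line.

```python
# Added example: first-match evaluation of the ACL 199 lines posted in the thread.
ACL_199 = """\
access-list 199 permit tcp any host 12.x.x.x eq 22
access-list 199 permit tcp any host 12.x.x.x eq 443
access-list 199 permit tcp any host 12.x.x.x eq telnet
access-list 199 permit icmp any any
access-list 199 permit tcp any host 12.x.x.x eq ftp
access-list 199 permit tcp any host 12.x.x.x eq smtp
access-list 199 permit tcp any host 12.x.x.x eq 1025
access-list 199 permit tcp any host 12.x.x.x range 8470 8479
access-list 199 permit tcp any host 12.x.x.x range 445 449
access-list 199 permit esp any host 12.x.x.x log
access-list 199 permit udp any eq isakmp host 12.x.x.x log
"""
# Constructed line of the kind the reply suggests; not from the thread.
PORT_80_RULE = "access-list 199 permit tcp any host 12.1.5.2 eq 80\n"
NAMED_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "isakmp": 500}

def addr_ok(pattern, addr):
    # Assumption: None means "any"; a redacted octet "x" matches any value.
    return pattern is None or all(p in ("x", a) for p, a in zip(pattern.split("."), addr.split(".")))
def port_ok(rng, value):
    return rng is None or (value is not None and rng[0] <= value <= rng[1])

def take_addr(t, i):  # "host A.B.C.D" or "any"
    return (t[i + 1], i + 2) if t[i] == "host" else (None, i + 1)

def take_ports(t, i):  # optional "eq P" or "range LO HI"
    n = {"eq": 1, "range": 2}.get(t[i]) if i < len(t) else None
    if n is None:
        return None, i
    vals = [NAMED_PORTS.get(w) or int(w) for w in t[i + 1:i + 1 + n]]
    return (vals[0], vals[-1]), i + 1 + n

def parse(line):
    t = [w for w in line.split()[2:] if w != "log"]  # drop "access-list 199" and "log"
    src, i = take_addr(t, 2)
    sports, i = take_ports(t, i)
    dst, i = take_addr(t, i)
    dports, i = take_ports(t, i)
    return t[0], t[1], src, sports, dst, dports

def evaluate(acl, proto, src, sport, dst, dport):
    for line in acl.strip().splitlines():
        action, p, rsrc, sports, rdst, dports = parse(line)
        if (p in ("ip", proto) and addr_ok(rsrc, src) and addr_ok(rdst, dst)
                and port_ok(sports, sport) and port_ok(dports, dport)):
            return action, line
    return "deny", "implicit deny ip any any"  # no entry matched
```

With a constructed client address, evaluate(ACL_199, "tcp", "203.0.113.9", 40000, "12.1.5.2", 80) returns the implicit deny, and the same call on ACL_199 + PORT_80_RULE returns permit on the added line. Scoping the added entry to the one host and port, as PORT_80_RULE does, keeps the rest of the filter unchanged.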
 