Cisco 1721 and NATing multiple outside IP 1

[RCanes]

This is something that sounds simple but is proving to be hard to find out how to implement.

I have a 1721 on a T-1.
The router is NATing the Serial IP to the 10.1.1.x computers on the inside network.
we have 3 IP addresses in our ethernet range that we are not using.
I have a webcam server that I cannot get authentification to work on just by using port forwarding. no matter how many ports I forward - I am able to connect to the server, I just can't authenticate my un/pw.

what I would like to do is either:
A - assign one of the unused IPs in the ethernet range to the webcam server
B - Have the router NAT one of the unused IPs from the ethernet range to the webcam server.

does anyone have an idea on how to do this? I can post the router config if needed. I am just wondering if this is possible.

Thanks

 

[michaeling]

Is the authentication being performed by the router, a Radius server or what?

 

[RCanes]

the webcam server is performing the authentification.

 

[michaeling]

Is port 80 the only port required by your webcam?

 

[RCanes]

nope. it's using 3550, 4550, 5550, 4650, and a few others.
I've forward all ports I can find that it's using and I still can't get the un/pw to authenticate. I even tried to forward a range of ports and it won't work.

The router is also providing VPN site-to-site to our corp. office. If I don't forward any ports and I goto the internal IP of the webcam server, it will work just fine inside of our network at the corp office. I am trying to get it working outside the office though.

 

[michaeling]

Well you can use one of your spare public addresses for it. Just seems a shame to waste it.
What's the make and model of the webcam?
If you like, you can send me router config (take out anything sensitive like your crypto keys and real IP address first)and I'll see if I can see whats amiss.

My address is michael@thelings.net

 

[RCanes]

It's an actual server that has 8 cameras hooked to it. It has a software program that runs a webcam so it can viewable over the net. here is the config for the router:
show config
Using 1705 out of 29688 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname canes2
!
enable password .......
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ........ address zzz.zzz.zzz.zzz
!
!
crypto ipsec transform-set canes esp-3des esp-md5-hmac
!
crypto map raising 11 ipsec-isakmp
set peer zzz.zzz.zzz.zzz
set transform-set canes
match address 101
!
!
!
!
interface FastEthernet0
ip address 10.1.2.1 255.255.255.0
ip nat inside
speed auto
half-duplex
no cdp enable
!
interface Serial0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address xxx.xxx.71.197 255.255.255.252 (serial/WAN IP)
ip nat outside
frame-relay interface-dlci 101 IETF
crypto map raising
!
ip nat inside source route-map nonat interface Serial0.1 overload
ip nat inside source static tcp 10.1.2.4 5631 xxx.xxx.71.197 5631 extendable
ip nat inside source static udp 10.1.2.4 5632 xxx.xxx.71.197 5632 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.71.198 (Gateway)
no ip http server
!
!
access-list 101 permit ip 10.1.2.0 0.0.0.255 128.1.0.0 0.0.0.255
access-list 120 deny ip 10.1.2.0 0.0.0.255 128.1.0.0 0.0.0.255
access-list 120 permit ip 10.1.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 120
!
!
line con 0
line aux 0
line vty 0 4
password ...........
login
!
end

canes2#



our ethernet range is xxx.xxx.71.201/30

 

[RCanes]

wondering if it would be possible to assign an unused public IP in our range to the webcam server, and add that ip on the interface of the router?