Smart Tips - Cisco


Smart Tips

Enabling WAN Public Access with DDNS and Port Forwarding

This Smart Tip document provides step-by-step guidance for configuring Dynamic DNS (DDNS) and port forwarding on Cisco small business routers to provide secure access to an internal web server and an IP video camera from the public Internet.

Overview

Cisco Small Business routers provide an advanced Internet-sharing network solution to meet the needs of small businesses. Multiple computers in the small business office can share the Internet connection through connections with its integrated switch ports, attached switches or wireless access points. The router’s 10/100 Ethernet WAN interface connects directly to the broadband DSL or to a cable modem with VPN and Firewall capability.

However, providing access from the public Internet to network servers, network services, or IP video surveillance cameras on the internal network is challenging for the following reasons:

- The internal local area network (LAN) must be fully protected from unauthorized users on the public Internet by a firewall, which prevents inbound connections except for authorized access to specific network resources.
- Private IP addresses are assigned to the hosts in the internal network to reduce the usage of public IP addresses, of which there is a limited supply. For these hosts to communicate with the public Internet, network address translation (NAT) must translate each private IP address to a public IP address.
- Many small businesses today use broadband Internet connections. The broadband Internet connection receives a dynamic public IP address from the service provider, which is not static and may change frequently.

Combining the router’s DDNS and port forwarding features provides a simple solution that allows controlled, secure access to the router’s WAN interface and the internal network from the public Internet.

Key Features

Dynamic DNS

Dynamic DNS (DDNS) is a service that maps Internet domain names to IP addresses. Unlike DNS, which only works with static IP addresses, DDNS is designed to support dynamic IP addresses, such as those assigned by a DHCP service. DDNS is a good fit for small business networks that receive dynamic public addresses from an Internet service provider.

Some DDNS providers, such as dyndns.com, provide DDNS services free of charge. To use one, sign up with a DDNS provider, add the Fully Qualified Domain Name (FQDN) for the router, and configure the Cisco router to automatically update the WAN IP address associated with its FQDN. You can then access the network resource and WAN router using the FQDN without knowing its current public IP address.

Port Forwarding

Port forwarding opens a specific TCP or UDP port to a server behind the router firewall, allowing all incoming traffic on that port to be sent directly to the specific server. This feature permits connections between external hosts and services within a private LAN.

Figure 1: DDNS and Port Forwarding Network Diagram
(Diagram labels: Internet; WAN Router, WAN IP: Dynamic (e.g. 128.107.139.104), DDNS Host: http://myrv120w.dyndns.org; LAN; Internal Server: 192.168.1.100; IP Video Camera: 192.168.1.90)

Smart Tips for Small Businesses

Featured Products

- Cisco RV120W Wireless-N VPN Firewall Router (GUI configuration screens of this router are shown in this document as an example)
- Cisco RV220W Wireless-N Network Security Firewall
- Cisco RV042, RV042G, RV082, RV016, RVL200, WRVS4400N, and WRV210 small business routers
- Cisco RV180/180W Wireless-N Multifunction VPN Firewall

Design Tips

- WAN IP Address—The ISP may provide either a dynamically assigned IP address or a statically assigned IP address to the WAN router. For a static IP address, DDNS is not necessary, and using the IP address with port forwarding is sufficient to access the server from the Internet.
- DDNS—An account needs to be created with a DDNS provider such as dyndns.com or tzo.com. Within the account, various DDNS host entries are created. The administrator should create a DDNS host name for the router WAN IP address. The router is configured to update the DDNS entry instantly through HTTP whenever the IP address is changed.
- Port Forwarding—It is important to know the service ports that the server uses. Common service ports such as web service or e-mail service are predefined on the router for easy configuration. Any customized service can also be created based on its TCP or UDP port numbers. Port forwarding simplifies the configuration when you do not deploy the same service on multiple servers.
- LAN IP Address—It is highly recommended that the internal server or IP camera that uses port forwarding is configured with a local static IP address instead of getting a DHCP address from the router. Using a DHCP address will invalidate the port forwarding rule if the IP address on the internal device changes. The static IP address configured should not be part of the same DHCP address pool.

Network Diagram

Figure 1 illustrates a sample implementation of DDNS and port forwarding using a Cisco small business router.

The WAN router receives its IP address dynamically and has both the firewall and NAT enabled by default. In this example, the WAN router can be accessed by its FQDN (myrv120w.dyndns.org). To make this work, the DDNS host entry myrv120w.dyndns.org is mapped to the dynamic IP address of the router’s WAN interface.

Port forwarding is configured as follows:

- Forward port 80 to port 80 on the web server on the internal LAN (192.168.1.100)
- Forward port 1028 to port 80 on an IP video camera 192.168.1.90
- Forward RTSP protocol to the video camera RTSP port

With this configuration, remote PCs and mobile devices can access internal services using web browsers and applications from the public Internet.

Configuring DDNS and Port Forwarding on Cisco Small Business Routers

Preconfiguration Checklist

Connect the Ethernet cable between the WAN port on the RV router and the Ethernet port on the DSL or cable modem. Turn on the RV router and then connect internal PCs, servers, and IP video cameras to the LAN switch or the switch ports on the RV router. Refer to the Cisco Small Business Smart Tips document regarding connecting a router and switch with VLANs and trunks to complete the LAN settings.

Make sure the local PCs and servers protected by the RV router firewall are able to communicate with each other and with the router. Ensure that the internal web server has the IP address of 192.168.1.100 and change the WVC210 IP video camera to use the static IP address 192.168.1.90. Refer to the IP Video Surveillance Smart Setup Guide for guidance configuring the IP address of the WVC210 IP video camera.

Configuring WAN Access

The default WAN setting of the RV router is set to get its IP address dynamically from the ISP. The firewall and NAT are also enabled by default. There is no further configuration needed to enable basic WAN access.

Step 1 Go to Networking > WAN > IPv4 WAN Configuration and verify that the Internet address source and DNS servers are set to Get Dynamically from ISP.

Note: If the address is assigned statically by the ISP, set the IP address source to Use Static IP Address and enter the specific IP address, subnet mask and default router information provided by the ISP.

Figure 2: Verifying WAN Configuration

Step 2 Go to Status > System Summary and in the WAN information (IPv4) section, verify that the router receives its IP address, subnet mask, gateway, and DNS information from the ISP and that NAT is enabled.

Configure DDNS Settings

In this section, we will create the DDNS entry myrv120w.dyndns.org for the WAN router and configure the WAN router to update this DDNS entry automatically with its current WAN IP address whenever it changes.

Step 1 Configure the DDNS account.

1. If you don’t have a DDNS account, go to http://www.dyndns.com to apply for a DDNS account. A valid e-mail address is required to activate the account. The basic service is free of charge.
2. Once the account is approved and activated, log in and go to My Services > My Hosts. Click Add Host Service to create a new DDNS host name for the RV router.
3. Enter any IP address, such as 1.1.1.1, for now, and click Add to Cart to complete the configuration.

Figure 3: Adding a New Hostname on the dyndns.com Website

In this example, the host name myrv120w.dyndns.org is created for the RV router.

Step 2 Configure the Cisco router.

1. Log into the RV router and go to Networking > Dynamic DNS to select DynDNS.com for the DDNS service.
2. Enter myrv120w.dyndns.org for Host and Domain Name and enter the username and password for your dyndns.com account.
3. Check Update every 30 days to configure the router to update the host information on DynDNS.com and keep the subscription active after the 30-day trial.
4. Click Save to cause the router to update the DDNS entry online, immediately, with its current WAN IP address.

The DDNS setting page now displays the messages: Operation succeeded and WAN (DDNS Status: DDNS updated with IP address 128.107.139.104).

Figure 4: DDNS Setting Page

Note: For the DDNS settings to take effect immediately, the router must have an active Internet connection. You can also log into dyndns.com to verify that the host entry has a newly updated IP address.

Configuring Port Forwarding

In this section, you will configure port forwarding for the internal web server 192.168.1.100 and an internal IP video camera with the IP address 192.168.1.90. Users from the public Internet will then be able to access the web server using http://myrv120w.dyndns.org and to access the IP video camera web page using http://myrv120w.dyndns.org:1028 or the IP video camera’s RTSP stream directly using rtsp://myrv120w.dyndns.org/mobile.sdp.

Step 1 Create a new service to be used for port forwarding.

1. Go to Firewall > Access Control > Custom Service.
2. Click Add to create a service for TCP port 1028.
3. Enter TCP 1028 for the name, specify TCP as the Type, and set both Start Port and Finish Port to 1028.

Figure 5: Custom Services Screen

Step 2 Add the first port forwarding rule for internal Web server access.

After creating this rule, HTTP traffic (TCP port 80) will be redirected to the HTTP port for the internal web server (192.168.1.100).

1. Go to Firewall > Port Forwarding and click Add.
2. Select HTTP in Service, change the Action to Always Allow, and select Any from the Source Users pull-down selection list.
3. Enter the internal web server IP address (192.168.1.100) for Destination IP.
4. Select Same as incoming port for Forward to Port and click Save.

A rule should now be displayed in the summary.

Figure 6: Port Forwarding Screen

Note: When defining the rules, the source refers to public Internet users and the destination refers to the small business internal LAN.

Step 3 Repeat the procedure described in Step 2 to create the second rule for viewing the web page of the IP video camera.

After creating this rule, TCP traffic to TCP port 1028 will be redirected to the HTTP port for the internal server 192.168.1.90.

1. For this rule, select TCP 1028 in the Service section.
2. Change the Action to Always Allow and select Any from the Source Users pull-down selection list.
3. Enter the IP camera IP address (192.168.1.90), select Specify Port from the Forward to Port pull-down selection list, enter port 80 for the Port Number, and click Save.

Step 4 Repeat the procedure described in Step 2 to create the third rule for forwarding RTSP: TCP service to the same port on the IP video camera (192.168.1.90).

After completing this step, all three rules should be displayed, as shown in Figure 7.

Figure 7: Port Forwarding Entries

Validating the Configuration

Step 1 From a client PC or laptop connected to the public Internet, direct the web browser to http://myrv120w.dyndns.org.

The web browser should display the contents of the internal web site.

Step 2 From a client PC or laptop connected to the public Internet, direct the web browser to http://myrv120w.dyndns.org:1028.

The web browser should display the web page and video stream for the WVC210 IP video camera.

Figure 8: Verifying TCP Port Forwarding

Step 3 From a smart phone or laptop connected to the public Internet, launch a media player such as VLC player on the PC to view the RTSP stream directly from the WVC IP Video Camera using the link RTSP://myrv120w.dyndns.org/mobile.sdp.

Note: To verify RTSP forwarding, Mobile Streaming should already be enabled on the WVC210 IP video camera.

Figure 9: Verifying RTSP Forwarding

Other Related Features

Demilitarized Zone

The Cisco RV router also supports a demilitarized zone (DMZ) option. A DMZ is a subnetwork that is accessible from the public Internet but which resides behind the firewall. The DMZ function redirects packets going to a specific WAN port IP address to a particular IP address in the LAN.

Firewall rules can be configured to permit access to specific services and ports on the DMZ from either the LAN or from the public Internet. In the event of an attack on any of the DMZ nodes, the LAN is not necessarily affected. The DMZ can also be used with DDNS in a scenario where a single server offering multiple services on the small business network needs to be accessible from the public Internet.

One-to-One NAT

The Cisco RV router also supports one-to-one NAT, which is a way to make systems behind a firewall with private IP addresses appear to have public IP addresses. One-to-one NAT can be used when the ISP provides a pool of static public IP addresses. It maps the private ad
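
The three port forwarding rules configured in this document, audited against its Design Tips and mapped from public port to internal target, as an added example that is not part of the Cisco document. The /24 LAN mask, the DHCP pool range and RTSP port 554 are assumptions; the remaining addresses and ports come from the rules above.

```python
import ipaddress

# Assumptions (not stated in the document): /24 LAN mask and this DHCP pool range.
LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.254"))
CLEARTEXT_PORTS = {80: "HTTP", 554: "RTSP"}  # no transport encryption on these

# (service, protocol, public port, internal IP, internal port), as configured above.
# 554 is the IANA-registered RTSP port; the document names only the service.
RULES = [
    ("HTTP",     "tcp", 80,   "192.168.1.100", 80),
    ("TCP 1028", "tcp", 1028, "192.168.1.90",  80),
    ("RTSP",     "tcp", 554,  "192.168.1.90",  554),
]

def translate(rules, proto, public_port):
    """Return the internal (ip, port) a WAN-side connection is forwarded to, or None."""
    for _name, r_proto, r_pub, ip, port in rules:
        if (r_proto, r_pub) == (proto, public_port):
            return ip, port
    return None  # no rule: the firewall drops the inbound connection

def audit(rules, lan=LAN, pool=DHCP_POOL, source_users="Any"):
    """Check each rule against the Design Tips; return a list of (service, finding)."""
    findings, seen = [], {}
    for name, proto, pub, ip, port in rules:
        addr = ipaddress.ip_address(ip)
        if addr not in lan:
            findings.append((name, f"{ip} is outside LAN {lan}"))
        elif pool[0] <= addr <= pool[1]:
            findings.append((name, f"{ip} is inside the DHCP pool; DHCP may lease it to another host"))
        if (proto, pub) in seen:
            findings.append((name, f"{proto}/{pub} already forwarded by rule {seen[(proto, pub)]}"))
        seen.setdefault((proto, pub), name)
        if source_users == "Any" and port in CLEARTEXT_PORTS:
            findings.append((name, f"{CLEARTEXT_PORTS[port]} is unencrypted and open to any Internet source"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(RULES):
        print(f"[{service}] {finding}")
```

With the assumed pool, the web server's static address 192.168.1.100 is reported as lying inside the DHCP range, which is the condition the LAN IP Address design tip warns against.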
