PAT/NAT to various internal webservers from internet AND internal
Posted on 2013-05-30
I've been boggling my head over the best way to accomplish this and how to accomplish it using the best way! LOL
Here is what I have:
2 internal networks
- USERNET (all of our regular users, all within a windows domain)
- CAMNET (separate network for security cameras and NVR, with a basic server on its own domain)
Both networks are behind a Cisco 1941 router, which is our gateway and router (for phone system and VPNs). The 1941 connects to our internet, with a static IP. (I'll call this OFFICE.STATIC.IP)
We also have a public domain, which is not hosted internally.
The security camera NVR has its own software to access it from a pc. Doing this from inside or outside our networks is easy enough, and no problem. However, the NVR does not have any portable device app to access it (eg. from iPhone, Android, etc.), and there are currently no 3rd party apps available to connect to the NVR.
As such, we have to use 3rd party apps to connect to each camera, individually.
Connecting the app to each camera from within our internal network, using each camera's IP address, is no issue at all.
I need to create a fairly simple method of connecting to each camera from outside of our internal network (the internet) AND from inside, without having 2 entries for each camera in the app (eg. I don't want the app to show "CAMERA 1" with IP camnet:80 and "CAMERA 1 from internet" with IP externalip:12000... the 1941 would PAT port 12000 to camera1's IP, port 80).
My initial thought and attempt, was creating a sub domain under our public domain.
And setting the public DNS records to point cameras.company.com to OFFICE.STATIC.IP (the public static IP of our Cisco 1941 router)
From outside (the internet), I would just give each camera its own port number, and have the 1941 router PAT the incoming connections to the corresponding camera.
eg. (10.0.0.0 is a fake internal network to mimic our camera network)
cameras.company.com:12000 --->1941 PAT--->10.0.0.2:80
Then on the internal side of things, using our Windows 2003 DC (running DNS for inside), have the DNS server resolve cameras.company.com, so that we could use a single address for each camera that would allow us to view the camera from outside our network (the internet) and from inside our network (without going out to the internet and then back again).
I could not figure out how to perform PAT from inside to inside.
The other alternative idea I had was to create a separate public subdomain for each camera (as there are not too many), but that means I would need to still perform some kind of inside-to-inside PAT, or change some of the cameras to not use port 80 (which I want to avoid).
Confused yet? I hope I explained that well enough.
Any ideas on what and how I can accomplish this?
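The outside-to-inside leg described in the post (cameras.company.com:12000 PATed by the 1941 to 10.0.0.2:80) written out as a Cisco IOS static PAT configuration. This is an added illustration, not configuration from the original poster; the interface names (GigabitEthernet0/0 facing the internet, GigabitEthernet0/1 facing CAMNET), the 10.0.0.0/24 addressing and the second camera at 10.0.0.3 are assumptions. It does not cover the inside-to-inside (hairpin) case the post leaves open.

```cisco
! Added example, not from the original post. Assumed interface names and addresses.
! Gi0/0 carries OFFICE.STATIC.IP; Gi0/1 is the CAMNET side (10.0.0.0/24 is the
! placeholder camera network used in the post).
interface GigabitEthernet0/0
 description Internet uplink (OFFICE.STATIC.IP)
 ip nat outside
!
interface GigabitEthernet0/1
 description CAMNET
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! One static PAT entry per camera: a unique external TCP port on the outside
! interface address is translated to the camera's IP on port 80, so the app
! entry for camera 1 is cameras.company.com:12000, camera 2 is :12001, and so on.
ip nat inside source static tcp 10.0.0.2 80 interface GigabitEthernet0/0 12000
ip nat inside source static tcp 10.0.0.3 80 interface GigabitEthernet0/0 12001
!
! Verify the translations are installed and count hits per camera.
! show ip nat translations
! show ip nat statistics
```

Because each entry binds to the outside interface address, the mappings follow the static IP without hard-coding it. `show ip nat translations` lists each static entry as `tcp OFFICE.STATIC.IP:12000 10.0.0.2:80`, which is the quickest check that a port was mapped to the intended camera. If an inbound access list is already applied on Gi0/0 for the VPN and phone traffic, it needs a permit for the mapped port range, since for outside-to-inside traffic IOS evaluates the inbound ACL against the public address and port before the translation is applied. Internal clients that resolve cameras.company.com to OFFICE.STATIC.IP will not be translated by these entries, which is exactly the inside-to-inside gap the post describes.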