Solved

PAT/NAT to various internal webservers from internet AND internal

Posted on 2013-05-30
372 Views
Last Modified: 2013-06-10
I've been boggling my head over the best way to accomplish this and how to accomplish it using the best way!  LOL

Here is what I have:

2 internal networks
- USERNET (all of our regular users, all within a windows domain)
- CAMNET (separate network for security cameras and NVR, with a basic server on its own domain)

Both networks are behind a Cisco 1941 router, which is our gateway and router (for phone system and VPNs).  The 1941 connects to our internet, with a static IP. (I'll call this OFFICE.STATIC.IP)

We also have a public domain as well, which is not hosted within.

Problem:
The security camera NVR has its own software to access it from a pc.  Doing this from inside or outside our networks is easy enough, and no problem.  However, the NVR does not have any portable device app to access it (eg. from iPhone, Android, etc.), and there are currently no 3rd party apps available to connect to the NVR.

As such, we have to use 3rd party apps to connect to each camera, individually.

Connecting the app to each camera from within our internal network, using each camera's ip address, is no issue at all.

I need to create a fairly simple method of connecting to each camera from outside of our internal network (the internet) AND from inside, without having 2 entries for each camera in the app (eg. Don't want the app to show "CAMERA 1" with ip camnet:80 and "CAMERA 1 from internet" with ip externalip:12000... (the 1941 would PAT port 12000 to camera1 ip, port 80))

My initial thought and attempt, was creating a sub domain under our public domain.

(cameras.company.com)

And setting the public DNS records to point cameras.company.com to OFFICE.STATIC.IP (the public static IP of our Cisco 1941 router)

From externally (the internet), I would just give each camera its own port number, and have the 1941 router PAT the incoming connections to the corresponding camera.

eg. (10.0.0.0 is a fake internal network to mimic our camera network)
cameras.company.com:12000 --->1941 PAT--->10.0.0.2:80
cameras.company.com:12001--->1941 PAT--->10.0.0.3:80

Then on the internal side of things, using our Windows 2003 DC (running DNS for inside) have the DNS server resolve cameras.company.com, so that we could use a single address for each camera, that would allow us to view the camera from outside our network (the internet), and from inside our network (without going out to the internet and then back again).

I could not figure out how to perform PAT from inside to inside.

The other alternative idea I had, was to create a separate public subdomain for each camera (as there are not too many), but that means I would need to still perform some kind of inside to inside PAT, or change some of the cameras to not use port 80 (which I want to avoid).

Confused yet?  I hope I explained that well enough.

Any ideas on what and how I can accomplish this?
Question by:renfrey
3 Comments
Expert Comment by:rauenpc
I would create a remote access vpn for this. Depending on what types of devices are connecting in you may be required to configure anyconnect SSL VPN versus the Cisco IPSEC VPN. This way once they are connected they can just use the inside IP addresses like normal without any needs to have dozens of NAT statements.

The other option would be a "jump server" of sorts. Create a workstation/server and allow RDP to come in. From there the user can use the server on the inside to access cameras. This may or may not have a detrimental effect on camera viewing if that's what they're up to. I would suggest putting an ACL or some method of firewall on that server to restrict its access to just the cameras so that if compromised it doesn't give a hacker full access to your inside network.
Accepted Solution by: Jody Lemoine (earned 500 total points)
As long as you're not using the Zone-based Policy Firewall, you can use the NAT NVI functionality to accomplish this.

With a standard NAT configuration, you would have something like this:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip nat inside source static tcp 172.16.0.10 80 interface FastEthernet0/1 80
ip nat inside source list NAT interface FastEthernet0/1 overload

This, unfortunately, won't let you connect to the Internet address of FastEthernet0/1 on 80/tcp due to the hairpinning restrictions of classic NAT.

If you switch to NVI, which looks more like this:

interface FastEthernet0/0
 ip nat enable
!
interface FastEthernet0/1
 ip nat enable
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip nat source static tcp 172.16.0.10 80 interface FastEthernet0/1 80
ip nat source list NAT interface FastEthernet0/1 overload

You can connect to the Internet address of FastEthernet0/1 on 80/tcp no matter which network you're on.
Author Closing Comment by:renfrey
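An added configuration example, not part of Jody Lemoine's answer or the asker's router, that applies the NVI form above to the two-camera mapping from the question (cameras.company.com:12000 -> 10.0.0.2:80, :12001 -> 10.0.0.3:80). The interface names, the 10.0.0.0/24 CAMNET range and the 192.168.1.0/24 USERNET range are assumed.

```ios
! Assumed layout: Gi0/0 = Internet uplink (OFFICE.STATIC.IP),
! Gi0/1 = USERNET (192.168.1.0/24, assumed), Gi0/1.20 = CAMNET (10.0.0.0/24 from the question).
! Every interface that takes part in NAT gets "ip nat enable" (NVI), not inside/outside.
interface GigabitEthernet0/0
 description Internet uplink - OFFICE.STATIC.IP
 ip nat enable
!
interface GigabitEthernet0/1
 description USERNET
 ip nat enable
!
interface GigabitEthernet0/1.20
 description CAMNET
 ip nat enable
!
! Only these two internal ranges may be overloaded onto the public address.
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 10.0.0.0 0.0.0.255
!
! One static PAT entry per camera. The NVI form has no "inside" keyword, so a
! USERNET client connecting to OFFICE.STATIC.IP:12000 is hairpinned to 10.0.0.2:80
! instead of being dropped as it would be under classic inside/outside NAT.
ip nat source static tcp 10.0.0.2 80 interface GigabitEthernet0/0 12000
ip nat source static tcp 10.0.0.3 80 interface GigabitEthernet0/0 12001
ip nat source list NAT interface GigabitEthernet0/0 overload
!
! Verification while a hairpinned session is open:
!   show ip nat nvi translations
! An entry with inside local 10.0.0.2:80 and inside global OFFICE.STATIC.IP:12000
! confirms the mapping; its outside address is the USERNET client for an internal
! connection and the Internet peer for an external one.
```

With this in place the internal DNS zone for cameras.company.com can return OFFICE.STATIC.IP exactly as the public zone does, so the app needs a single entry per camera. Note that the hairpinned traffic is source-translated to the router's address on its way to CAMNET, so camera-side logs will show the router rather than the real internal client; the router's own NAT table is where that client is recorded.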
Although I figured this one out shortly before this post, this hit the nail right on the head.