Solved

PAT/NAT to various internal webservers from internet AND internal

Posted on 2013-05-30
Last Modified: 2013-06-10
I've been boggling my head over the best way to accomplish this and how to accomplish it using the best way!  LOL

Here is what I have:

2 internal networks
- USERNET (all of our regular users, all within a windows domain)
- CAMNET (separate network for security cameras and NVR, with a basic server on its own domain)

Both networks are behind a Cisco 1941 router, which is our gateway and router (for phone system and VPNs).  The 1941 connects to our internet, with a static IP. (I'll call this OFFICE.STATIC.IP)

We also have a public domain as well, of which is not hosted within.

Problem:
The security camera NVR has its own software to access it from a pc.  Doing this from inside or outside our networks is easy enough, and no problem.  However, the NVR does not have any portable device app to access it (eg. from iPhone, Android, etc.), and there are currently no 3rd party apps available to connect to the NVR.

As such, we have to use 3rd party apps to connect to each camera, individually.

Connecting the app to each camera from within our internal network, using each camera's ip address, is no issue at all.

I need to create a fairly simple method of connecting to each camera from outside of our internal network (the internet) AND from inside, without having 2 entries for each camera in the app (eg. Don't want the app to show "CAMERA 1" with ip camnet:80 and "CAMERA 1 from internet" with ip externalip:12000........(the 1941 would PAT port 12000 to camera1 ip, port 80))

My initial thought and attempt, was creating a sub domain under our public domain.

(cameras.company.com)

And setting the public DNS records to point cameras.company.com to OFFICE.STATIC.IP (the public static IP of our Cisco 1941 router)

From externally (the internet), I would just give each camera its own port number, and have the 1941 router PAT the incoming connections to the corresponding camera.

eg. (10.0.0.0 is a fake internal network to mimic our camera network)
cameras.company.com:12000 --->1941 PAT--->10.0.0.2:80
cameras.company.com:12001--->1941 PAT--->10.0.0.3:80

Then on the internal side of things, using our Windows 2003 DC (running DNS for inside) have the DNS server resolve cameras.company.com, so that we could use a single address for each camera, that would allow us to view the camera from outside our network (the internet), and from inside our network (without going out to the internet and then back again).

I could not figure out how to perform PAT from inside to inside.

The other alternative idea I had, was to create a separate public subdomain for each camera (as there are not too many), but that means I would need to still perform some kind of inside to inside PAT, or change some of the cameras to not use port 80 (which I want to avoid).

Confused yet?  I hope I explained that well enough.

Any ideas on what and how I can accomplish this?
Question by:renfrey

Expert Comment

by:rauenpc
ID: 39209745
I would create a remote access VPN for this. Depending on what types of devices are connecting in you may be required to configure AnyConnect SSL VPN versus the Cisco IPsec VPN. This way once they are connected they can just use the inside IP addresses like normal without any need to have dozens of NAT statements.

The other option would be a "jump server" of sorts. Create a workstation/server and allow RDP to come in. From there the user can use the server on the inside to access cameras. This may or may not have a detrimental effect on camera viewing if that's what they're up to. I would suggest putting an ACL or some method of firewall on that server to restrict its access to just the cameras so that if compromised it doesn't give a hacker full access to your inside network.

Accepted Solution

by:
Jody Lemoine earned 500 total points
ID: 39220245
As long as you're not using the Zone-based Policy Firewall, you can use the NAT NVI functionality to accomplish this.

With a standard NAT configuration, you would have something like this:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip nat inside source static tcp 172.16.0.10 80 interface FastEthernet0/1 80
ip nat inside source list NAT interface FastEthernet0/1 overload

This, unfortunately, won't let you connect to the Internet address of FastEthernet0/1 on 80/tcp due to the hairpinning restrictions of classic NAT.

If you switch to NVI, which looks more like this:

interface FastEthernet0/0
 ip nat enable
!
interface FastEthernet0/1
 ip nat enable
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip nat source static tcp 172.16.0.10 80 interface FastEthernet0/1 80
ip nat source list NAT interface FastEthernet0/1 overload

You can connect to the Internet address of FastEthernet0/1 on 80/tcp no matter which network you're on.
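To make the accepted answer concrete for the poster's layout (one public name, one public port per camera, every camera still on 80/tcp inside), here is an added Python helper that is not from the thread, from Cisco, or from either expert. It emits the NVI-form lines shown above for a list of cameras and flags the mistakes that are easy to make when there are a dozen mappings: two cameras given the same public port, a public port the router itself already listens on, and a camera address that the overload ACL does not cover. The outside interface name, the 10.0.0.0/24 sample addresses, the public address 203.0.113.1 and the set of router-reserved ports are all assumptions; adjust them to the real 1941.

```python
"""Plan and sanity-check a Cisco IOS NVI static PAT layout for cameras that
must be reachable on one public address from both inside and outside.

Added example, not code from the thread. Interface names, addresses and
the reserved-port set below are constructed assumptions.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Camera:
    name: str
    inside_ip: str      # address on CAMNET
    inside_port: int    # service port on the camera (80 in the thread)
    public_port: int    # port the app dials on cameras.company.com


# Ports the router itself is assumed to use for the other services the
# thread mentions (SSH/Telnet management, SSL VPN on 443, IPsec on 500/4500).
ROUTER_RESERVED_PORTS = {22, 23, 443, 500, 4500}


def nvi_config(cameras, inside_net, outside_if="FastEthernet0/1", acl_name="NAT"):
    """Return IOS lines in the NVI form from the accepted answer:
    one 'ip nat source static tcp' per camera plus the overload rule."""
    net = ipaddress.ip_network(inside_net, strict=True)
    lines = [f"ip access-list standard {acl_name}",
             f" permit {net.network_address} {net.hostmask}",   # IOS wildcard mask
             "!"]
    for cam in sorted(cameras, key=lambda c: c.public_port):
        lines.append(f"ip nat source static tcp {cam.inside_ip} {cam.inside_port} "
                     f"interface {outside_if} {cam.public_port}")
    lines.append(f"ip nat source list {acl_name} interface {outside_if} overload")
    return lines


def check_plan(cameras, inside_net):
    """Return a list of problems found in the mapping plan (empty if clean)."""
    problems = []
    net = ipaddress.ip_network(inside_net, strict=True)
    seen = {}
    for cam in cameras:
        if cam.public_port in seen:
            problems.append(f"{cam.name}: public port {cam.public_port} "
                            f"already used by {seen[cam.public_port]}")
        seen.setdefault(cam.public_port, cam.name)
        if cam.public_port in ROUTER_RESERVED_PORTS:
            problems.append(f"{cam.name}: public port {cam.public_port} "
                            f"is used by the router itself")
        if ipaddress.ip_address(cam.inside_ip) not in net:
            problems.append(f"{cam.name}: {cam.inside_ip} is not covered by "
                            f"ACL network {net} (its own outbound traffic "
                            f"would not be translated)")
    return problems


def probe(host, port, timeout=2.0):
    """TCP connect check. Run it from CAMNET, from USERNET and from outside
    with the same public name:port to confirm the hairpin works everywhere.
    Returns True if the port accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample matching the thread's 10.0.0.0 example network.
    cams = [Camera("CAMERA 1", "10.0.0.2", 80, 12000),
            Camera("CAMERA 2", "10.0.0.3", 80, 12001)]
    for p in check_plan(cams, "10.0.0.0/24"):
        print("PROBLEM:", p)
    print("\n".join(nvi_config(cams, "10.0.0.0/24")))
```

Once the NVI rules are in place, the internal Windows DNS can hand out the same public address for cameras.company.com that the public zone does, so the mobile app keeps a single entry per camera and the 1941 hairpins the inside connections. The `probe` function is there to prove that from each network before anyone relies on it.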

Author Closing Comment

by:renfrey
ID: 39235798
Although I figured this one out shortly before this post, this hit the nail right on the head.