Solved: PAT/NAT to various internal webservers from internet AND internal

Posted on 2013-05-30
Last Modified: 2013-06-10
I've been boggling my head over the best way to accomplish this and how to accomplish it using the best way!  LOL

Here is what I have:

2 internal networks
- USERNET (all of our regular users, all within a windows domain)
- CAMNET (separate network for security cameras and NVR, with a basic server on its own domain)

Both networks are behind a Cisco 1941 router, which is our gateway and router (for phone system and VPNs).  The 1941 connects to our internet, with a static IP. (I'll call this OFFICE.STATIC.IP)

We also have a public domain as well, of which is not hosted within.

Problem:
The security camera NVR has its own software to access it from a pc.  Doing this from inside or outside our networks is easy enough, and no problem.  However, the NVR does not have any portable device app to access it (eg. from iPhone, Android, etc.), and there are currently no 3rd party apps available to connect to the NVR.

As such, we have to use 3rd party apps to connect to each camera, individually.

Connecting the app to each camera from within our internal network, using each camera's IP address, is no issue at all.

I need to create a fairly simple method of connecting to each camera from outside of our internal network (the internet) AND from inside, without having 2 entries for each camera in the app (eg. I don't want the app to show "CAMERA 1" with IP camnet:80 and "CAMERA 1 from internet" with IP externalip:12000... (the 1941 would PAT port 12000 to camera1's IP, port 80)).

My initial thought and attempt, was creating a sub domain under our public domain.

(cameras.company.com)

And setting the public DNS records to point cameras.company.com to OFFICE.STATIC.IP (the public static IP of our Cisco 1941 router)

From externally (the internet), I would just give each camera its own port number, and have the 1941 router PAT the incoming connections to the corresponding camera.

eg. (10.0.0.0 is a fake internal network to mimic our camera network)
cameras.company.com:12000 ---> 1941 PAT ---> 10.0.0.2:80
cameras.company.com:12001 ---> 1941 PAT ---> 10.0.0.3:80

Then on the internal side of things, using our Windows 2003 DC (running DNS for inside) have the DNS server resolve cameras.company.com, so that we could use a single address for each camera, that would allow us to view the camera from outside our network (the internet), and from inside our network (without going out to the internet and then back again).

I could not figure out how to perform PAT from inside to inside.

The other alternative idea I had was to create a separate public subdomain for each camera (as there are not too many), but that means I would still need to perform some kind of inside-to-inside PAT, or change some of the cameras to not use port 80 (which I want to avoid).

Confused yet?  I hope I explained that well enough.

Any ideas on what and how I can accomplish this?
Question by:renfrey

3 Comments

Expert Comment

by:rauenpc
ID: 39209745
I would create a remote access VPN for this. Depending on what types of devices are connecting in, you may be required to configure AnyConnect SSL VPN versus the Cisco IPsec VPN. This way, once they are connected they can just use the inside IP addresses like normal without any need to have dozens of NAT statements.

The other option would be a "jump server" of sorts. Create a workstation/server and allow RDP to come in. From there the user can use the server on the inside to access cameras. This may or may not have a detrimental effect on camera viewing if that's what they're up to. I would suggest putting an ACL or some method of firewall on that server to restrict its access to just the cameras, so that if compromised it doesn't give a hacker full access to your inside network.
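The "cameras only" restriction rauenpc suggests for the jump server can also be enforced on the 1941 itself, on the interface that faces the jump server, so that the limit holds even if the server's own firewall is turned off. The configuration below is an added example and is not part of rauenpc's comment or the asker's setup; the jump server address 172.16.0.50 on USERNET (GigabitEthernet0/0) and the camera range 10.0.0.0/24 (the asker's placeholder) are assumptions.

```cisco
! Added example (not from the thread): restrict the jump server to the
! camera web interfaces, enforced on the router rather than on the server.
! Assumed: jump server 172.16.0.50 on USERNET (Gi0/0), cameras in 10.0.0.0/24.
! Inbound RDP to the jump server enters the router on the Internet interface,
! so it is not matched by a list applied inbound on Gi0/0; only the jump
! server's own packets are, which is why the "established" line is needed.
ip access-list extended JUMPHOST
 remark the jump server may open connections only to camera web interfaces
 permit tcp host 172.16.0.50 10.0.0.0 0.0.0.255 eq 80
 remark replies belonging to RDP sessions opened towards the jump server
 permit tcp host 172.16.0.50 eq 3389 any established
 remark anything else the jump server starts is dropped and logged
 deny   ip host 172.16.0.50 any log
 remark other USERNET hosts are not affected by this list
 permit ip any any
!
interface GigabitEthernet0/0
 description USERNET
 ip access-group JUMPHOST in
```

If the jump server is joined to the Windows domain, it will also need explicit permits to the domain controller (DNS, Kerberos, LDAP, SMB) above the deny line; the `log` keyword on that deny gives you a record of anything the server tries beyond the cameras, which is exactly the event worth alerting on.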

Accepted Solution

by: Jody Lemoine (earned 500 total points)
ID: 39220245
As long as you're not using the Zone-based Policy Firewall, you can use the NAT NVI functionality to accomplish this.

With a standard NAT configuration, you would have something like this:

interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip nat inside source static tcp 172.16.0.10 80 interface FastEthernet0/1 80
ip nat inside source list NAT interface FastEthernet0/1 overload

This, unfortunately, won't let you connect to the Internet address of FastEthernet0/1 on 80/tcp due to the hairpinning restrictions of classic NAT.

If you switch to NVI, which looks more like this:

interface FastEthernet0/0
 ip nat enable
!
interface FastEthernet0/1
 ip nat enable
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip nat source static tcp 172.16.0.10 80 interface FastEthernet0/1 80
ip nat source list NAT interface FastEthernet0/1 overload

You can connect to the Internet address of FastEthernet0/1 on 80/tcp no matter which network you're on.
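Jody Lemoine's answer shows the NVI form for two interfaces and a single port-80 mapping. The configuration below is an added example, not part of his answer or the asker's router, that applies the same NVI approach to the layout described in the question: three NAT-enabled interfaces (USERNET, CAMNET, Internet) and one static entry per camera using the port plan from the question (cameras.company.com:12000 to 10.0.0.2:80, :12001 to 10.0.0.3:80). Interface names, the USERNET range 172.16.0.0/24 and the router's own addresses are assumptions; 10.0.0.0/24 is the asker's placeholder for CAMNET.

```cisco
! Added example (not from the thread): NVI static PAT for the asker's layout.
! Assumed: Gi0/0 = USERNET 172.16.0.0/24, Gi0/1 = CAMNET 10.0.0.0/24,
! Gi0/2 = Internet, holding OFFICE.STATIC.IP. Requires no zone-based firewall.
interface GigabitEthernet0/0
 description USERNET
 ip address 172.16.0.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1
 description CAMNET
 ip address 10.0.0.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/2
 description Internet (OFFICE.STATIC.IP)
 ip nat enable
!
! Only USERNET gets dynamic PAT out to the Internet. CAMNET is deliberately
! left out so the cameras cannot start connections outward; the static
! entries below are all the translation they need.
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
! One static entry per camera: public port -> camera:80 (asker's port plan).
! Because these are NVI ("ip nat source", not "ip nat inside source"), a
! USERNET client connecting to OFFICE.STATIC.IP:12000 is hairpinned to
! 10.0.0.2:80 just as an Internet client is.
ip nat source static tcp 10.0.0.2 80 interface GigabitEthernet0/2 12000
ip nat source static tcp 10.0.0.3 80 interface GigabitEthernet0/2 12001
ip nat source list NAT interface GigabitEthernet0/2 overload
```

With this in place the public DNS record for cameras.company.com pointing at OFFICE.STATIC.IP is the only record needed; the internal Windows DNS server can serve the same answer (or simply forward the query), and the app keeps one entry per camera. Verify with `show ip nat nvi translations`, which lists the two static entries and, while a phone is connected, the dynamic hairpin translations. Because all three interfaces are NAT-enabled, also check during testing that ordinary direct USERNET-to-10.0.0.x traffic is not being source-translated unintentionally; if it is, replace the standard NAT list with an extended one that denies 172.16.0.0/24 to 10.0.0.0/24 ahead of the permit. Each static entry is reachable from any address on the Internet, so if the phones always connect from known addresses, an inbound ACL on GigabitEthernet0/2 limiting ports 12000 and 12001 to those sources is a cheap way to reduce exposure of the camera web interfaces.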
Author Closing Comment

by:renfrey
ID: 39235798
Although I figured this one out shortly before this post, this hit the nail right on the head.