Using Firewall to find and replace data in HTTP stream

Unanswered Question
Apr 10th, 2011

Hello,

I am working on an integration where we need to change the IP address inside of the application layer presented to the client through a NAT session. Basically the setup is as follows:

1. Client connects to web server NAT

2. Web Server presents HTTP code to client along with a list of camera names through Firewall NAT

3. Client requests video stream from camera in drop down list

4. Web Server sends the actual private URL for the video stream as an IP address inside of HTTP (thus we are not NATing this address). The client cannot connect at this point since the IP address inside the HTTP application is not subject to the same NAT rule that the web server's actual IP address is subject to.

We need to NAT the IP address inside of the HTTP stream (it's text/javascript) - see below - I have highlighted the string I need to replace:

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Content-Type: text/javascript

Content-Length: 1520

Date: Sun, 10 Apr 2011 14:59:48 GMT

Camera&host=10.112.3.6&port=81&user=XXXX&password=XXXXXX&start

Can this be accomplished using regex with the HTTP inspection engine on the ASA?

Any thoughts?

The idea is to replace this private IP address and present the client a routable IP address on their side of the firewall which will then be NAT'd back to the actual camera IP on the inside interface of the firewall.

Our other option is to present a DNS name instead of an IP address but I wanted to find out if it was possible to accomplish a translation at Layer 7 with the firewall first.

Can a custom inspection be written to accomplish this?

Thanks

Mike Louis

Jay Johnston Wed, 04/13/2011 - 08:54

Mike,

No, applying NAT translation on the HTTP protocol (in this case, the web camera system running over http) is not supported.

Here is a doc on using the ASA to manage http traffic through the ASA:

https://supportforums.cisco.com/docs/DOC-1268

For more information on how to configure the ASA to use regex to match or drop on traffic inspected in an HTTP stream, check out a podcast episode we did about blocking SQL injections within HTTP streams; the show notes also contain configuration examples:

SQL injection prevention: https://supportforums.cisco.com/docs/DOC-14890

HTTP filtering episode on ASA: https://supportforums.cisco.com/docs/DOC-12657

Sincerely,

Jay
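As an added illustration (not part of this thread, and not an ASA feature), here is the Layer 7 rewrite the question asks for, done in Python on the response quoted above. It shows the detail any such rewrite has to get right: the substituted address string has a different length, so Content-Length must be recomputed, and only plain, uncompressed, non-chunked text bodies can be edited this way. The NAT map and the 203.0.113.6 address are assumptions.

```python
import re

# Constructed sample, modelled on the response quoted in the question
# (body shortened to the one line shown; Content-Length matches this body).
BODY = b"Camera&host=10.112.3.6&port=81&user=XXXX&password=XXXXXX&start"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/javascript\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Date: Sun, 10 Apr 2011 14:59:48 GMT\r\n"
    b"\r\n" + BODY
)

# Hypothetical static NAT map: private camera address -> address routable from the client side.
NAT_MAP = {b"10.112.3.6": b"203.0.113.6"}

# Match only the value of a host= query parameter, not every dotted quad in the body.
HOST_PARAM = re.compile(rb"(?<=[?&]host=)\d{1,3}(?:\.\d{1,3}){3}(?=[&\s]|$)")


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    status, *lines = head.split(b"\r\n")
    headers = [tuple(part.strip() for part in line.split(b":", 1)) for line in lines]
    return status, headers, body


def header(headers, name: bytes) -> bytes:
    """Case-insensitive header lookup; empty bytes when absent."""
    return next((v for k, v in headers if k.lower() == name), b"")


def rewrite_response(raw: bytes, nat_map=NAT_MAP) -> bytes:
    """Rewrite host= parameters in a text/* body and fix Content-Length to match."""
    status, headers, body = split_response(raw)
    if not header(headers, b"content-type").startswith(b"text/"):
        return raw  # binary bodies (images, video) are passed through untouched
    if header(headers, b"content-encoding") or b"chunked" in header(headers, b"transfer-encoding"):
        raise ValueError("cannot rewrite a compressed or chunked body")
    new_body = HOST_PARAM.sub(lambda m: nat_map.get(m.group(0), m.group(0)), body)
    # The address changed length, so the declared length must be recomputed.
    headers = [(k, str(len(new_body)).encode() if k.lower() == b"content-length" else v)
               for k, v in headers]
    head = b"\r\n".join([status] + [k + b": " + v for k, v in headers])
    return head + b"\r\n\r\n" + new_body
```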
