Cisco Support Community
New Member

Using Firewall to find and replace data in HTTP stream


I am working on an integration where we need to change the IP address inside of the application layer presented to the client through a NAT session. Basically the setup is as follows:

1. Client connects to web server NAT

2. Web Server presents HTTP code to client along with a list of camera names through Firewall NAT

3. Client requests video stream from camera in drop down list

4. Web Server sends the actual private URL for the video stream as an IP address inside of HTTP (thus we are not NATing this address). The client cannot connect at this point since the IP address inside the HTTP application is not subject to the same NAT rule that the web server's actual IP address is subject to.

We need to NAT the IP address inside of the HTTP stream (it's text/javascript) - see below - I have highlighted the string I need to replace:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript
Content-Length: 1520
Date: Sun, 10 Apr 2011 14:59:48 GMT


Can this be accomplished using regex with the HTTP inspection engine on the ASA?

Any thoughts?

The idea is to replace this private IP address and present the client a routable IP address on their side of the firewall which will then be NAT'd back to the actual camera IP on the inside interface of the firewall.

Our other option is to present a DNS name instead of an IP address but I wanted to find out if it was possible to accomplish a translation at Layer 7 with the firewall first.

Can a custom inspection be written to accomplish this?


Mike Louis

Cisco Employee

Re: Using Firewall to find and replace data in HTTP stream


No, applying NAT translation on the HTTP protocol (in this case, the web camera system running over http) is not supported.

Here is a doc on using the ASA to manage http traffic through the ASA:

For more information on how to configure the ASA to use regex to match or drop on traffic inspected in an HTTP stream, check out a podcast episode we did about blocking SQL injections within HTTP streams; the show notes also contain configuration examples:

SQL injection prevention:

HTTP filtering episode on ASA:
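
What the rewrite asked about in this thread involves at the application layer, as an added example that is not part of the original thread and is not ASA functionality: a Python function that rewrites a fully buffered response and recomputes Content-Length, which a match-or-drop inspection engine does not do. The addresses, the JavaScript body and the names `NAT_MAP`, `SAMPLE` and `rewrite_response` are constructed for illustration.

```python
import re

# Constructed mapping: private camera address -> address routable by the client.
# Both are placeholders (RFC 1918 and RFC 5737 documentation ranges).
NAT_MAP = {"192.168.10.50": "203.0.113.50"}

# Dotted quads that are not part of a longer number or address.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed response: headers as in the question, body invented for the example.
SAMPLE_BODY = b'var streamUrl = "http://192.168.10.50:8080/cam1.mjpg";\n'
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
          b"Content-Type: text/javascript\r\n"
          b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY


def rewrite_response(raw: bytes, nat_map=NAT_MAP) -> bytes:
    """Rewrite mapped IPs in a complete, buffered HTTP/1.1 response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header terminator not seen")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = [line.split(":", 1) for line in lines[1:]]
    names = {k.strip().lower(): v.strip() for k, v in headers}
    # Only touch textual bodies; pass everything else through untouched.
    if not names.get("content-type", "").startswith("text/"):
        return raw
    # A compressed or chunked body cannot be searched as plain text.
    if "content-encoding" in names or "transfer-encoding" in names:
        raise ValueError("compressed or chunked body must be decoded first")
    # An address split across two reads would be missed, so require the whole body.
    if int(names.get("content-length", -1)) != len(body):
        raise ValueError("body not fully buffered")
    text = body.decode("utf-8")
    new_body = IPV4.sub(lambda m: nat_map.get(m.group(0), m.group(0)), text).encode("utf-8")
    # The replacement may differ in length, so Content-Length is recomputed.
    out = [lines[0]]
    for k, v in headers:
        if k.strip().lower() == "content-length":
            v = f" {len(new_body)}"
        out.append(f"{k}:{v}")
    return "\r\n".join(out).encode("iso-8859-1") + sep + new_body
```
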