I am working on an integration where we need to change the IP address inside of the application layer presented to the client through a NAT session. Basically the setup is as follows:
1. Client connects to web server NAT
2. Web Server presents HTTP code to client along with a list of camera names through Firewall NAT
3. Client requests video stream from camera in drop down list
4. Web Server sends the actual private URL for the video stream as an IP address inside of HTTP (thus we are not NATing this address). The client cannot connect at this point since the IP address inside the HTTP application is not subject to the same NAT rule that the web server's actual IP address is subject to.
Can this be accomplished using regex with the HTTP inspection engine on the ASA?
The idea is to replace this private IP address and present the client a routable IP address on their side of the firewall which will then be NAT'd back to the actual camera IP on the inside interface of the firewall.
Our other option is to present a DNS name instead of an IP address but I wanted to find out if it was possible to accomplish a translation at Layer 7 with the firewall first.
Can a custom inspection be written to accomplish this?
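
The Layer 7 translation described in the question, sketched as an added example (not part of the original thread, and not ASA configuration): a proxy-style filter that translates private camera addresses in an HTTP response body through a static NAT table and corrects `Content-Length`. The NAT table, the addresses and the sample response are constructed assumptions.

```python
import ipaddress
import re

# Constructed static NAT table (assumption): inside camera IP -> outside IP.
NAT_TABLE = {
    ipaddress.ip_address("10.1.1.21"): ipaddress.ip_address("203.0.113.21"),
    ipaddress.ip_address("10.1.1.22"): ipaddress.ip_address("203.0.113.22"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Candidate dotted quads; ipaddress validates them afterwards.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def rewrite_body(body, nat_table=NAT_TABLE):
    """Translate mapped inside addresses; collect private ones with no NAT entry."""
    unmapped = []

    def translate(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:          # e.g. 999.1.1.1 is not an address
            return match.group(0)
        if addr in nat_table:
            return str(nat_table[addr])
        if any(addr in net for net in RFC1918):
            unmapped.append(str(addr))  # still unreachable for the client
        return match.group(0)

    return IPV4_RE.sub(translate, body), unmapped


def rewrite_response(raw):
    """Rewrite the body of a raw HTTP/1.x response and correct Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    new_body, unmapped = rewrite_body(body.decode("utf-8"))
    new_body = new_body.encode("utf-8")
    # The public address is longer than the private one, so the length changes.
    lines = [b"Content-Length: %d" % len(new_body)
             if line.lower().startswith(b"content-length:") else line
             for line in head.split(b"\r\n")]
    return b"\r\n".join(lines) + sep + new_body, unmapped


# Constructed sample response from the web server (not from the original post).
SAMPLE_BODY = (b'<a href="http://10.1.1.21/stream1">Lobby</a>'
               b'<a href="http://10.1.1.99/mjpg">Dock</a>')
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
```

The second return value lists private addresses that appear in the body but have no NAT entry, which is the case where the client would still receive an unreachable URL.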
For more information on how to configure the ASA to use regex to match or drop on traffic inspected in an HTTP stream, check out a podcast episode we did about blocking SQL injections within HTTP streams; the show notes also contain configuration examples: