11-29-2022 11:55 AM
Hello,
I have an STB which needs to access a file on the router.
Because I replaced the ISP router with a CISCO one, I need to redirect port 80 traffic coming from the STB to the router (which is the default gateway) to a local HTTP server.
STB : 192.168.1.3
Router : 192.168.1.254
HTTP Server : 192.168.1.21
WAN port : g0/0/1
interface GigabitEthernet0/0/1
ip dhcp client class-id ISP_CLASS
ip address dhcp
ip nat outside
ip access-group WAN-FIREWALL in
media-type rj45
negotiation auto
spanning-tree portfast
end
VLAN : 1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip dns view-group internallist
ip nat inside
end
STB port : g0/1/6
HTTP Server port : g0/1/3
interface GigabitEthernet0/1/3
switchport mode access
end
interface GigabitEthernet0/1/6
switchport mode access
end
Is there any way to redirect traffic coming from 192.168.1.3 (g0/1/6) to 192.168.1.254 (vlan 1) on port 80 to 192.168.1.21 (g0/1/3) on port 80?
PS: I have a C1111-8P router.
Thanks in advance
12-04-2022 06:17 AM - edited 12-04-2022 06:18 AM
Is there any conflict with the current route, which grants Internet access to only some devices (ACL 10), plus the exposed port of .21 (443) to the Internet:
ip access-list standard 10
10 permit 192.168.1.10
ip nat inside source static tcp 192.168.1.21 443 interface GigabitEthernet0/0/1 443
ip nat inside source list 10 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp
12-04-2022 06:34 AM
Can you post the complete show run so we can understand better?
12-04-2022 08:02 AM
version 17.8
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname C1111-8P
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.08.01a.SPA.bin
boot-end-marker
!
!
ip name-server 192.168.1.21
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.50.1
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool 192.168.10.0
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.1.0
network 192.168.1.192 255.255.255.192
default-router 192.168.1.254
dns-server 192.168.1.21
!
ip dhcp pool 192.168.50.0
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool 192.168.100.0
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool PC
host 192.168.1.10 255.255.255.0
client-identifier [MAC]
dns-server 192.168.1.21
default-router 192.168.1.254
!
ip dhcp pool Box-TV
host 192.168.1.3 255.255.255.0
client-identifier [MAC]
default-router 192.168.1.254
dns-server 192.168.1.21
!
ip dhcp pool Barebone-RJ45
host 192.168.1.21 255.255.255.0
hardware-address [MAC]
default-router 192.168.1.254
dns-server 192.168.1.21
!
!
login block-for 60 attempts 3 within 60
login on-failure log
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
access-session mac-move deny
!
!
no license feature hseck9
license udi pid C1111-8P sn [XXXX]
license boot suite FoundationSuiteK9
license boot level uck9
memory free low-watermark processor 71830
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template webauth-global-inactive
inactivity-timer 3600
et-analytics
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
zone security lan
zone security wan
!
bridge irb
!
interface GigabitEthernet0/0/1
ip dhcp client class-id ISP_ID
ip address dhcp
ip nat outside
ip access-group WAN-FIREWALL in
media-type rj45
negotiation auto
spanning-tree portfast
!
interface GigabitEthernet0/1/0
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport mode access
!
interface GigabitEthernet0/1/2
switchport mode access
!
interface GigabitEthernet0/1/3
switchport mode access
!
interface GigabitEthernet0/1/4
switchport mode access
!
interface GigabitEthernet0/1/5
switchport mode access
!
interface GigabitEthernet0/1/6
switchport mode access
!
interface GigabitEthernet0/1/7
switchport mode access
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip dns view-group internallist
ip nat inside
ip policy route-map route-map-stb-http-redirect
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
ip nat inside
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip nat inside
!
ip http server
ip http port 7080
ip http authentication aaa login-authentication radius-login
ip http authentication aaa exec-authorization exec-radius
ip http secure-server
ip http secure-port 7443
ip http secure-trustpoint TP-self-signed-2992429872
ip forward-protocol nd
ip dns view internal
domain name 8.8.8.8
ip dns view-list internallist
view internal 1
ip dns server
ip dns spoofing
ip nat inside source static tcp 192.168.1.21 443 interface GigabitEthernet0/0/1 443
ip nat inside source list 10 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp
!
!
ip access-list extended WAN-FIREWALL
10 deny ip 74.82.47.0 0.0.0.255 any
20 deny ip 154.0.0.0 0.255.255.255 any
30 deny ip 192.241.0.0 0.0.255.255 any
40 deny ip 109.161.0.0 0.0.255.255 any
50 deny ip 103.0.0.0 0.255.255.255 any
60 deny ip 110.0.0.0 0.255.255.255 any
70 deny ip 142.93.0.0 0.0.255.255 any
80 deny ip 179.43.0.0 0.0.255.255 any
90 deny ip 180.0.0.0 0.255.255.255 any
100 deny ip 181.0.0.0 0.255.255.255 any
110 deny ip 185.7.0.0 0.0.255.255 any
120 deny ip 183.0.0.0 0.255.255.255 any
130 deny ip 193.201.0.0 0.0.255.255 any
140 deny ip 59.0.0.0 0.255.255.255 any
150 deny ip 45.95.147.0 0.0.0.255 any
160 deny ip 138.99.216.0 0.0.0.255 any
170 deny ip 89.248.165.0 0.0.0.255 any
180 deny ip 216.245.221.0 0.0.0.255 any
190 deny ip 218.221.77.0 0.0.0.255 any
200 deny ip 69.162.124.0 0.0.0.255 any
210 deny ip 92.63.197.0 0.0.0.255 any
220 deny ip 80.94.92.0 0.0.0.255 any
230 deny ip 2.57.122.0 0.0.0.255 any
240 deny ip 31.192.111.0 0.0.0.255 any
250 deny ip 36.48.29.0 0.0.0.255 any
260 deny ip 14.49.248.0 0.0.0.255 any
270 deny ip 42.192.234.0 0.0.0.255 any
280 deny ip 45.61.185.0 0.0.0.255 any
290 deny ip 45.148.10.0 0.0.0.255 any
300 deny ip 51.38.12.22 0.0.0.1 any
310 deny ip 61.81.35.0 0.0.0.255 any
320 deny ip 79.44.44.0 0.0.0.255 any
330 deny ip 93.144.17.0 0.0.0.255 any
340 deny ip 96.44.143.0 0.0.0.255 any
350 deny ip 113.246.116.0 0.0.0.255 any
360 deny ip 114.35.127.0 0.0.0.255 any
370 deny ip 118.217.7.0 0.0.0.255 any
380 deny ip 118.201.230.0 0.0.0.255 any
390 deny ip 121.190.147.0 0.0.0.255 any
400 deny ip 121.151.75.0 0.0.0.255 any
410 deny ip 121.162.66.0 0.0.0.255 any
420 deny ip 125.41.223.0 0.0.0.255 any
430 deny ip 125.229.110.0 0.0.0.255 any
440 deny ip 131.159.24.0 0.0.0.255 any
450 deny ip 141.98.9.0 0.0.0.255 any
460 deny ip 162.142.125.0 0.0.0.255 any
470 deny ip 185.167.93.0 0.0.0.255 any
480 deny ip 185.173.35.0 0.0.0.255 any
490 deny ip 186.127.193.0 0.0.0.255 any
500 deny ip 194.195.243.0 0.0.0.255 any
510 deny ip 217.66.217.0 0.0.0.255 any
530 permit tcp any any eq 443 log
540 permit tcp any any eq 51820 log
550 deny tcp any any eq www log
560 deny tcp any any eq telnet log
570 deny tcp any any eq 7080 log
580 deny tcp any any eq domain log
590 deny tcp any any eq 7443 log
600 deny tcp any any eq 22 log
610 permit ip any any
!
logging host 192.168.1.21
ip access-list standard 5
10 permit 0.0.0.0 255.255.255.0
ip access-list standard 10
200 permit 192.168.1.10
230 permit 192.168.1.3
280 permit 192.168.1.21
ip access-list extended 177
10 permit tcp host 192.168.1.10 host 192.168.1.254 eq www log
access-list dynamic-extended
!
route-map route-map-stb-http-redirect permit 10
match ip address 177
set ip default next-hop 192.168.1.21
!
snmp-server manager
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
speed 115200
line vty 0 4
authorization exec exec-radius
accounting exec exec-radius
login authentication radius-login
length 0
transport input ssh
line vty 5 15
authorization exec exec-radius
accounting exec exec-radius
login authentication radius-login
transport input ssh
!
end
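To reason about the posted config without a router at hand, here is an added example (not code from the original post, and not a Cisco tool): a first-match evaluator for the subset of IOS extended-ACL syntax the config uses. The WAN_FIREWALL string is a shortened copy of the posted WAN-FIREWALL ACL, ACL_177 is copied from the posted route-map ACL, and the sample packets, including the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses, are constructed for the demonstration.

```python
"""First-match evaluator for the subset of Cisco IOS extended-ACL syntax that
appears in the posted config: optional sequence number, permit/deny, protocol
ip/tcp/udp, source and destination as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD',
an optional 'eq PORT' after either address, and an optional trailing 'log'.
Added example, not code from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "telnet": 23, "domain": 53, "ssh": 22}

# Subset of the WAN-FIREWALL ACL copied from the posted config (the long run of
# blocklist entries is shortened to two of them; ordering is preserved).
WAN_FIREWALL = """
10 deny ip 74.82.47.0 0.0.0.255 any
300 deny ip 51.38.12.22 0.0.0.1 any
530 permit tcp any any eq 443 log
540 permit tcp any any eq 51820 log
550 deny tcp any any eq www log
560 deny tcp any any eq telnet log
580 deny tcp any any eq domain log
600 deny tcp any any eq 22 log
610 permit ip any any
"""

# ACL 177, copied from the posted config; the STB redirect route-map matches on it.
ACL_177 = """
10 permit tcp host 192.168.1.10 host 192.168.1.254 eq www log
"""

Addr = Tuple[int, int]  # (address, wildcard); a 1 bit in the wildcard means "don't care"


@dataclass
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tok), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        i = 1 if tokens[0].isdigit() else 0  # skip the sequence number
        action, proto = tokens[i], tokens[i + 1]
        i += 2
        src, i = _parse_addr(tokens, i)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _addr_matches(ip: str, addr: Addr) -> bool:
    value, wildcard = addr
    return (_ip(ip) | wildcard) == (value | wildcard)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' from the first matching ACE; anything that
    falls off the end of the list hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_matches(pkt.src, ace.src) or not _addr_matches(pkt.dst, ace.dst):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    wan = parse_acl(WAN_FIREWALL)
    for pkt in (Packet("tcp", "203.0.113.7", "198.51.100.1", dport=443),
                Packet("tcp", "74.82.47.9", "198.51.100.1", dport=443),
                Packet("tcp", "203.0.113.7", "198.51.100.1", dport=22),
                Packet("udp", "203.0.113.7", "198.51.100.1", dport=53)):
        print(pkt, "->", evaluate(wan, pkt))
    stb = Packet("tcp", "192.168.1.3", "192.168.1.254", dport=80)
    print("ACL 177 on STB traffic:", evaluate(parse_acl(ACL_177), stb))
```

Two things this makes visible. First, because the posted WAN-FIREWALL ends in `permit ip any any`, its `deny tcp ... eq domain`, `eq www` and `eq 22` lines only block TCP; a UDP packet to port 53 (or any other UDP port) falls through to the final permit, so the list is a TCP blocklist rather than a default-deny firewall. Second, ACL 177 only matches source host 192.168.1.10, so the STB at 192.168.1.3 never hits the redirect route-map; and even when a packet does match, `set ip default next-hop` changes only the next hop, not the destination address, so 192.168.1.21 would still receive packets addressed to 192.168.1.254.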
12-04-2022 02:07 PM
Hello
@trucicator wrote:
Is there any way to redirect traffic coming from 192.168.1.3 (g0/1/6) to 192.168.1.254 (vlan 1) on port 80 to 192.168.1.21 (g0/1/3) on port 80?
FYI - traffic sourced from and destined for hosts within the same internal VLAN 1 will not even reach the VLAN 1 L3 SVI; the traffic will be locally switched.
Also, it's not clear what you are trying to achieve. Your OP seems to suggest host 192.168.1.21 is a web server and you wish all traffic originating from host 192.168.1.3 to be forwarded to that web server, correct?
12-05-2022 02:14 AM
The ISP has a Router and STB.
I replaced the ISP Router by a CISCO one.
The STB (192.168.1.3) needs to call a web service (port 80) at the gateway (192.168.1.254) in order to work.
As the gateway is now the CISCO router, it cannot deliver the static content on port 80 (192.168.1.254), so I have hosted it on a web server (192.168.1.21). Now I just need to route calls from 192.168.1.3 to 192.168.1.254:80 => 192.168.1.21:80 only. The rest will be routed normally in order to gain access to the Internet.
01-03-2023 04:55 AM
Happy new year to everyone!
Any progress on this config?
Thanks in advance