Port Forwarding Configuration

Anand Narayana
Level 6

Hi,

I have a Cisco ASA 5520. I need to configure port forwarding on the VPN tunnel. E.g. I have almost 100 L2L VPN tunnels. Any client hitting my LAN IP 192.168.1.1 on port 21, my ASA should forward that port 21 traffic to 192.168.2.1. Is it possible on the VPN? Please let me know the configuration. If that doesn't work, let me know any suggestions you have on this. Please note that any other traffic, e.g. if the client is hitting 192.168.1.1:80, should not be forwarded.

Requirement

172.16.1.1 (client) -----> 192.168.1.1:21 -----> 192.168.2.1:21

6 Replies

Hi,

Port forwarding will work over VPN if you're NATing through the tunnel (VPN traffic not included in the NAT exemption).

static (in,out) tcp 192.168.1.1 21 192.168.2.1 21

The above will redirect all TCP 21 coming to 192.168.1.1 to 192.168.2.1

If the VPN client uses 192.168.1.1 to reach 192.168.2.1, it should work.

Federico.

Thanks for the response. Let me try this in my lab in a day or two before configuring it on LIVE. But as mentioned, any other traffic, if the client is hitting

192.168.1.1:80, should be forwarded to a different server, say 192.168.3.1:80, or maybe I can use it on some other server to redirect. That should also work.

Let me know if that too is possible.

If the port 21 port-forwarding rule is applied, there will be no change in the existing access-list on the VPN tunnel (which is already in place), as this rule will forward only when it receives port 21 traffic from the client, isn't it?

or

Is any change required in the access-list?

ie.

While my existing configuration (which you have suggested) is in place, Client ----> 192.168.1.1:21 ----> 192.168.2.1:21

When I do port forwarding on the same server using a different port, say port 80 (as mentioned below), it should also work:

Client -----> 192.168.1.1:80 (this will open the web page on this server itself without redirecting to any other)

or

Client -----> 192.168.1.1:80 -----> 192.168.3.1:80 (which has to redirect to another server)

Yes.

You can use port forwarding to define other ports using the same IP as you mentioned.

This works because you are doing NAT through the tunnel, meaning the access-list for the VPN is directed to the NAT IP.

Federico.

Thanks. Could you just provide me a sample configuration of the access-list which I need to use on the VPN tunnel, or any other configuration required for port forwarding?

Below is my VPN configuration, in addition to your suggested port forwarding configuration (PAT), for your understanding of my current configuration.

interface GigabitEthernet0/0
description OUTSIDE INTERFACE
speed 100
duplex full
nameif outside
security-level 0
ip address 124.123.122.254 255.255.255.0

interface GigabitEthernet0/1
description INSIDE INTERFACE
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0

access-list VPN-CLIENT extended permit ip host 192.168.1.1 host 172.16.1.1

access-list NONAT extended permit ip host 192.168.1.1 host 172.16.1.1

access-list in2out extended permit ip any any


static (inside,outside) tcp 192.168.1.1 21 192.168.2.1 21

global (outside) 1 124.123.122.1 netmask 255.255.255.255

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

access-group out2in in interface outside

access-group in2out in interface inside

Client IP - 172.16.1.1

My Server - 192.168.1.1

My FTP Server ip - 192.168.2.1

The problem that I see is the following:

Client IP - 172.16.1.1

My Server - 192.168.1.1

My FTP Server ip - 192.168.2.1

The ASA will receive the VPN traffic from 172.16.1.1

The ASA has a NAT exemption rule to forward the traffic to 192.168.1.1

After the ASA forwards the packets to 192.168.1.1, the ASA is not going to manipulate the packets again to be able to redirect the packets to 192.168.2.1

ie.

If the ASA receives a packet on its outside interface, it can redirect those packets to an internal IP using port forwarding.

The difference here is that you're telling the ASA to send the packets to a host already on the inside, 192.168.1.1, and then redirect those packets again.

Federico.
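To make the condition Federico states concrete (port forwarding over the tunnel works only when the mapped address is NATed through the tunnel, not NAT-exempted), here is an added configuration example in the pre-8.3 syntax the poster's config uses. It is not from the thread: it assumes the 192.168.2.1 and 192.168.3.1 servers are reachable via the inside interface, that the other L2L peers use a 10.10.10.0/24 network (made up for the exemption entry), and that the out2in access-list the poster references but does not show looks like the one below. Interface, crypto map and tunnel-group configuration are omitted.

```cisco
! Added example, not the poster's or Federico's config. Pre-8.3 ASA syntax.
! Assumed: 192.168.2.1 / 192.168.3.1 live behind "inside"; 10.10.10.0/24 is
! a made-up network for some other L2L peer; out2in is assumed as shown.

! Port-specific static PAT. Packets arriving on outside for 192.168.1.1:21
! are untranslated to 192.168.2.1:21, and 192.168.1.1:80 to 192.168.3.1:80.
static (inside,outside) tcp 192.168.1.1 21 192.168.2.1 21
static (inside,outside) tcp 192.168.1.1 80 192.168.3.1 80
! If a port should stay on 192.168.1.1 itself, map it back to itself
! (identity static PAT); e.g. 443 here. Unmapped ports are unreachable
! from the peer once 192.168.1.1 is no longer NAT-exempt.
static (inside,outside) tcp 192.168.1.1 443 192.168.1.1 443

! Interesting-traffic ACL for this peer. The peer only ever sees the mapped
! address, so the crypto ACL names 192.168.1.1, exactly as in the post.
access-list VPN-CLIENT extended permit ip host 192.168.1.1 host 172.16.1.1

! NAT exemption must NOT contain a 192.168.1.1 <-> 172.16.1.1 entry:
! nat 0 access-list is evaluated before static NAT/PAT, so the exemption
! would win and the statics above would never apply to this peer's traffic.
! Exemption is kept only for other peers (assumed 10.10.10.0/24).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 124.123.122.1 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0

! Inbound ACL on outside, matched against the mapped address/port.
! Not needed while "sysopt connection permit-vpn" (the default) is on,
! but required if that has been disabled.
access-list out2in extended permit tcp host 172.16.1.1 host 192.168.1.1 eq 21
access-list out2in extended permit tcp host 172.16.1.1 host 192.168.1.1 eq 80
access-list out2in extended permit tcp host 172.16.1.1 host 192.168.1.1 eq 443
access-group out2in in interface outside
```

Before touching the live box, verify the translation on the lab unit with `packet-tracer input outside tcp 172.16.1.1 1025 192.168.1.1 21`: the trace should show an UN-NAT phase rewriting the destination to 192.168.2.1, and a second run against port 80 should land on 192.168.3.1. If the trace instead shows the NAT-exempt rule matching, 192.168.1.1 is still covered by NONAT for that peer. `show xlate | include 192.168.1.1` lists the static PAT entries once the config is in place. Note that with the exemption removed, any port of 192.168.1.1 that is not given a static (forwarding or identity) is no longer reachable from 172.16.1.1, so list every port the peer legitimately needs.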

Does it mean that it will work only when I have the 192.168.2.1 server on the DMZ port of the same ASA?
