NAT Port Forward based on public source IP?

Dec 28th, 2011

Hello,


I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10, and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible?

I'm using an ASA5510 but I could also switch to a 5505 for this.


Thanks,

Ruud van Strijp

Julio Carvajal Wed, 12/28/2011 - 09:42

Hello Ruud,


1- What version are you running?

2- So what you want to do is to use one public IP address to map internal users (on the same port).


Let's say you are using 8.2, the inside users are 192.168.1.2, 192.168.1.3 and 192.168.1.4, and the external IP address, the only one you have available, is 6.6.6.6.

You need to access the servers on port 443.

So the configuration would be like this:


! 8.2-style static PAT: each public port on 6.6.6.6 maps to port 443 on a different inside server
static (inside,outside) tcp 6.6.6.6 443 192.168.1.2 443
static (inside,outside) tcp 6.6.6.6 444 192.168.1.3 443
static (inside,outside) tcp 6.6.6.6 445 192.168.1.4 443


access-list outside_in permit tcp any host 6.6.6.6 range 443 445


access-group outside_in in interface outside


Do please rate helpful posts,


Julio

Ruud van Strijp Wed, 12/28/2011 - 23:48

Hello Julio. Thanks for your answer. Too bad port translation like this is not what I am looking for. The clients we use can only connect to a certain set of ports which we cannot change. So we cannot set the client up to connect to port 444 instead of 443, in your example.


We have customers using a hosted Terminal Server environment, all using different public IP addresses. We have a hosted Telephony solution that has no direct VPN connection to their TS environment. So, the CTI client will need to connect from their TS platform to our Telephony platform over public internet. However, they all use different servers on our side as well, and we'd like to use only one public IP address.


In the above situation, there is only one variable changing: the public IP address of the TS platform. So, if we could filter on source IP address (which would be the public IP address of the TS platform) and route based on this, we could run the whole environment with just one public IP address.

ajay chauhan Thu, 12/29/2011 - 02:55

That's not possible with a single IP. Translation does not work like that: one public IP cannot listen on the same ports to redirect traffic on different ports. Also, PBR is not supported on the ASA so far.


Thanks

Ajay
