NAT Port Forward based on public source IP?

Ruud van Strijp
Level 1

Hello,

I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible?

I'm using an ASA5510 but I could also switch to a 5505 for this.

Thanks,

Ruud van Strijp

3 Replies

Julio Carvajal
VIP Alumni

Hello Ruud,

1- What version are you running?

2- So what you want to do is use one public IP address to map internal users (on the same port).

Let's say you are using 8.2, the inside users are 192.168.1.2, 192.168.1.3 and 192.168.1.4, and the external IP address, the only one you have available, is 6.6.6.6.

You need to access the servers on port 443.

So the configuration would be like this:

static (inside,outside) tcp 6.6.6.6 443 192.168.1.2 443
static (inside,outside) tcp 6.6.6.6 444 192.168.1.3 443
static (inside,outside) tcp 6.6.6.6 445 192.168.1.4 443
access-list outside_in permit tcp any host 6.6.6.6 range 443 445
access-group outside_in in interface outside

Do please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
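The same static PAT mapping written for ASA 8.3 and later, where NAT moved to object NAT and the inbound ACL matches the real (inside) addresses instead of the mapped address; this is an added example, not part of Julio's reply, and it assumes the same inside hosts and public IP 6.6.6.6 as his 8.2 configuration (if 6.6.6.6 is the outside interface address itself, use the keyword interface in place of it).

```text
! Each inside server gets its own object and a static PAT entry:
! real port 443 is exposed on 6.6.6.6 at a different mapped port per server.
object network SRV_1
 host 192.168.1.2
 nat (inside,outside) static 6.6.6.6 service tcp 443 443
object network SRV_2
 host 192.168.1.3
 nat (inside,outside) static 6.6.6.6 service tcp 443 444
object network SRV_3
 host 192.168.1.4
 nat (inside,outside) static 6.6.6.6 service tcp 443 445
!
! From 8.3 onward the interface ACL is evaluated after untranslation,
! so it permits the real addresses and the real port, not 6.6.6.6 and 444/445.
access-list outside_in extended permit tcp any host 192.168.1.2 eq 443
access-list outside_in extended permit tcp any host 192.168.1.3 eq 443
access-list outside_in extended permit tcp any host 192.168.1.4 eq 443
access-group outside_in in interface outside
```

Verify the translations with show nat detail and test a flow with packet-tracer input outside tcp 1.2.3.4 12345 6.6.6.6 444 before putting clients on it.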

Hello Julio. Thanks for your answer. Too bad port translation like this is not what I am looking for. The clients we use can only connect to a certain set of ports which we cannot change. So we cannot set the client up to connect to port 444 instead of 443, in your example.

We have customers using a hosted Terminal Server environment, all using different public IP addresses. We have a hosted Telephony solution that has no direct VPN connection to their TS environment. So, the CTI client will need to connect from their TS platform to our Telephony platform over public internet. However, they all use different servers on our side as well, and we'd like to use only one public IP address.

In the above situation, there is only one variable changing: The public IP address of the TS platform. So, if we could filter on source IP address (which would be the public IP address of the TS platform) and route based on this, we could run the whole environment with just one public IP address.

That's not possible with a single IP. Translation does not work like that; one public IP cannot listen on the same ports to redirect traffic to different ports. Also, PBR is not supported on the ASA so far.

Thanks

Ajay
