Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Conditional NAT - How-TO (ASA)

I am not sure if I need an NAT based access-list, route map, twice NAT, or an object based NAT. I've done some reading and I feel like ACL or route-map NAT is the way to go but am looking for guidance. 

My situation is:

  • ASA 5510 Active/Passive
  • Cisco Adaptive Security Appliance Software Version 8.4(7)31.
  • We own "" and we want all partners to continue to use ""
  • We have a partner with an application (Client_A)  that isn't compliant with modern SSL cert requirements. We want to redirect them to a site with our depreciated cert so we can move our other partners to the main site so we can upgrade their SSL cert. 
  • We would go with SNI on apache as a solution but the partner's software potentially won't work with that either. We need to handle this at the firewall and take control of the solution ourselves without adding more work for our developers, web team, etc. 
  • What we will have to do is have partner A access the same dns name and redirect them to another virtual site on another port on the same server as the remaining traffic (let's say port 7443 for Client A)
  • We want the remaining traffic to continue unchanged, to port 443, on the same server that client_A will hit
  • We are not asking the partner to make the change as it requires layers of approval found in giant organizations. We are small and agile and prefer to just force their traffic where we need to. We have all their source IP address ranges. 

So we have client_A (group of network IP ranges) and the rest of the world (any). 

I need something like:

access-list NAT_WWW extended permit tcp object-group client_A eq 443 host eq 7443

access-list NAT_WWW extended permit tcp any eq 443 host eq 443

static (inside,outside) NAT_WWW (however this gets worded)

Let's say the internal server is Where does that fit in to the picture?

Feel free to throw in other suggestions of how to do it with a workable example, either completing this method or demonstrating a different method. I've tried a few variations with a spare IP and a test internet connection and can't seem to get it right.

Everyone's tags (1)



you want to redirect traffic to specific server based on source ip?

i've answered a post quite similar but it was based on service port used. The minding is quite the same.

take a look on this post:

Do I understand well your issue?

let me know.


PS: Please don't forget to rate and mark as correct answer if this solved your issue

PS: Please don't forget to rate and select as validated answer if this answered your question
New Member



External_Partner_A to MY_External_IP eq 443 to Internal_Server_A eq 7443

Any to MY_EXTERNAL_IP eq 443 to Internal_Server_A eq 443

Make sense?