Cisco Support Community
Community Member

NAT Port Forward based on public source IP?


I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server, and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server. Is this possible?

I'm using an ASA5510 but I could also switch to a 5505 for this.


Ruud van Strijp


NAT Port Forward based on public source IP?

Hello Ruud,

1-What version are you running?

2- So what you want to do is to use one public IP address to map internal users (on the same port).

Let's say you are using 8.2 and the inside users are and the external IP address, the only one you have available, is

You need to access the servers on port 443.

So the configuration would be like this:

static (inside,outside) tcp 443 443

static (inside,outside) tcp 444 443

static (inside,outside) tcp 445 192.168.1.2 443

access-list outside_in permit tcp any host range 443 445

access-group outside_in in interface outside

Do please rate helpful posts,


Julio Carvajal
Senior Network Security and Core Specialist
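As an added example (not from the thread, and not Cisco's code), a small Python check of the kind a reviewer might run over a static PAT answer like the one above: it parses the static entries and the inbound ACL, flags any public port claimed by two inside hosts (the same-port case the thread is about) and lists mappings the ACL would leave unreachable. The addresses and the netmask trailer are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample config modelled on the static PAT answer above:
# three inside servers behind one public address, each exposed on a
# distinct public port. All addresses here are invented (RFC 5737 / RFC 1918).
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.10 443 192.168.1.1 443 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 444 192.168.1.2 443 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 445 192.168.1.3 443 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 range 443 445
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) "
                    r"(?:range (\d+) (\d+)|eq (\d+))")

def parse_static_pat(config):
    """Return (proto, global_ip, global_port, local_ip, local_port) per static line."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _inside, _outside, proto, gip, gport, lip, lport = m.groups()
            entries.append((proto, gip, int(gport), lip, int(lport)))
    return entries

def parse_acl_ports(config):
    """Return {(proto, dest_ip): set of permitted inbound ports}."""
    allowed = defaultdict(set)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            _name, proto, ip, lo, hi, eq = m.groups()
            allowed[(proto, ip)].update(range(int(lo), int(hi) + 1) if lo else [int(eq)])
    return allowed

def find_collisions(entries):
    """Public (proto, ip, port) tuples claimed by more than one inside host:
    the same-port case the thread says a single public address cannot serve."""
    seen = defaultdict(set)
    for proto, gip, gport, lip, _lport in entries:
        seen[(proto, gip, gport)].add(lip)
    return {k: v for k, v in seen.items() if len(v) > 1}

def unreachable_mappings(entries, allowed):
    """Static PAT entries whose public port the inbound ACL never permits."""
    return [e for e in entries if e[2] not in allowed.get((e[0], e[1]), set())]
```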
Community Member

NAT Port Forward based on public source IP?

Hello Julio. Thanks for your answer. Too bad port translation like this is not what I am looking for. The clients we use can only connect to a certain set of ports which we cannot change. So we cannot set the client up to connect to port 444 instead of 443, in your example.

We have customers using a hosted Terminal Server environment, all using different public IP addresses. We have a hosted Telephony solution that has no direct VPN connection to their TS environment. So, the CTI client will need to connect from their TS platform to our Telephony platform over public internet. However, they all use different servers on our side as well, and we'd like to use only one public IP address.

In the above situation, there is only one variable changing: The public IP address of the TS platform. So, if we could filter on source IP address (which would be the public IP address of the TS platform) and route based on this, we could run the whole environment with just one public IP address.

NAT Port Forward based on public source IP?

That's not possible with a single IP. Translation does not work like that: one public IP cannot listen on the same ports to redirect traffic on different ports. Also, PBR is not supported on ASA so far.


