Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

NAT Port Forward based on public source IP?

Hello,

I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible?

I'm using an ASA5510 but I could also switch to a 5505 for this.

Thanks,

Ruud van Strijp

3 REPLIES

NAT Port Forward based on public source IP?

Hello Ruud,

1-What version are you running?

2- So what you want to do is to use one public ip address to map internal users( on the same port)

Lets say you are using 8.2 and the inside users are 192.168.1.2- 192.168.1.3- 192.168.1.4 and the external ip address, the only one you have available is 6.6.6.6.

You need to access the servers on port 443.

So the configuration would be like this:

static (inside,outside) tcp 6.6.6.6 443 192.168.1.2 443

static (inside,outside) tcp 6.6.6.6 444 192.168.1.2 443

static (inside,outside) tcp 6.6.6.6 445192.168.1.2 443

access-list outside_in permit tcp any host 6.6.6.6 range 443 445

access-group outside_in in interface outside

Do please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

NAT Port Forward based on public source IP?

Hello Julio. Thanks for your answer. Too bad port translation like this is not what I am looking for. The clients we use can only connect to a certain set of ports which we cannot change. So we cannot set the client up to connect to port 444 instead of 443, in your example.

We have customers using a hosted Terminal Server environment, all using different public IP addresses. We have a hosted Telephony solution that has no direct VPN connection to their TS environment. So, the CTI client will need to connect from their TS platform to our Telephony platform over public internet. However, they all use different servers on our side as well, and we'd like to use only one public IP address.

In the above situation, there is only one variable changing: The public IP address of the TS platform. So, if we could filter on source IP address (which would be the public IP address of the TS platform) and route based on this, we could run the whole environment with just one public IP address.

NAT Port Forward based on public source IP?

Thats not possible with Single IP. Translation does not work like that one Public IP can not listen on same ports to redirect traffic on diffrent ports. Also PBR is not supported on ASA so far.

Thanks

Ajay

1474
Views
0
Helpful
3
Replies
CreatePlease to create content