12-28-2011 12:30 AM - edited 03-11-2019 03:07 PM
Hello,
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10, and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible?
I'm using an ASA5510 but I could also switch to a 5505 for this.
Thanks,
Ruud van Strijp
12-28-2011 09:42 AM
Hello Ruud,
1-What version are you running?
2- So what you want to do is use one public IP address to map internal users (on the same port).
Let's say you are using 8.2, the inside users are 192.168.1.2, 192.168.1.3 and 192.168.1.4, and the external IP address, the only one you have available, is 6.6.6.6.
You need to access the servers on port 443.
So the configuration would be like this:
static (inside,outside) tcp 6.6.6.6 443 192.168.1.2 443
static (inside,outside) tcp 6.6.6.6 444 192.168.1.2 443
static (inside,outside) tcp 6.6.6.6 445 192.168.1.2 443
access-list outside_in permit tcp any host 6.6.6.6 range 443 445
access-group outside_in in interface outside
Do please rate helpful posts,
Julio
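As an added illustration, not part of Julio's post or of any Cisco tool, the Python below parses pre-8.3 style static PAT lines together with the matching access-list and checks two things a reviewer would look for before pushing such a config: whether two statics claim the same public IP, protocol and port (only one can win), and whether every translated port is actually permitted by an ACL on that host (a translation the ACL filters is silently unreachable). The sample config is constructed from the lines in the post above.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the static PAT example in the post above.
ASA_CONFIG = """
static (inside,outside) tcp 6.6.6.6 443 192.168.1.2 443
static (inside,outside) tcp 6.6.6.6 444 192.168.1.2 443
static (inside,outside) tcp 6.6.6.6 445 192.168.1.2 443
access-list outside_in permit tcp any host 6.6.6.6 range 443 445
access-group outside_in in interface outside
"""

# static (real_ifc,mapped_ifc) tcp|udp mapped_ip mapped_port real_ip real_port
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>[\d.]+) (?P<mapped_port>\d+) (?P<real_ip>[\d.]+) (?P<real_port>\d+)$"
)
# Only the 'any -> host X eq N' and 'any -> host X range A B' forms are handled here.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) any host (?P<dst>[\d.]+) "
    r"(?:eq (?P<eq>\d+)|range (?P<lo>\d+) (?P<hi>\d+))$"
)


def parse_statics(config):
    """Return (mapped_ip, proto, mapped_port, real_ip, real_port) per static line."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("static "):
            continue
        m = STATIC_RE.match(line)
        if not m:
            # A malformed static (e.g. a missing space) is an error, not a silent skip.
            raise ValueError(f"unparseable static PAT line: {line!r}")
        entries.append((m["mapped_ip"], m["proto"], int(m["mapped_port"]),
                        m["real_ip"], int(m["real_port"])))
    return entries


def parse_acl_ports(config):
    """Return {(acl_name, dst_ip, proto): set_of_permitted_ports} for 'any' sources."""
    permitted = defaultdict(set)
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        key = (m["name"], m["dst"], m["proto"])
        if m["eq"]:
            permitted[key].add(int(m["eq"]))
        else:
            permitted[key].update(range(int(m["lo"]), int(m["hi"]) + 1))
    return permitted


def find_conflicts(entries):
    """Statics that map the same public ip/proto/port to more than one target."""
    seen = defaultdict(list)
    for mapped_ip, proto, mapped_port, real_ip, real_port in entries:
        seen[(mapped_ip, proto, mapped_port)].append((real_ip, real_port))
    return {k: v for k, v in seen.items() if len(v) > 1}


def unreachable_mappings(entries, permitted):
    """Statics whose mapped port no ACL on that public host permits."""
    missing = []
    for mapped_ip, proto, mapped_port, _real_ip, _real_port in entries:
        open_ports = set()
        for (_name, dst, acl_proto), ports in permitted.items():
            if dst == mapped_ip and acl_proto == proto:
                open_ports |= ports
        if mapped_port not in open_ports:
            missing.append((mapped_ip, proto, mapped_port))
    return missing


def audit(config):
    """Summarise the static PAT entries and the two checks above."""
    entries = parse_statics(config)
    permitted = parse_acl_ports(config)
    return {
        "statics": len(entries),
        "conflicts": find_conflicts(entries),
        "unreachable": unreachable_mappings(entries, permitted),
    }


if __name__ == "__main__":
    print(audit(ASA_CONFIG))
```

Run it on a saved config excerpt to see the three-entry summary; editing two statics onto the same public port, or narrowing the ACL to a single eq port, makes the conflict and unreachable lists non-empty.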
12-28-2011 11:48 PM
Hello Julio. Thanks for your answer. Too bad port translation like this is not what I am looking for. The clients we use can only connect to a certain set of ports which we cannot change. So we cannot set the client up to connect to port 444 instead of 443, in your example.
We have customers using a hosted Terminal Server environment, all using different public IP addresses. We have a hosted Telephony solution that has no direct VPN connection to their TS environment. So, the CTI client will need to connect from their TS platform to our Telephony platform over public internet. However, they all use different servers on our side as well, and we'd like to use only one public IP address.
In the above situation, there is only one variable changing: The public IP address of the TS platform. So, if we could filter on source IP address (which would be the public IP address of the TS platform) and route based on this, we could run the whole environment with just one public IP address.
12-29-2011 02:55 AM
That's not possible with a single IP. Translation does not work like that; one public IP cannot listen on the same ports to redirect traffic on different ports. Also, PBR is not supported on the ASA so far.
Thanks
Ajay