Home / server / Questions / 609487
In Process
Andrey Sapegin
Asked: 2014-07-03 00:31:18 +0800 CST

Cisco ASA: port forwarding to different IP depending on client IP/subnet outside

  • 772

I have Cisco ASA 8.2(5) and would like to configure port forwarding.

Cisco ASA has 2 interfaces:

outside with IP 192.168.57.2
inside with IP 192.168.1.1

I have two subnets reachable through outside interface:

192.168.17.0/24
192.168.18.0/24

And two subnets reachable through inside interface:

192.168.14.0/24
192.168.15.0/24

Now I would like to setup port forwarding so, that the same port on outside interface of ASA is forwarded to different inside hosts, depending on subnet of the client outside:

  1. If client from one subnet connects from outside to ASA on port 4000 (from 192.168.17.124 to 192.168.57.2:4000), I want to forward it to 192.168.14.5:3389.
  2. If client from another subnet connects to the same port on outside interface of ASA (from 192.168.18.124 to 192.168.57.2:4000), I want to forward it to host in another subnet (192.168.15.5:3389).

Is such configuration possible? How could I configure it?

P.S. My current configuration just always forwards the port to the same IP, not depending on client subnet:

object-group service OpenedPorts tcp-udp
 port-object eq 4000
 port-object eq 4002
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list outside_access_in extended permit object-group TCPUDP any any object-group OpenedPorts

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 4000 192.168.14.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4002 192.168.14.6 22 netmask 255.255.255.255
cisco

2 Answers

  1. ASA added Policy Based Routing in 9.4(1), with a versatile list of settings you can apply to selected traffic:

    From release notes:

    Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.

    We introduced the following commands: set ip next-hop verify-availability, set ip next-hop, set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route

    • 1

  2. It seems that you cannot do this on ASA.

    The feature to support this is called "Policy Based Routing". But according to the following link, Cisco support this feature only on routers, but not on ASA-Devices:

    https://supportforums.cisco.com/discussion/11215831/source-routingroute-maps-asa

    • 0