Cisco Firewalls Community

204 Views | 0 Helpful | 8 Replies

How to route traffic based on destination port?

I have several devices that use round robin hard coded NTP servers that I need to accommodate on a network segment.  These devices do not behave correctly unless they can sync to an NTP server.  Since they are not using authenticated NTP, I'd like to re-route any traffic that matches NTP outbound from that network segment so that it is routed to say the nearest nist.gov NTP server, which I'd configure as a static destination IP for the route.

8 Replies
VIP Advisor

Re: How to route traffic based on destination port?

Hope you are looking to do this on ASA.

Look at this example (replace http with ntp):

https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/

BB
*** Rate All Helpful Responses ***

Re: How to route traffic based on destination port?

I don't think that example alters the destination IP, only the path out of the ASA.

VIP Advisor

Re: How to route traffic based on destination port?

You are looking to route to a different path based on the NTP protocol, right?

BB
*** Rate All Helpful Responses ***

Re: How to route traffic based on destination port?

I want to rewrite the destination IP based on the destination port, not just change the next hop.

Hall of Fame Master

Re: How to route traffic based on destination port?

@balaji.bandi asked about what platform this question deals with, and it is not clear what the platform is. But the function of changing the destination address of an IP packet is more the function of a proxy server than it is of a router or an ASA. I do not know of a way to achieve your objective on these platforms.

HTH

Rick

Re: How to route traffic based on destination port?

I'm trying to do this with a 5516-X running 9.12.2 FWIW.

I should add that I saw an example of someone routing to their own internal NTP server, but there they could define the next hop as that server, so effectively rewriting the destination IP was not really required as it is in my example.

Hall of Fame Master

Re: How to route traffic based on destination port?

Thanks for the additional information. The title of the original post asked about routing traffic based on the destination port, and that is what @balaji.bandi addressed in his suggestion. However, it is apparent that what you want to achieve is not to route differently but to change the destination address. As I said, this is more the function of a proxy server than of a router or firewall. I do not know of a way to achieve changing the destination address of certain traffic on your 5516.

HTH

Rick

VIP Advisor

Re: How to route traffic based on destination port?

Hi there,

This sounds like something which could be achieved by using twice NAT with port translation.

In your scenario we will be specifying the source IP, destination IP and destination port, but will only be re-mapping the destination IP. Something like:

!
nat (inside,dmz) source static MyInsNet MyInsNet destination static Server1 <ALT_NTP_SERVER> service REAL_SRC_SVC REAL_SRC_SVC
!

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_rules.html#62600

cheers,

Seb.
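The twice NAT approach above, filled out as a complete ASA configuration for the original poster's NTP scenario. This is an added example written for this page, not configuration from the thread or from Cisco's documentation. Every object name, interface name (inside/outside) and IP address is a constructed placeholder: 192.0.2.x stands for the hard-coded NTP servers the devices try to reach, 203.0.113.5 for the server they should be redirected to, and 10.10.20.0/24 for the affected segment.

```cisco
! Added example (not from the thread): ASA twice NAT that rewrites the
! destination of outbound NTP (UDP/123) from one inside segment, so that
! packets sent to hard-coded public NTP servers land on a chosen server.
! All names, interfaces and addresses are constructed placeholders.

! The inside segment whose devices carry the hard-coded NTP servers
object network SEG_NTP_CLIENTS
 subnet 10.10.20.0 255.255.255.0

! The hard-coded destinations the devices actually send to (one object each)
object network HARDCODED_NTP_1
 host 192.0.2.10
object network HARDCODED_NTP_2
 host 192.0.2.11

! The server they should reach instead (placeholder for the chosen nist.gov host)
object network PREFERRED_NTP
 host 203.0.113.5

! Match only NTP. The same object is used on both sides of "service" below,
! so the port is matched but not translated.
object service NTP_UDP
 service udp destination eq 123

! Twice NAT: source is left unchanged (same object twice), the destination is
! rewritten, and only the destination port is matched. For the destination
! pair the order is: mapped (what the client sends to) then real (where it goes).
! Static destination NAT maps object to object, so one rule per hard-coded host.
nat (inside,outside) source static SEG_NTP_CLIENTS SEG_NTP_CLIENTS destination static HARDCODED_NTP_1 PREFERRED_NTP service NTP_UDP NTP_UDP
nat (inside,outside) source static SEG_NTP_CLIENTS SEG_NTP_CLIENTS destination static HARDCODED_NTP_2 PREFERRED_NTP service NTP_UDP NTP_UDP

! Verification: hit counters on the two rules, and a simulated packet whose
! NAT phase should show the destination translated to 203.0.113.5.
show nat detail
packet-tracer input inside udp 10.10.20.50 50123 192.0.2.10 123 detailed
```

Two points worth checking before relying on this. Twice NAT rules are Section 1 rules and are evaluated in order, so these lines must sit above any broader twice NAT rule for the same segment, or the broader rule wins and the redirect never fires. The static rule is bidirectional, so replies from the preferred server are untranslated back to the hard-coded address the device expects; `show nat detail` hit counts climbing on both rules, together with the devices reporting a successful sync, confirm the redirect is doing what the thread asked for rather than silently being bypassed.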