How to route traffic based on destination port?

I have several devices that use round robin hard coded NTP servers that I need to accommodate on a network segment.  These devices do not behave correctly unless they can sync to an NTP server.  Since they are not using authenticated NTP, I'd like to re-route any traffic that matches NTP outbound from that network segment so that it is routed to say the nearest nist.gov NTP server, which I'd configure as a static destination IP for the route.

8 Replies

balaji.bandi (Hall of Fame)

Hope you are looking to do this on ASA.

Look at this example (replace http with ntp):

https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I don't think that example alters the destination IP, only the path out of the ASA.

You are looking to route NTP traffic to a different path, right?

BB

I want to rewrite the destination IP based on the destination port, not just change the next hop.

@balaji.bandi asked about what platform this question deals with, and it is not clear what the platform is. But the function of changing the destination address of an IP packet is more the function of a proxy server than it is of a router or an ASA. I do not know of a way to achieve your objective on these platforms.

HTH

Rick

I'm trying to do this with a 5516-X running 9.12.2 FWIW.

I should add, I saw an example of someone routing to their own internal NTP server, but there they could define the next hop as that server so effectively rewriting the destination IP was not really required as it is for my example.

Thanks for the additional information. The title of the original post asked about routing traffic based on the destination port. And that is what @balaji.bandi addressed in his suggestion. However it is apparent that what you want to achieve is not to route differently but to change the destination address. As I said this is more the function of a proxy server than of a router or firewall. I do not know of a way to achieve changing the destination address of certain traffic on your 5516.

HTH

Rick

Hi there,

This sounds like something which could be achieved by using twice-NAT with port translation.

In your scenario we will be specifying the source IP, destination IP and destination port, but will only be re-mapping the destination IP. Something like:

!
nat (inside,dmz) source static MyInsNet MyInsNet destination static Server1 <ALT_NTP_SERVER> service REAL_SRC_SVC REAL_SRC_SVC
!

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_rules.html#62600

cheers,

Seb.
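A fuller version of the twice-NAT approach above, as an added example that is not from the thread or from Cisco's documentation: it assumes interfaces named inside and outside, uses RFC 5737 documentation addresses as constructed stand-ins for the device segment, the devices' hard-coded NTP pool and the trusted server, and ends with the packet-tracer check that confirms the destination is rewritten.

```cisco
! Constructed example; addresses are RFC 5737 documentation ranges.
!
! The segment whose devices carry hard-coded NTP servers
object network DEV_SEGMENT
 subnet 192.0.2.0 255.255.255.0
!
! Every address the devices' round-robin NTP name can resolve to.
! The rule matches what the packet actually carries, so an address
! missing from this group is simply not rewritten.
object network HARDCODED_NTP_1
 host 198.51.100.10
object network HARDCODED_NTP_2
 host 198.51.100.11
object-group network HARDCODED_NTP_POOL
 network-object object HARDCODED_NTP_1
 network-object object HARDCODED_NTP_2
!
! The server you trust, e.g. the nearest nist.gov host (placeholder IP)
object network TRUSTED_NTP
 host 203.0.113.5
!
! Match only NTP, so other traffic to those addresses is untouched
object service NTP_UDP
 service udp destination eq 123
!
! Twice NAT. Source is identity-translated (unchanged). For the
! destination the order is "mapped real": the address the device sends
! to comes first, the address the ASA should forward to comes second.
! Several mapped addresses onto one real address is the one-to-many
! static case. The service object is the same on both sides because
! only the address changes, not the port.
nat (inside,outside) source static DEV_SEGMENT DEV_SEGMENT destination static HARDCODED_NTP_POOL TRUSTED_NTP service NTP_UDP NTP_UDP
!
! Verify: the NAT phase of the trace should show 198.51.100.10
! being rewritten to 203.0.113.5 for a device at 192.0.2.25
packet-tracer input inside udp 192.0.2.25 123 198.51.100.10 123
show nat detail
```

Because the devices initiate the exchange, the return packet from the trusted server is matched to the existing connection entry and sent back to the device as if it came from the hard-coded address.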
