07-12-2019 03:17 PM
I have several devices that use round robin hard coded NTP servers that I need to accommodate on a network segment. These devices do not behave correctly unless they can sync to an NTP server. Since they are not using authenticated NTP, I'd like to re-route any traffic that matches NTP outbound from that network segment so that it is routed to say the nearest nist.gov NTP server, which I'd configure as a static destination IP for the route.
07-12-2019 03:35 PM
Hope you are looking to do this on ASA.
Look at this example (replace http with ntp):
https://www.networkstraining.com/cisco-asa-policy-based-routing-pbr/
07-12-2019 03:37 PM
I don't think that example alters the destination IP, only the path out of the ASA.
07-12-2019 03:48 PM
You are looking to route to a different path based on the NTP protocol, right?
07-12-2019 03:49 PM
I want to rewrite the destination IP based on the destination port, not just change the next hop.
07-13-2019 08:29 AM
@balaji.bandi asked about what platform this question deals with, and it is not clear what the platform is. But the function of changing the destination address of an IP packet is more the function of a proxy server than it is of a router or an ASA. I do not know of a way to achieve your objective on these platforms.
HTH
Rick
07-13-2019 11:10 AM - edited 07-13-2019 11:16 AM
I'm trying to do this with a 5516-X running 9.12.2 FWIW.
I should add, I saw an example of someone routing to their own internal NTP server, but there they could define the next hop as that server so effectively rewriting the destination IP was not really required as it is for my example.
07-13-2019 12:07 PM
Thanks for the additional information. The title of the original post asked about routing traffic based on the destination port, and that is what @balaji.bandi addressed in his suggestion. However, it is apparent that what you want to achieve is not to route differently but to change the destination address. As I said, this is more the function of a proxy server than of a router or firewall. I do not know of a way to achieve changing the destination address of certain traffic on your 5516.
HTH
Rick
07-15-2019 12:07 AM
Hi there,
This sounds like something which could be achieved by using twice-NAT with port translation.
In your scenario we will be specifying the source IP, destination IP and destination port, but will only be re-mapping the destination IP. Something like:
nat (inside,dmz) source static MyInsNet MyInsNet destination static Server1 <ALT_NTP_SERVER> service REAL_SRC_SVC REAL_SRC_SVC
cheers,
Seb.
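A fuller version of the twice-NAT approach from the reply above, added here as an illustrative example and not taken from the thread or from Cisco documentation. Interface names (inside, outside), the object names, and the addresses (RFC 5737 documentation ranges standing in for the device's hard-coded NTP server and the chosen replacement server) are all assumptions; the `source dynamic ... interface` form is used so the inside hosts still get PAT'd to the outside interface address, which the identity `source static` form in the thread would not do.

```cisco
! Assumed objects: the segment with the NTP-dependent devices, the NTP address
! they have hard-coded, the server you actually want them to use, and UDP/123.
object network INSIDE_NET
 subnet 192.0.2.0 255.255.255.0
object network HARDCODED_NTP
 host 198.51.100.10
object network REAL_NTP
 host 203.0.113.5
object service NTP_UDP
 service udp destination eq 123
!
! Twice NAT (manual NAT, section 1): for UDP/123 from INSIDE_NET towards
! HARDCODED_NTP, rewrite the destination to REAL_NTP and PAT the source to
! the outside interface. The port is unchanged, so the same service object
! appears on both the mapped and real sides.
nat (inside,outside) source dynamic INSIDE_NET interface destination static HARDCODED_NTP REAL_NTP service NTP_UDP NTP_UDP
!
! Verification: confirm the rule is hit and see the translated destination
! (source address and port below are constructed sample values).
show nat detail
packet-tracer input inside udp 192.0.2.50 50000 198.51.100.10 123
```

Two caveats for this approach: manual NAT rules are evaluated in order within section 1, so this rule must sit above any broader rule that would match the same traffic first; and because the real and mapped sides of a static destination translation must be the same size, a device that resolves a pool name to several hard-coded addresses needs one such rule (or one object pair) per address it may try.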