
Curious if I need Port Forwarding on a Switch running (2) PBR’s




I have an SG500X with 2 PBRs.
LAN uses GE 1/1 for Internet access.

LAN uses GE 1/2 for Internet access.

LAN subnet: regardless of their Internet access, they communicate via the same subnet.


GE 1/1 on SG500X connects to GE 1/2 on an FPR1010 which has a Subnet and has a WAN of x.x.x.182.

So, anything on SG500X will route to which will route to x.x.x.182 for Internet. 

Given that the host would actually be on the 2nd PBR ( for Internet access, it’s still on the that also shares PBR 1 (. Can I create a NAT on the FPR and then a port forward on the switch?

So for example, I want to SSH in to x.x.x.182 port 66 and create a NAT/ACL to redirect that port 66 to and then on the FPR, being is on the PBR2, create a port forward to that IP?


I have created NAT and ACL in every fashion to allow (outside) to SSH to x.x.x.182, which would NAT to (I even tried to NAT to and also added a static route to via), but nothing I do allows me to connect.

Am I right to assume it is because the is on PBR2 and not PBR1, which leads back to x.x.x.182, and therefore has no INCOMING path to it?

So I was wondering if on the SG500X I would need to make a port forward “incoming port 66 ssh goes to”.


Hopefully what I am attempting makes sense enough to get some guidance. 




Jon Marshall


The issue will be the return traffic, because that will go via the g1/2 interface and so be translated to a different public IP, presumably.


So either move to the PBR 1 configuration or set up the SSH to using the other public IP.





Makes sense.

I do not have the option of SSH into the other PBR (2) as it is running through an offsite VPN and that just won’t work, so I may do as you say and move the to the PBR1 range, OR, there are 4 NICs on the host; I wonder if I could leave all as is but add, to the 2nd NIC, an IP from PBR 1 exclusively for the SSH purpose.

I’ll let ya know. Thank you. 

One silly question… Because I had tried so many variations of NAT and ACLs to no avail before I came to realize it wouldn’t work due to the reverse traffic as you mentioned and cross-PBR functionality, I may have confused myself on the NAT on the FPR.

Would I create a NAT on Port 66 from outside/wan to (because is part of its network) or would I do NAT Port 66 from outside/wan to (because the FPR has a static route to it and therefore would automatically know how/where to find .25) (If that were the new IP of the Host)). As I mentioned there is a route


Hello @TheGoob ,

the switch is not able to perform any NAT or port forwarding action.


So you need on the FPR1010 to create a static NAT that will translate directly internal IP address TCP 22 to outside interface TCP 66.


>> or would I do NAT Port 66 from outside/wan to (because the FPR has a static route to it and therefore would automatically know how/where to find .25) (If that were the new IP of the Host)). As I mentioned there is a route


The second option is the only way to make it work; the switch is not able to perform any NAT.


Hope to help



I am curious about your response... You are suggesting internal port 22 to outside port 66, but I actually changed my internal port to 66 from 22. I am mentioning this because I was wondering if that changes any communication or understanding for the FPR. Is it not common practice to change the host's port as I did?

My idea was, since I have 5 devices, instead of having everything on port 25 and changing the outside port, to just have every host have its own unique internal/outside (same) port.

Well I am going to put this to rest, without success.


GE 1/1 - x.x.x.182

GE 1/2 -

     -- All 192.168.1.x are WAN x.x.x.182

GE 1/2 connects to SG500X GE 1/1.



GE 1/1 L3

GE 1/2 - 1/12 - PBR to via GE 1/1

Everything works fine.


I have a device running SSH on Port 66 on

Every other device on can SSH Port 66 into it.

No matter what I do, I cannot get anything WAN side to connect to port 66.

I have tried every variation of ACL and NAT. I've done NO ACL and NAT. NO NAT and ACL. And both ACL and NAT with different variations. Internal port 66 and external port 66. Not using any forwarding from 66 (WAN) to 22 (inside). Just 66 in and out.


MHM Cisco World

I don't fully understand your requirement, BUT
route-map SSH-ACCESS permit 
match ip address 100
set ip next-hop
here the ACL will not be IP but L4 TCP port 66;
this makes only traffic with TCP port 66 as source use the PBR, and other traffic for the same traffic takes the other path via RIB or PBR.



Unless your intention also assumed I would know how to "fill in the blank", I find your answer confusing.

route-map SSH-ACCESS permit 
match ip address 100
set ip next-hop

What part of that implies port 66 for my [source] and destination SSH port on device? I understand the name SSH-ACCESS permit to "allow" it, but what is the 'match ip address 100'? I am unsure what 100 means. As far as 'ip next-hop', does this refer to "incoming", as in it would be

I DO understand your next comment about adding it to the TOP of the PBRs.


Here is a picture to hopefully make more sense. 




ip access-list extended 100
permit tcp host<   > host<   > eq 22

Forgive my slow thinking...

Would I translate that to;


route-map SSH-ACCESS permit
match ip address 100
set ip (the IP pointed towards the FPR1010 from the SG500X?)

ip access-list extended 100
permit tcp host host eq 22


Man I just do not know why I am having a mental issue over comprehending this.

Don't say that, all of us sometimes need help.
And yes, your config is perfect.
This makes only traffic for SSH go to the FPR;
other traffic within the same subnet will go to the other GW <<- here you need to add another PBR line.

route-map SSH-ACCESS permit 10
route-map SSH-ACCESS permit 20 
match ip address <ACL of other traffic>
set ip next-hop <IP ADD>

Beautiful, thank you.


I do indeed currently have a PBR1 that does tell to use it [] as its Internet gateway, which communicates back to the FPR.

I will give this a shot tonight if I get home early enough or tomorrow and keep you updated.


Thank you

MHM Cisco World

ONE important point:
if you add a PBR line after any line that has an ACL permitting the same subnet, then this PBR line will never be checked by the SW; you need to add it at the top of the PBR.
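To see why the ordering warning above matters, here is an added Python model of first-match route-map evaluation; it is example code, not anything from this thread, from Cisco or from the SG500X itself, and the LAN subnet, host IP and next-hop addresses are constructed placeholders because the thread's real IPs did not survive extraction. It also illustrates Jon's earlier point: when the SSH clause is shadowed, the host's replies leave toward the second gateway, i.e. a different public IP than the x.x.x.182 the inbound NAT used.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp host A eq 66 any'."""
    proto: str                      # "ip" matches any protocol
    src: str                        # CIDR
    dst: str                        # CIDR
    src_port: Optional[int] = None  # 'eq' on the source port
    dst_port: Optional[int] = None  # 'eq' on the destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.src_port is None or pkt.get("sport") == self.src_port)
                and (self.dst_port is None or pkt.get("dport") == self.dst_port))

@dataclass(frozen=True)
class Seq:
    """One 'route-map ... permit N' clause: match an ACL, set a next-hop."""
    acl: tuple
    next_hop: str

def pbr_next_hop(route_map: List[Seq], pkt: dict) -> Optional[str]:
    """First-match evaluation; None means 'no clause matched, use the RIB'."""
    for seq in route_map:
        if any(ace.matches(pkt) for ace in seq.acl):
            return seq.next_hop
    return None

# Constructed placeholder addressing (assumed, not the thread's real values).
LAN = "10.0.0.0/24"          # assumed SG500X LAN subnet
SSH_HOST = "10.0.0.25"       # assumed SSH host (the thread mentions ".25")
TO_FPR = "10.0.0.1"          # assumed next-hop toward the FPR1010 (GE 1/1 path)
TO_PBR2 = "10.0.0.2"         # assumed next-hop toward the second Internet gateway

SSH_RETURN = (Ace("tcp", f"{SSH_HOST}/32", "0.0.0.0/0", src_port=66),)
LAN_ANY = (Ace("ip", LAN, "0.0.0.0/0"),)
CORRECT = [Seq(SSH_RETURN, TO_FPR), Seq(LAN_ANY, TO_PBR2)]   # SSH clause first
SHADOWED = [Seq(LAN_ANY, TO_PBR2), Seq(SSH_RETURN, TO_FPR)]  # SSH clause never reached

def ssh_reply() -> dict:  # the host answering an inbound SSH session on port 66
    return {"proto": "tcp", "src": SSH_HOST, "dst": "203.0.113.7", "sport": 66, "dport": 51000}

def other_traffic() -> dict:  # ordinary outbound HTTPS from the same host
    return {"proto": "tcp", "src": SSH_HOST, "dst": "198.51.100.9", "sport": 40000, "dport": 443}
```

With SHADOWED, the SSH reply is steered to TO_PBR2 by the broad subnet clause, so it exits behind the other public IP and the session set up through x.x.x.182 never completes.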


I have not gotten around to doing this yet due to work. I did have an in-between, indirect question.

Why is it that no device on the can connect to (SG500X) unless I remove the gateway? On my PC, no matter what IP I use, I cannot connect to unless I remove my PC/host gateway. If I leave it, I can then connect to

Oddly enough, with a gateway, I can connect to (FPR1010) that the SG500X connects to. How is that even possible? I’d love to be able to configure my SG500X from my PC losing my gateway and therefore Internet as well.

I assume it is because the uses PBR to for Internet access, maybe disabling my ability to do so?
