Configuring a Cisco ASA firewall for policy-based routing follows the same logic as configuring a Cisco router, but the commands differ slightly.

Caution:

Source NAT (IP spoofing) is not supported with Cisco ASA firewalls.

This means that with Cisco ASA you cannot spoof the client's source IP towards the destination servers: the servers see SPS's IP address as the source of every audited connection. Any server-side access control, rate limiting or logging that keys on the client IP must take this into account.

The following describes how to configure a Cisco ASA firewall to redirect selected traffic to SPS instead of its original destination. Policy-based routing requires ASA software 9.4(1) or later. This procedure should work on most modern Cisco ASA software releases; it was specifically tested on Cisco Adaptive Security Appliance Software Version 9.6(2)3.

To configure a Cisco ASA Firewall to redirect selected traffic to SPS instead of its original destination

  1. Define network objects that match the subnets or hosts that you want to monitor, and the service objects that the ACL in the next step refers to (RDP on TCP 3389 and SSH on TCP 22, identified by destination port for the client's request and by source port for the server's reply):

    !Define SSH and RDP hosts/subnets as desired below
    object network SSHHosts
     subnet <SSHHosts Subnet IP> <SSHHosts Subnet Netmask>
    object-group network SSHtoSCB
     network-object object SSHHosts
    object network RDPHost
     host <RDPHost IP>
    object-group network RDPtoSCB
     network-object object RDPHost
    !
    !Service objects referenced by the ACL: destination port for the request,
    !source port for the reply
    object service rdp3389
     service tcp destination eq 3389
    object service rdp3389-response
     service tcp source eq 3389
    object service ssh22
     service tcp destination eq 22
    object service ssh22-response
     service tcp source eq 22
    
  2. Create the ACL (Access Control List) entries that match the objects above. Each protocol gets one entry for the client-to-server direction (matched on destination port) and one for the server's replies (matched on source port):

    !Allow RDP and SSH and their reply packets to SCB
    access-list acl_pbr_ToSCB extended permit object rdp3389 any object-group RDPtoSCB
    access-list acl_pbr_ToSCB extended permit object rdp3389-response object-group RDPtoSCB any
    access-list acl_pbr_ToSCB extended permit object ssh22 any object-group SSHtoSCB
    access-list acl_pbr_ToSCB extended permit object ssh22-response object-group SSHtoSCB any

    Keep in mind that whatever is permitted by this ACL is exactly what will be policy-routed to SPS, so narrow the entries down as much as possible: an entry that is too broad silently sends unrelated traffic through SPS, while one that is too narrow lets sessions bypass auditing.

    TIP:

    Unlike Cisco IOS routers, whose ACLs use inverse (wildcard) masks, the Cisco ASA uses ordinary subnet masks (for example 255.255.255.0) in access-lists and network objects. Do not convert the mask when porting a router ACL to the ASA: an inverse mask entered on the ASA matches the wrong addresses.

  3. Create a route-map entry. It controls which packets are affected by policy routing and where they are forwarded. The match command specifies the condition under which policy routing occurs (here: the packet is permitted by acl_pbr_ToSCB); the set command specifies the routing action to perform when that condition is met (here: forward the packet to SPS as the next hop). A new route-map can be defined as follows:

    !Define routing to SCB
    route-map ToSCB permit
     match ip address acl_pbr_ToSCB
     set ip next-hop <SCB IP>
    

    Apply the route-map to the appropriate interface. On the ASA this is done with the policy-route command in interface configuration mode (the ip policy route-map form is Cisco IOS syntax and is not accepted by the ASA). Policy-based routing is evaluated on traffic entering an interface, so apply the route-map on the interface where the connections you want to redirect arrive at the ASA; for client-initiated connections towards the servers this is the client-facing interface.

    !Set it on interface as needed
    interface <interface-where-the-matched-traffic-enters>
     policy-route route-map ToSCB
    
    Before relying on the redirection, trace a sample connection through the ASA with packet-tracer, for example packet-tracer input <client-facing interface> tcp <client IP> 40000 <RDPHost IP> 3389, and confirm that the output forwards the flow to <SCB IP>. Then open a test session and check that it appears in SPS.

    Expected result:

    The traffic from the clients targeting the specified ports of the servers is redirected to SPS, so SPS can be configured to control and audit it. Traffic that does not match the ACL keeps its normal route and is not audited.

    The full configuration for the above topology:

    !
    !Define SSH and RDP hosts/subnets as desired below
    object network SSHHosts
     subnet <SSHHosts Subnet IP> <SSHHosts Subnet Netmask>
    object-group network SSHtoSCB
     network-object object SSHHosts
    object network RDPHost
     host <RDPHost IP>
    object-group network RDPtoSCB
     network-object object RDPHost
    !
    !Service objects referenced by the ACL
    object service rdp3389
     service tcp destination eq 3389
    object service rdp3389-response
     service tcp source eq 3389
    object service ssh22
     service tcp destination eq 22
    object service ssh22-response
     service tcp source eq 22
    !
    !Allow RDP and SSH and their reply packets to SCB
    access-list acl_pbr_ToSCB extended permit object rdp3389 any object-group RDPtoSCB
    access-list acl_pbr_ToSCB extended permit object rdp3389-response object-group RDPtoSCB any
    access-list acl_pbr_ToSCB extended permit object ssh22 any object-group SSHtoSCB
    access-list acl_pbr_ToSCB extended permit object ssh22-response object-group SSHtoSCB any
    !
    !Define routing to SCB
    route-map ToSCB permit
     match ip address acl_pbr_ToSCB
     set ip next-hop <SCB IP>
    !
    !Set it on the interface where the matched traffic enters the ASA
    interface <interface-where-the-matched-traffic-enters>
     policy-route route-map ToSCB
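
    The procedure above, as an added example that is not part of the original page or of the SPS product: a Python script that renders the complete ASA configuration from a handful of variables (so the object names, masks and ACL entries stay consistent) and evaluates sample TCP flows against acl_pbr_ToSCB to show what will and will not be redirected to SPS. The object, ACL and route-map names are taken from the page; the addresses (10.10.0.0/24, 10.20.0.7, 192.0.2.50), the interface GigabitEthernet0/1 and the sample client flows are constructed values, and the Ace class is a simplified model of ASA ACL evaluation (TCP only, any matching permit entry redirects) written for this example.

```python
"""Added example: render the ASA PBR configuration from the page and check which
flows its ACL redirects to SPS.  Names come from the page; addresses, interface
and sample flows are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SCB_IP = "192.0.2.50"                  # constructed: SPS (formerly SCB) address
SSH_SUBNET = "10.10.0.0/24"            # constructed: servers whose SSH is audited
RDP_HOST = "10.20.0.7"                 # constructed: server whose RDP is audited
INGRESS_IFACE = "GigabitEthernet0/1"   # constructed: where client traffic enters

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One 'extended permit' entry: TCP, optional source/destination port.
    Simplified model of ASA ACL matching, written for this example."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]
    dport: Optional[int]

    def matches(self, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


def build_acl() -> List[Ace]:
    """acl_pbr_ToSCB: request entries match on dst port, reply entries on src port."""
    ssh = ipaddress.ip_network(SSH_SUBNET)
    rdp = ipaddress.ip_network(RDP_HOST + "/32")
    return [
        Ace(ANY, rdp, None, 3389),  # rdp3389           any      -> RDPtoSCB
        Ace(rdp, ANY, 3389, None),  # rdp3389-response  RDPtoSCB -> any
        Ace(ANY, ssh, None, 22),    # ssh22             any      -> SSHtoSCB
        Ace(ssh, ANY, 22, None),    # ssh22-response    SSHtoSCB -> any
    ]


def redirected(src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
    """True if the flow is permitted by the ACL and therefore policy-routed to
    SCB_IP.  Anything else keeps its normal route and is NOT audited by SPS."""
    return any(a.matches(src_ip, sport, dst_ip, dport) for a in build_acl())


def render_config() -> str:
    """Emit the ASA configuration.  Note the plain subnet mask (netmask, not the
    IOS-style inverse hostmask) and the ASA command 'policy-route route-map'."""
    ssh = ipaddress.ip_network(SSH_SUBNET)
    lines = [
        "!Define SSH and RDP hosts/subnets as desired below",
        "object network SSHHosts",
        f" subnet {ssh.network_address} {ssh.netmask}",
        "object-group network SSHtoSCB",
        " network-object object SSHHosts",
        "object network RDPHost",
        f" host {RDP_HOST}",
        "object-group network RDPtoSCB",
        " network-object object RDPHost",
        "!",
        "!Service objects referenced by the ACL",
        "object service rdp3389", " service tcp destination eq 3389",
        "object service rdp3389-response", " service tcp source eq 3389",
        "object service ssh22", " service tcp destination eq 22",
        "object service ssh22-response", " service tcp source eq 22",
        "!",
        "!Allow RDP and SSH and their reply packets to SCB",
        "access-list acl_pbr_ToSCB extended permit object rdp3389 any object-group RDPtoSCB",
        "access-list acl_pbr_ToSCB extended permit object rdp3389-response object-group RDPtoSCB any",
        "access-list acl_pbr_ToSCB extended permit object ssh22 any object-group SSHtoSCB",
        "access-list acl_pbr_ToSCB extended permit object ssh22-response object-group SSHtoSCB any",
        "!",
        "!Define routing to SCB",
        "route-map ToSCB permit 10",
        " match ip address acl_pbr_ToSCB",
        f" set ip next-hop {SCB_IP}",
        "!",
        "!Apply on the interface where the matched traffic enters the ASA",
        f"interface {INGRESS_IFACE}",
        " policy-route route-map ToSCB",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config())
    # Constructed sample flows: a client at 172.16.1.9 talking to the servers.
    for flow in [("172.16.1.9", 50000, "10.20.0.7", 3389),   # RDP to RDPHost
                 ("172.16.1.9", 50000, "10.20.0.7", 22),     # SSH to RDPHost
                 ("172.16.1.9", 50000, "10.10.0.44", 22),    # SSH inside SSHHosts
                 ("172.16.1.9", 50000, "10.10.1.44", 22)]:   # SSH outside SSHHosts
        print(flow, "-> SPS" if redirected(*flow) else "-> normal route")
```

    Run it and compare the rendered configuration with the device's running-config; the flow checks make the scoping point of step 2 concrete: SSH to the RDP-only host and SSH to an address just outside the SSHHosts subnet are not redirected and would therefore never be audited by SPS.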