How do I NAT based on destination port while source port can be ANY

Unanswered Question
May 8th, 2012

Goal: I want to forward Internet-bound HTTP and HTTPS traffic to a proxy via an IPSEC tunnel. I want to maintain my private IP as it goes across the IPSEC tunnel. I also want the remaining Internet traffic to route normally by NATing to my outside address.


In 8.4 this is quite easy, as I can specify a destination port and have "any" source port for the NAT.

Here is a snapshot of the config:

object service Proxy_HTTP
 service tcp destination eq www
object service Proxy_HTTPS
 service tcp destination eq https
!
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
!
object network Non_Proxy
 nat (any,outside) dynamic interface


PROBLEM: I need this behavior in 8.2.x. I have found no way to mimic this.

You cannot use NAT exemption, as it cannot be port-based.

A static policy NAT with an access list will not work, as you must specify a single source port. Since there is no way to predict the source port, this won't work.

I don't see any of the other NAT Types working this way.


If there is a way to make this work in 8.2, please let me know. We have many ASAs and we are not ready to make the leap to 8.4, but we need to use the proxy.
