Goal - I want to forward Internet bound HTTP and HTTPS traffic to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes accross the IPSEC Tunnel - I also want remaining Internet Traffic to route Normally by NATing to my outside address.
In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
Here is a snap shot of the config:
object service Proxy_HTTP
service tcp destination eq www
object service Proxy_HTTPS
service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
object network Non_Proxy
nat (any,outside) dynamic interface
PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.
You cannot use NAT Exemption as it cannot be port based
A static policy NAT with Access list will not work as you must specify a single source port - Since there is no way to predict the source port this wont work.
I don't see any of the other NAT Types working this way.
If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.