Community Member

How do I NAT based on destination port while source port can be ANY

Goal - I want to forward Internet-bound HTTP and HTTPS traffic to a proxy via an IPsec tunnel. I want to maintain my private IP as it goes across the IPsec tunnel. I also want the remaining Internet traffic to route normally by NATing to my outside address.

In 8.4 this is quite easy, as I can specify a destination port and have "any" source port for the NAT.

Here is a snapshot of the config:

object service Proxy_HTTP
 service tcp destination eq www
object service Proxy_HTTPS
 service tcp destination eq https
nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
!
object network Non_Proxy
 nat (any,outside) dynamic interface

PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.

You cannot use NAT exemption, as it cannot be port based.

A static policy NAT with an access list will not work, as you must specify a single source port. Since there is no way to predict the source port, this won't work.

I don't see any of the other NAT Types working this way.

If there is a way to make this work in 8.2, please let me know. We have many ASAs and we are not ready to make the leap to 8.4, but we need to use the proxy.

1109 Views | 0 Helpful | 0 Replies
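The following is an added illustration, not code from the poster or from Cisco: a small Python model of the first-match NAT evaluation that the 8.4 configuration above relies on. Manual (twice) NAT rules in Section 1 are checked in configuration order before object NAT in Section 2, and the two service-object rules match only on the TCP destination port, never on the source port. The inside subnet 10.0.0.0/8, the outside interface address 203.0.113.1 and the sample flows are constructed values; the model ignores interface pairs, destination translation and the tunnel itself, since only source-translation selection is at issue here.

```python
"""Model of ASA 8.4-style NAT rule selection (added example, not Cisco code).

Evaluation is top-down, first match wins: Section 1 (manual/twice NAT) before
Section 2 (object NAT). The two port-specific identity rules keep the private
source address for HTTP/HTTPS; everything else falls through to dynamic PAT.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder for the ASA's outside interface address.
OUTSIDE_IF_ADDR = "203.0.113.1"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int          # ephemeral source port; deliberately never consulted by any rule
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatRule:
    name: str
    section: int                        # 1 = manual/twice NAT, 2 = object NAT
    src_net: str                        # "any" or a CIDR string
    proto: str = "any"                  # "any", "tcp" or "udp"
    dport: Optional[int] = None         # None = any destination port
    translate_to: Optional[str] = None  # None = identity (keep private IP), else PAT address

    def matches(self, f: Flow) -> bool:
        if self.src_net != "any" and ip_address(f.src) not in ip_network(self.src_net):
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def translate(rules, flow: Flow):
    """Return (matching rule name, translated source IP) for one flow.

    sorted() is stable, so rules keep configuration order within a section
    while Section 1 is always evaluated ahead of Section 2.
    """
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches(flow):
            new_src = flow.src if rule.translate_to is None else rule.translate_to
            return rule.name, new_src
    return "no-nat", flow.src


# The three rules from the 8.4 snapshot. The Non_Proxy object's subnet is not
# shown in the post; 10.0.0.0/8 is a constructed assumption.
POLICY = [
    NatRule("Proxy_HTTP", 1, "any", "tcp", 80),
    NatRule("Proxy_HTTPS", 1, "any", "tcp", 443),
    NatRule("Non_Proxy", 2, "10.0.0.0/8", translate_to=OUTSIDE_IF_ADDR),
]

# Constructed sample flows: random source ports, differing destination ports.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", 51234, "198.51.100.10", 80),
    Flow("10.1.1.5", 40001, "198.51.100.10", 443),
    Flow("10.1.1.5", 40002, "198.51.100.10", 22),
    Flow("10.1.1.5", 40003, "198.51.100.10", 80, proto="udp"),
]


def evaluate_samples(rules=POLICY):
    """Map each sample flow to its (rule, translated source) decision."""
    return {(f.dport, f.proto): translate(rules, f) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (dport, proto), (rule, src) in evaluate_samples().items():
        print(f"{proto}/{dport:<4} -> rule {rule:<12} source seen by peer: {src}")
```

Running the script shows TCP/80 and TCP/443 leaving with the private source address while TCP/22 and UDP/80 are PATed to the interface address. Re-running `translate` with the PAT rule moved into Section 1 ahead of the service rules shows why ordering, not just port matching, decides whether the proxy ever sees the private address.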