To my understanding the ASA does not have any configuration option directly to do a Static PAT/Static NAT that ignores a certain port.
I would personally suggest simply doing Static PAT for each service that is needed. I would imagine that there are not that many services running on a single host that it would be impossible to do.
I guess if you wanted to try to forward all but the port TCP/443 then you would have to make a configuration that includes all but that port.
I do have to say that I just managed to make my home ASA unresponsive while adding these configurations, so I am wondering if it ran out of memory (old ASA5505) or something :)
EDIT: It might also be the fact that it reserves almost all the ports to the ASA, so I would advise against using it in its current form. For example, if you have SSH configured on the ASA it might cause problems with that also. If it even accepts the configuration at all.
object service TCP-1-442
 service tcp source range 1 442
object service TCP-444-65534
 service tcp source range 444 65534
object network DMZ-SERVER
 host x.x.x.x
nat (dmz,outside) source static DMZ-SERVER interface service TCP-1-442 TCP-1-442
nat (dmz,outside) source static DMZ-SERVER interface service TCP-444-65534 TCP-444-65534
Though now that I am thinking about the above configuration setup, would this not eat up all your ports related to PAT translations? I am not sure how the ASA would react to using this configuration (or if it would even be able to reserve the ports) if any of your internal hosts wanted to connect to the public network. I would imagine that their connections might start getting dropped after entering this configuration.
So as I said, I would consider just doing Static PAT for the TCP/UDP ports that you actually need, since I can't really see the above configuration being feasible. Maybe I shouldn't have even included it in the post :)
For Static PAT you can use the following configuration format as an example for the ports/services needed.
Just wanted to mention this in a separate post/reply.
I would suggest going with separate Static PAT configurations rather than trying the above first example. In your setup (with a single IP address only) it will most likely cause problems and perhaps do the same to your ASA that it did to mine :)
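As an added illustration of the "all ports except some" construction the reply above describes (this is not the poster's configuration and has not been verified on an ASA), the following Python script computes the complementary port ranges for a set of ports to keep off the forward, renders them in the same object/nat format as the post, and counts how many interface ports the rule set would reserve, which is the PAT exhaustion concern the poster raises. The object name, host address and interface names are assumed placeholders.

```python
from typing import Iterable, List, Tuple

def complement_ranges(excluded: Iterable[int], lo: int = 1, hi: int = 65535) -> List[Tuple[int, int]]:
    """Return the contiguous port ranges within [lo, hi] that avoid every excluded port.

    The reply above shows the single-port case: excluding 443 gives 1-442 and 444-65534
    (the post stops at 65534; the default here is the full TCP range up to 65535).
    """
    ranges: List[Tuple[int, int]] = []
    start = lo
    for port in sorted(set(excluded)):
        if port < lo or port > hi:
            continue                      # outside the range, nothing to split
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges

def ports_reserved(excluded: Iterable[int], lo: int = 1, hi: int = 65535) -> int:
    """Number of interface ports the static rules would claim, leaving that many
    fewer for dynamic PAT of inside hosts sharing the same public address."""
    return sum(b - a + 1 for a, b in complement_ranges(excluded, lo, hi))

def render_asa_config(real_object: str, real_ip: str, excluded: Iterable[int],
                      proto: str = "tcp", real_if: str = "dmz", mapped_if: str = "outside",
                      lo: int = 1, hi: int = 65535) -> List[str]:
    """Emit service objects and twice-NAT lines in the same shape as the post's example.
    Names, address and interfaces are assumed placeholders, not a tested ASA config."""
    lines = [f"object network {real_object}", f" host {real_ip}"]
    nat_lines = []
    for a, b in complement_ranges(excluded, lo, hi):
        name = f"{proto.upper()}-{a}-{b}"
        lines += [f"object service {name}", f" service {proto} source range {a} {b}"]
        nat_lines.append(
            f"nat ({real_if},{mapped_if}) source static {real_object} interface service {name} {name}")
    return lines + nat_lines

if __name__ == "__main__":
    # Constructed input: keep 443 and the ASA's own SSH port (22) off the forward.
    for line in render_asa_config("DMZ-SERVER", "192.0.2.10", {22, 443}):
        print(line)
    print("ports reserved on the interface:", ports_reserved({22, 443}))
```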