Cisco Support Community

New Member

Static 1-1 NAT - but exempt port 443 for SSL VPN

Hi All,


I have only 1 single IP to play around with on the outside interface.

There is a need for Anyconnect VPN Access to the outside interface


Existing config: Static 1-to-1 NAT (DMZ server) to outside interface

object network DMZ_Server
 nat (any,OUTSIDE) static interface


Based on that: any incoming 443 port goes into the NAT-ed server.

How do I exempt port 443 so that the service is redirected to the SSL VPN instead?


Please advise


Super Bronze

Hi,
To my understanding the ASA does not have any configuration option directly to do a Static PAT/Static NAT that ignores a certain port.


I would personally suggest simply doing Static PAT for each service that is needed. I would imagine that there are not that many services running on a single host that it would be impossible to do.


I guess if you wanted to try forward all but the port TCP/443 then you would have to make a configuration that includes all but that port.


I do have to say that I just managed to make my home ASA unresponsive while adding these configurations, so I am wondering if it ran out of memory (old ASA5505) or something :)


EDIT: It might also be the fact that it reserves almost all the ports to the ASA, so I would advise against using it in its current form. For example, if you have SSH configured on the ASA it might cause problems with that also, if it even accepts the configuration at all.


object service TCP-1-442
 service tcp source range 1 442


object service TCP-444-65534
 service tcp source range 444 65534


object network DMZ-SERVER
 host x.x.x.x


nat (dmz,outside) source static DMZ-SERVER interface service TCP-1-442 TCP-1-442
nat (dmz,outside) source static DMZ-SERVER interface service TCP-444-65534 TCP-444-65534


Though now that I think about the above configuration setup, would this not eat up all your ports related to PAT translations? I am not sure how the ASA would react to using this configuration (or if it would even be able to reserve the ports) if any of your internal hosts wanted to connect to the public network. I would imagine that their connections might start getting dropped after entering this configuration.


So as I said, I would consider just doing Static PAT for the TCP/UDP ports that you actually need, since I can't really see the above configuration being feasible. Maybe I shouldn't have even included it in the post :)


For Static PAT you can use the following configuration format as an example for the ports/services needed.


object network DMZ-SERVER-TCP80
 host x.x.x.x
 nat (dmz,outside) static interface service tcp 80 80


You will need to make a separate "object" for each "nat" configuration.


- Jouni
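As an added example (not from the thread and not Cisco tooling), here is a small Python check that parses the two configuration forms posted above and reports which ports the ASA itself needs on the outside interface address (assumed here: 443 for AnyConnect as in the question, 22 if SSH management is enabled) would be captured by the PAT rules. It shows that the two-range approach does leave 443 alone but would grab SSH, while the per-service static PAT does not.

```python
import re

# Constructed sample: the "forward every port except 443" attempt from the
# reply above (x.x.x.x placeholder kept as in the post).
RANGE_CONFIG = """\
object service TCP-1-442
 service tcp source range 1 442
object service TCP-444-65534
 service tcp source range 444 65534
object network DMZ-SERVER
 host x.x.x.x
nat (dmz,outside) source static DMZ-SERVER interface service TCP-1-442 TCP-1-442
nat (dmz,outside) source static DMZ-SERVER interface service TCP-444-65534 TCP-444-65534
"""
# Constructed sample: the per-service static PAT alternative.
PAT80_CONFIG = """\
object network DMZ-SERVER-TCP80
 host x.x.x.x
 nat (dmz,outside) static interface service tcp 80 80
"""
# Ports the ASA itself needs on the outside interface address (assumption:
# 443 for AnyConnect as in the question, 22 if SSH management is enabled).
ASA_OWN_PORTS = {443: "AnyConnect/SSL VPN", 22: "SSH management"}

def parse_mapped_ports(config):
    """Map each 'interface' PAT rule to the set of mapped TCP ports it claims."""
    svc, cur, rules = {}, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object service (\S+)$", line):
            cur = m.group(1)
        elif (m := re.match(r"service tcp source (?:range (\d+) (\d+)|eq (\d+))$", line)) and cur:
            lo, hi, eq = m.groups()
            svc[cur] = set(range(int(lo), int(hi) + 1)) if lo else {int(eq)}
        # twice NAT: ... service REAL_SVC MAPPED_SVC (the mapped object decides the port)
        elif m := re.match(r"nat \(\S+\) source static \S+ interface service \S+ (\S+)$", line):
            rules[line] = svc.get(m.group(1), set())
        # object NAT: ... service tcp REAL MAPPED
        elif m := re.match(r"nat \(\S+\) static interface service tcp (\d+) (\d+)$", line):
            rules[line] = {int(m.group(2))}
    return rules

def find_conflicts(config, own_ports=ASA_OWN_PORTS):
    """Return {port: (asa_service, rule)} for ASA-owned ports a rule would capture."""
    return {port: (name, rule)
            for rule, ports in parse_mapped_ports(config).items()
            for port, name in own_ports.items() if port in ports}

if __name__ == "__main__":
    print(find_conflicts(RANGE_CONFIG) or "no conflicts")
```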

Super Bronze

Hi,
Just wanted to mention this in a separate post/reply.


I would suggest going with separate Static PAT configurations rather than trying the above first example. In your setup (with a single IP address only) it will most likely cause problems and perhaps do the same to your ASA that it did to mine :)


- Jouni