How do I NAT based on destination port while source port can be ANY

Goal - I want to forward Internet-bound HTTP and HTTPS traffic to a proxy via an IPSEC tunnel - I want to maintain my private IP as it goes across the IPSEC tunnel - I also want the remaining Internet traffic to route normally by NATing to my outside address.

In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT

Here is a snapshot of the config:

object service Proxy_HTTP
 service tcp destination eq www
object service Proxy_HTTPS
 service tcp destination eq https

nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS

object network Non_Proxy
 nat (any,outside) dynamic interface

PROBLEM: I need this behavior in 8.2.x - I have found no way to mimic this.

You cannot use NAT Exemption as it cannot be port based

A static policy NAT with an access list will not work as you must specify a single source port - since there is no way to predict the source port this won't work.

I don't see any of the other NAT Types working this way.

If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.
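One way to confirm on a lab unit that the 8.4 rules above really do match on destination port alone, as an added example that is not part of the original post: the 10.1.1.10 and 203.0.113.5 addresses and the source ports are constructed, and the Non_Proxy object is assumed to carry an inside subnet (the posted snapshot omits that line).

```cisco
! Manual NAT (section 1) is evaluated before object NAT (section 3), so the
! two port-specific identity rules are checked first. Verify the order:
show nat detail

! Inside host to a web server on tcp/80 with an arbitrary ephemeral source
! port. The "Phase: NAT" output should show the Proxy_HTTP rule and an
! untranslated source of 10.1.1.10.
packet-tracer input inside tcp 10.1.1.10 51000 203.0.113.5 80

! Same flow from a different source port: the result must be identical,
! which is the "any source port" behaviour being relied on.
packet-tracer input inside tcp 10.1.1.10 40001 203.0.113.5 80

! Same host to tcp/22: neither identity rule matches, the Non_Proxy object
! rule does, and the source should now be the outside interface address.
packet-tracer input inside tcp 10.1.1.10 51000 203.0.113.5 22
```

If the tcp/22 trace still shows the private source address, the Non_Proxy object is missing its subnet or the object NAT rule is not present.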
