I have 2 devices: a Cisco ASA and, sitting behind it, another device. Both the Cisco and the other device have IPsec tunnels, but to different locations. I need to ensure that the source port of the other device is not UDP 500 when it is NAT'd, as that is the same port as the Cisco IPsec service, and so we see a problem where reply packets destined for the other device instead hit the ASA.
According to Cisco's FAQ on NAT (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html), it preserves the port where possible by default, based on the answer to "Q. When configuring for PAT (overloading), what is the maximum number of translations that can be created per inside global IP address?"
Question: How can I force all PAT mappings to use source ports > 1024?
Alternatively, how can I force the ASA to ignore IPsec packets from a specific IP address and just treat them like normal NAT'd packets and forward them back to the internal device?
On Linux with iptables I would use something like: iptables -t nat -A POSTROUTING -o eth0 -p udp -j SNAT --to-source x.x.x.x:1024-30000
Solved it via another means: disabling IPsec access on the Cisco for the IPs that the internal device is communicating with. Did this via control-plane access lists:
(Source: https://supportforums.cisco.com/discussion/12001786/restrict-certain-ip-addresses-establishing-ipsec)
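As an added example of the approach in the linked Cisco thread (this is not the original poster's configuration, which is not shown above), the following ASA control-plane ACL stops the ASA's own IKE listener from claiming UDP 500 packets that arrive from a peer only the internal device talks to. The peer address 203.0.113.10, the ACL name CP-ACL and the interface name "outside" are placeholders; the UDP 4500 line is added because the ASA also terminates IKE NAT-T on that port, which the question does not mention but which would cause the same collision if the internal device's tunnel ever negotiates NAT-T.

```cisco
! Added example, not the poster's config. 203.0.113.10 is a placeholder for
! a remote IPsec peer that only the internal (NAT'd) device should reach;
! "outside" is the assumed name of the Internet-facing interface.
!
! Deny IKE (UDP 500, port name isakmp) and NAT-T (UDP 4500) addressed to
! the ASA itself when they come from that peer, so the ASA's IKE service
! does not consume replies that belong to the internal device's tunnel.
access-list CP-ACL extended deny udp host 203.0.113.10 any eq isakmp
access-list CP-ACL extended deny udp host 203.0.113.10 any eq 4500
!
! Everything else destined to the ASA (its own IPsec peers, management)
! stays permitted, as it was before the ACL existed.
access-list CP-ACL extended permit ip any any
!
! The control-plane keyword applies the ACL to to-the-box traffic only;
! through-the-box traffic and the NAT rules are not affected by it.
access-group CP-ACL in interface outside control-plane
```

After applying it, watch the hit counts with "show access-list CP-ACL" while the internal device brings up its tunnel: the two deny lines should increment and the ASA's own tunnels (to other peers) should stay up. Keep the ACL as specific as possible; a deny that also matches one of the ASA's real IPsec peers will silently break that tunnel.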