Cisco made significant changes to NAT in ASA version 8.3 and above. These changes make it possible to test IPsec tunnel connectivity into the Blue Coat Cloud Service without interrupting current production traffic. They also allow a seamless transition from testing to fully deploying production traffic through the Blue Coat Cloud Service.
The steps below were completed using ASDM 6.4(9), which is the current version recommended by Cisco.
First a NAT rule needs to be created:
The properties of the rule need to be defined:
1 – select inside interface (this is generally set to the interface that will see incoming traffic from the host/subnet)
2 – select outside interface
3 – select or create the host that will be used for testing through the Blue Coat Cloud Service (this is the field that needs to be changed to include more test hosts and eventually all production subnets)
4 – create or select the service object for HTTP (a second rule will be created for the HTTPS service)
5 – disable proxy ARP on egress interface (this disables direction and assumes unidirectional)
Create a second rule that includes HTTPS as the service. The summary of the two rules will look as follows:
These added NAT rules exempt HTTP and HTTPS traffic from workstation1 from being NAT'ed; all other protocols from workstation1 will still be NAT'ed by rule 3.
The config output for the example above is as follows:
object network workstation1
 host 192.168.1.6
object service HTTPS
 service tcp destination eq https
object service HTTP
 service tcp destination eq www
nat (inside,outside) source static workstation1 workstation1 service HTTP HTTP no-proxy-arp
nat (inside,outside) source static workstation1 workstation1 service HTTPS HTTPS no-proxy-arp
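As more test hosts are added in field 3, each one needs both the HTTP and the HTTPS rule, or its HTTPS traffic will still be NAT'ed by the general rule. The following check is an added example, not part of the original article: it reads saved configuration text and reports any source object that lacks one of the two exemptions or the no-proxy-arp keyword. The second host (workstation2, 192.168.1.7) is constructed for illustration, and the parser assumes the layout shown above, with each service line directly under its object line.

```python
import re

# Constructed sample: the article's config plus a hypothetical second test
# host (workstation2) that was given only the HTTP rule.
SAMPLE_CONFIG = """\
object network workstation1
 host 192.168.1.6
object network workstation2
 host 192.168.1.7
object service HTTPS
 service tcp destination eq https
object service HTTP
 service tcp destination eq www
nat (inside,outside) source static workstation1 workstation1 service HTTP HTTP no-proxy-arp
nat (inside,outside) source static workstation1 workstation1 service HTTPS HTTPS no-proxy-arp
nat (inside,outside) source static workstation2 workstation2 service HTTP HTTP no-proxy-arp
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # ASA port keywords
REQUIRED_PORTS = {80, 443}  # both exemptions the article creates
SERVICE_RE = re.compile(r"^object service (\S+)\n service tcp destination eq (\S+)$", re.M)
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) service (\S+) (\S+)(.*)$")

def service_ports(config):
    """Map each 'object service' name to its TCP destination port."""
    return {name: int(tok) if tok.isdigit() else PORT_NAMES.get(tok)
            for name, tok in SERVICE_RE.findall(config)}

def exemption_gaps(config):
    """Return {source_object: [problems]} for identity NAT rules with a service."""
    ports = service_ports(config)
    seen, problems = {}, {}
    for line in config.splitlines():
        m = NAT_RE.match(line)
        # Only identity rules (real == mapped for source and service) exempt traffic.
        if not m or m.group(3) != m.group(4) or m.group(5) != m.group(6):
            continue
        src = m.group(3)
        seen.setdefault(src, set()).add(ports.get(m.group(5)))
        if "no-proxy-arp" not in m.group(7).split():
            problems.setdefault(src, []).append(f"{m.group(5)} rule lacks no-proxy-arp")
    for src, have in seen.items():
        for port in sorted(REQUIRED_PORTS - have):
            problems.setdefault(src, []).append(f"no exemption for tcp/{port}")
    return problems
```

Calling exemption_gaps(SAMPLE_CONFIG) flags workstation2 as missing the tcp/443 exemption and reports nothing for workstation1.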
Imported Document ID: 000008691