Configure NAT rules with Cisco ASA 8.3(2)

Solutions ID:    KB5237
Version:    2.0
Status:    Published
Published date:    07/30/2012
Updated:    12/19/2013

Problem Description

Cisco made significant changes to NAT from ASA version 8.3 and above. These changes have made it possible to test IPSEC tunnel connectivity into the Blue Coat Cloud Service without any interruption to current production traffic.  These changes also allow a seamless transition from testing to fully deploying production traffic through the Blue Coat Cloud Service.

The steps below were completed using ASDM 6.4(9) which is the current version recommended by Cisco


First a NAT rule needs to be created:

The properties of the rule need to be defined:

1 – select inside interface (this is generally set to the interface that will see incoming traffic from the host/subnet)
2 – select outside interface
3 – select or create the host that will be used for testing (when testing is confirmed to work this is where you will add more test hosts and eventually all subnets that are to be redirected to the cloud)
4 – create or select the service object for HTTP (a second rule will be created for the HTTPS service)
5 – select Unidirectional (the default is set to Both)

Create a second rule that includes HTTPS as the service.  The summary of the two rules will look as follows:

These added NAT rules exempt HTTP and HTTPS from workstation1 from being NAT'ed but all other protocols from workstation1 will be NAT'ed by rule 3.


The config output of these rules for the above example is:

object network workstation1
object service HTTPS
service tcp destination eq https
object service HTTP
service tcp destination eq www

nat (inside,outside) source static workstation1 workstation1 service HTTP HTTP unidirectional
nat (inside,outside) source static workstation1 workstation1 service HTTPS HTTPS unidirectional


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question