
Testing IPSEC with Cisco ASA 8.2(5)

Solutions ID:    KB5238
Version:    2.0
Status:    Published
Published date:    07/30/2012
Updated:    12/19/2013
 

Problem Description

Cisco made significant NAT changes starting with ASA 8.3. Prior to 8.3 there is less flexibility when incorporating the NAT rules required to allow HTTP and HTTPS traffic to be protected by the Cloud Security Service.

Resolution

Creating a NAT exempt rule for a single test host accomplishes the following:

  • confirms that the IPSEC tunnel will establish
  • lets one workstation test the Blue Coat Cloud Security Service
  • most importantly, leaves all other production traffic unaffected by the change

NOTE - the test host MUST be able to resolve DNS from a local DNS server. The exempt rule sends all traffic from the test host into the IPSEC tunnel, and the Cloud Security Service currently intercepts only HTTP and HTTPS; all other protocols (DNS included) are dropped in the Cloud.

Using ASDM 6.4(9), the exempt rule is created as follows:

First create an exempt rule:

Next define the test workstation as the source of the exempt rule:

The results of the NAT creation will look like the following:

The exempt rule must sit above any other NAT rule that the test workstation would otherwise match.

The config output of the above example looks as follows:

name 192.168.1.8 workstation1
access-list inside_nat0_outbound extended permit ip host workstation1 any
nat (inside) 0 access-list inside_nat0_outbound
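The same exemption entered from the ASA CLI, followed by the checks that confirm it did what the article intends. This is an added example, not configuration from the original article or from Blue Coat. Only 192.168.1.8 (the test workstation) comes from the article; 203.0.113.10 (a web server reached through the tunnel) and 192.168.1.9 (a production host that must stay translated) are assumed placeholder addresses.

```cisco
! Added example (not from the original article). Assumed placeholders:
! 203.0.113.10 = a web server behind the tunnel, 192.168.1.9 = a production
! host that must keep using the normal NAT/PAT rule.
!
! --- configuration (ASA 8.2(5), pre-8.3 NAT syntax) ---
configure terminal
 names
 name 192.168.1.8 workstation1
 access-list inside_nat0_outbound extended permit ip host workstation1 any
 nat (inside) 0 access-list inside_nat0_outbound
end
! Translations that already exist for the test host survive a NAT change;
! clear them so sessions the workstation already has open pick up the rule.
clear xlate local 192.168.1.8

! --- checks ---
! 1. The exemption is present in the running configuration.
show running-config nat
show running-config access-list inside_nat0_outbound
! 2. Traffic from the test host to the web server must leave untranslated:
!    the NAT phase of the trace should cite the nat (inside) 0 statement
!    and the source address should still be 192.168.1.8.
packet-tracer input inside tcp 192.168.1.8 1025 203.0.113.10 80
! 3. The same flow from a production host must still match the regular
!    NAT/PAT rule, proving the change is scoped to the test host.
packet-tracer input inside tcp 192.168.1.9 1025 203.0.113.10 80
! 4. After workstation1 browses, the tunnel should be up and the exempt
!    ACL should show a non-zero hit count.
show crypto isakmp sa
show crypto ipsec sa
show access-list inside_nat0_outbound
```

Two points worth keeping in mind when reading the output. NAT exemption only keeps the source address unchanged; whether the packet is actually encrypted is decided by the crypto map's match address ACL, which must also cover the test host (that part of the tunnel configuration is not shown on this page). And because the ACE is `permit ip host workstation1 any`, every protocol from the test host is exempted, which is exactly why the note above insists on a local DNS server: a DNS query sent down the tunnel is dropped in the Cloud and the workstation cannot resolve anything.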
 

