Creating a NAT exempt rule for a test host accomplishes the following:
- confirms that the IPSEC tunnel establishes
- lets a single workstation test the Blue Coat Cloud Security Service
- most importantly, leaves all other production traffic unaffected by the change
NOTE - the test host MUST be able to resolve DNS from a local DNS server. Creating the exempt rule sends all traffic from the test host into the IPSEC tunnel, and Blue Coat currently intercepts only HTTP and HTTPS; every other protocol is dropped in the Cloud, so a test host pointed at an external resolver would lose name resolution.
Using ASDM 6.4(9), the exempt rule is created as follows:
First create an exempt rule:
Next define the test workstation as the source of the exempt rule:
The results of the NAT creation will look like the following:
The exempt rule must sit above any other NAT rule that this test workstation might otherwise match.
The resulting CLI configuration for the example above (the pre-8.3 "nat 0" exemption syntax) is:
name 192.168.1.8 workstation1
access-list inside_nat0_outbound extended permit ip host workstation1 any
nat (inside) 0 access-list inside_nat0_outbound
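The whole point of the exemption is that only the test host is pulled into the tunnel, so before committing it is worth checking the exempt ACL for two things: that the host is exempted for all destinations, and that nothing wider than the host (a whole subnet, or "any") has crept in, which would affect production. The checker below is an added example and not part of the original page or any Cisco tool. It parses only the pre-8.3 statement forms shown above (`name`, `access-list ... extended permit ip`, `nat (<if>) 0 access-list`) plus "<addr> <mask>" and "any" address specs; object-groups are rejected. The two config snippets inside it are constructed for the demonstration.

```python
"""Pre-flight check for an ASA (pre-8.3 syntax) NAT-exemption rule.

Added example, not from the original page or from Cisco. Only the statement
forms the page shows are parsed; object-group specs raise an error.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the exemption as shown on the page.
GOOD = """\
name 192.168.1.8 workstation1
access-list inside_nat0_outbound extended permit ip host workstation1 any
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed sample: a mistake that exempts the whole inside subnet.
WIDE = """\
name 192.168.1.8 workstation1
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
"""


def _names(config):
    """Map ASA 'name' aliases to their IP addresses."""
    out = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            out[m.group(2)] = m.group(1)
    return out


def _addr(tokens, names):
    """Consume one ACL address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    if tokens[0] == "object-group":
        raise ValueError("object-group specs are not supported by this checker")
    # "<addr> <mask>" form; ipaddress accepts a dotted netmask after the slash
    net = f"{names.get(tokens[0], tokens[0])}/{tokens[1]}"
    return ipaddress.ip_network(net, strict=False), tokens[2:]


def exempt_entries(config, interface="inside"):
    """Return [(proto, src_net, dst_net)] permitted by the nat (interface) 0 ACL."""
    names = _names(config)
    acl = None
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m and m.group(1) == interface:
            acl = m.group(2)
    if acl is None:
        return []
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl or m.group(2) != "permit":
            continue
        proto, rest = m.group(3), m.group(4).split()
        src, rest = _addr(rest, names)
        dst, _ = _addr(rest, names)
        entries.append((proto, src, dst))
    return entries


def check_test_host(config, test_ip, interface="inside"):
    """Report whether exactly the test host is exempted, for all destinations."""
    host = ipaddress.ip_network(test_ip + "/32")
    entries = exempt_entries(config, interface)
    host_all = any(p == "ip" and s == host and d == ANY for p, s, d in entries)
    # Any entry whose source is not the single test host exempts production traffic too.
    too_wide = [e for e in entries if e[1] != host]
    return {
        "host_exempt_all_traffic": host_all,
        "wider_than_test_host": [f"{p} {s} -> {d}" for p, s, d in too_wide],
    }


if __name__ == "__main__":
    print("page example:", check_test_host(GOOD, "192.168.1.8"))
    print("subnet mistake:", check_test_host(WIDE, "192.168.1.8"))
```

Run it against `show running-config` output saved to a file; a non-empty `wider_than_test_host` list means the change is no longer confined to the test workstation and should be reviewed before the IPSEC tunnel is brought up.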