Testing IPSEC with Cisco ASA 8.2(5)



Solution

Overview

Cisco made significant NAT changes starting with ASA 8.3. Prior to 8.3 there is less flexibility when incorporating the NAT rules required to allow HTTP and HTTPS to be protected by the Cloud Security Service.

Cause
Resolution

Creating a NAT exempt rule for a test host will accomplish the following:

  • confirm that the IPSEC tunnel will establish
  • allow one workstation to test the Blue Coat Cloud Security Service
  • most importantly, leave all other production traffic unaffected by the change

NOTE - the test host MUST be able to resolve DNS from a local DNS server. Creating an exempt rule will put all traffic from the test host into the IPSEC tunnel, and currently Blue Coat will only intercept HTTP and HTTPS; all other protocols (DNS included) will be dropped in the Cloud.

Using ASDM 6.4(9), the exempt rule is created as follows:

First create an exempt rule:

Next define the test workstation as the source of the exempt rule:

The results of the NAT creation will look like the following:

The exempt rule needs to be above any other NAT rule that this test workstation might have matched.


The config output of the above example looks as follows:

name 192.168.1.8 workstation1
access-list inside_nat0_outbound extended permit ip host workstation1 any
nat (inside) 0 access-list inside_nat0_outbound
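As an added example (not part of the original article), the following Python check parses an ASA 8.2-style config fragment like the one above and reports which hosts the nat 0 exemption ACL sends into the tunnel untranslated, so you can confirm that only the test workstation is affected. The sample config is constructed here and adds a hypothetical `nat (inside) 1` PAT rule standing in for the production NAT that the rest of the subnet keeps using.

```python
import re

# Constructed sample: the article's exempt rule plus a hypothetical
# production PAT rule for the rest of the inside subnet.
SAMPLE_CONFIG = """\
name 192.168.1.8 workstation1
access-list inside_nat0_outbound extended permit ip host workstation1 any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
"""


def parse_names(lines):
    """Map 'name <ip> <label>' objects to their IP addresses."""
    names = {}
    for line in lines:
        m = re.match(r"name\s+(\S+)\s+(\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def nat_exempt_hosts(config, interface="inside"):
    """Return the set of host IPs exempted from NAT on `interface`
    via a 'nat (<interface>) 0 access-list <acl>' statement."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    names = parse_names(lines)
    acl_name = None
    for line in lines:
        m = re.match(rf"nat \({re.escape(interface)}\) 0 access-list (\S+)$", line)
        if m:
            acl_name = m.group(1)
    if acl_name is None:
        return set()  # no NAT exemption configured on this interface
    hosts = set()
    pattern = rf"access-list {re.escape(acl_name)} extended permit ip host (\S+) any$"
    for line in lines:
        m = re.match(pattern, line)
        if m:
            # Resolve a 'name' label back to its IP; literal IPs pass through.
            hosts.add(names.get(m.group(1), m.group(1)))
    return hosts


def is_test_host_exempt(config, host_ip, interface="inside"):
    """True when exactly the test host is NAT-exempt and nothing else is."""
    return nat_exempt_hosts(config, interface) == {host_ip}
```

Run it against your own `show running-config` output to verify that the exemption covers the single test host before bringing the tunnel up.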

InQuira Doc Id      KB5238
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      Cloud IPsec VPN
Topic      Services
Article Number      000013742