NAT on same interface

Unanswered Question
Sep 19th, 2007

My ( IPSEC client-VPN) ASA is connected to the DMZ of an ISA cluster. The users get an IE proxy setting via domain login which refers to the local lan interface (NLB) of the ISA's. The DMZ interface is also listening for proxy requests. I want to NAT the local LAN proxy to the DMZ proxy ( preferable PAT). A siple static (port) nat doesnt'work. Any ideas ?

Any ideas how to ?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
claforest Wed, 09/19/2007 - 12:35

I would use a proxy.pac file to determine where the client is and set the PROXY where you want it to go.

Something like:


function FindProxyForURL(url, host)


var proxy_yes = "PROXY";

ver proxy_dmz = "PROXY";

var proxy_no = "DIRECT";

if (isPlainHostName(host)) { return proxy_no; }

if (dnsDomainIs(host, "")) { return proxy_no; }

if (isInNet(myIpAddress(), "", "")) { return proxy_dmz; } //VPN NETWORK

return proxy_yes;


--- END PROXY.PAC ----

mvengelen Wed, 09/19/2007 - 23:13

Good idea but as i'm no in control of the desktop of this large organisation I would rather have a "transparent" solution.

guibarati Mon, 09/24/2007 - 12:44

You can use the proxy settings of the VPN gateway, you can do that under the EzVPN policy configuration, somewhere depending of what device you are using

mvengelen Mon, 09/24/2007 - 21:25

I already set the proxy via the ms client settings that you can push via the ASA, but the issue here is that the domain login overrules tis setting because this is processed after the VPN connection is set.


This Discussion